Even though the European Union’s General Data Protection Regulation (GDPR) is now in effect, discussions with RedLock customers and prospects indicate there are still many unanswered questions regarding who must comply and how to prove compliance. Some US-based organizations think GDPR does not apply to them. Other organizations adopting public cloud believe their cloud provider is entirely responsible for GDPR compliance. And still others believe GDPR supersedes all other compliance requirements.
Given this confusion, I’d like to clarify some of these questions by connecting the dots between cloud computing, the shared responsibility model and GDPR. It’s actually very straightforward.
First, GDPR applies to any organization, located anywhere, that offers goods or services to, or monitors the behavior of, EU citizens. Under this definition, many US enterprises and organizations must adhere to this regulation.
Second, public cloud computing is absolutely subject to GDPR regulations. In fact, the GDPR regulations specifically call out that ‘cloud(s) processors and controllers will not be exempt from GDPR enforcement’.
Third, the Shared Responsibility Model of Cloud Computing does not fundamentally change under GDPR. Cloud providers are responsible for securing the underlying infrastructure that supports the cloud and the services provided, while customers, acting either as data controllers or data processors, are responsible for any personal data they put in the cloud. AWS, for example, has covered this topic extensively.
To summarize, many organizations that use public cloud computing services will be subject to GDPR regulations. Those organizations are still responsible for fulfilling their obligations under the shared security model. The shared security model and GDPR are complementary; neither supersedes the other.
GDPR compliance reporting is one of the many standard compliance reports supported by the RedLock Cloud 360™ platform. Just as RedLock enables compliance and security mappings for NIST CSF, CIS, SOC 2, PCI, and HIPAA, GDPR reporting identifies whether services in AWS, Azure and Google Cloud are properly configured to protect data against accidental or unlawful access, use, modification or disclosure. For organizations concerned about GDPR compliance in the cloud that have to prove compliance status to internal and external auditors, RedLock has your back.
By using RedLock for GDPR, organizations can automate security compliance and provide comprehensive reporting to management and external auditors with a few keystrokes.
The RedLock Cloud 360 platform compliance dashboard provides a holistic, at-a-glance view of resources monitored for GDPR (and any other standards, if selected) and highlights the number of resources that pass and fail the applicable compliance standard. It also indicates the relative trend, whether the number of passes and fails is increasing or decreasing. This summary, on-demand view can be used as your compliance team’s ‘home base’ for visually monitoring GDPR status in real time.
The actual GDPR regulations include 11 chapters, with each chapter having many sub-articles. A chapter defines a general area (e.g. general provisions, principles, rights of the data subject, etc.) while the articles are the detailed sections within each area. The RedLock Cloud 360 platform clearly and easily maps to these chapters and articles. Double-clicking the GDPR link in the dashboard highlights the individual chapters, including their name, requirement number and description, as shown below. In addition, you can double-click on each chapter to reveal the underlying articles included in that chapter.
RedLock generates reports detailing your GDPR compliance posture. These reports are part of the RedLock Cloud 360 platform and contain summary and detailed findings of security and compliance risks in your cloud environment. You have the option to select one or more cloud types, report types, cloud accounts, regions and a time range to create a report. A professional, easy-to-read report is generated with a single click for compliance teams, executive management and auditors. Once the report is generated, you have the option to download it immediately.
In an audit, organizations are asked to prove compliance for a given time period. This poses significant challenges in public cloud computing environments where users are constantly making changes without a security review. RedLock enables you to report on your current compliance posture, and also maintains historical snapshots of your environment, enabling you to prove compliance for any past periods as well.
In the RedLock GDPR Compliance Assurance report, you get:
According to a 2016 report by PwC, 88% of organizations said they had finished GDPR preparations and spent more than $1 million, while 40% reported spending more than $10 million. The pattern of increased spending was consistent regardless of company size.
By using RedLock for GDPR compliance monitoring and reporting, your organization gets the benefit of knowing and documenting your compliance status without the overhead of building specialized reporting systems. Moreover, GDPR reporting is a standard feature of the RedLock Cloud 360 platform. It does not require any special integration or additional engineering to implement. With GDPR now in full effect, proving your compliance in the cloud has never been easier, or more cost-effective.
Get a demo to see how RedLock can help you with: