Life Sciences

Amazon Web Services Navigating GDPR Compliance on AWS 2 AWS Data Processing Addendum (DPA) AWS offers a GDPR-compliant Data Processing Addendum (GDPR DPA), which enables customers to comply with GDPR contractual obligations. The AWS GDPR DPA is incorporated into the AWS Service Terms and applies automatically to all customers globally who require it to comply with the GDPR. The Role of AWS Under the GDPR Under the GDPR, AWS can be both a data processor and a data controller. AWS as a Data Processor When customers and AWS Solution Providers use AWS services to process personal data in their content, AWS acts as a data processor. Customers and AWS Solution Providers can use the controls available in AWS services, including security configuration controls, to process personal data. Under these circumstances, the customer or AWS Solution Providers may act as a data controller or a data processor, and AWS acts as a data processor or sub-processor. The AWS GDPR-compliant Data Processing Addendum (DPA) incorporates the commitments of AWS as a data processor. AWS as a Data Controller When AWS collects personal data and determines the purposes and means of processing that personal data, it acts as a data controller. For example, AWS stores account information as a data controller for account registration, administration, services access, customer contact, and support. Under Article 32, controllers and processors are required to "implement appropriate technical and organizational measures" that consider "the state of the art and the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". The GDPR provides specific suggestions for what types of security actions may be required, including: • The pseudonymization and encryption of personal data. • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

• Cover
• Abstract
• General Data Protection Regulation Overview
• Changes the GDPR Introduces to Organizations Operating in the EU
• AWS Preparation for the GDPR
• AWS Data Processing Addendum (DPA)
• The Role of AWS Under the GDPR
• AWS as a Data Processor
• AWS as a Data Controller
• Shared Security Responsibility Model
• Strong Compliance Framework and Security Standards
• AWS Compliance Program
• Cloud Computing Compliance Controls Catalog
• The CISPE Code of Conduct
• Data Access Controls
• AWS Identity and Access Management
• Temporary Access Tokens Through AWS STS
• Multi-Factor-Authentication
• Access to AWS Objects Resources
• Access to Operational & Configuration Data
• Geo-Restrictions
• Control Access to Web Applications and Mobile Apps
• Monitoring and Logging
• Manage and Configure Assets with AWS Config
• Compliance Auditing & Security Analytics with AWS CloudTrail
• Log Formats
• Centralized Security Management
• Protecting your Data on AWS
• Encrypt Data at Rest
• Encrypt Data in Transit
• Encryption Tools
• AWS Key Management Service
• AWS Service Integration
• Audit Capabilities
• Security
• AWS CloudHSM
• Integration with AWS Services and Third-Party Applications
• Audit Activities
• AWS Cryptographic Services and Tools
• Linux DM-Crypt Infrastructure
• Data Protection by Design & by Default
• How AWS Can Help
• Contributors
• Document Revisions