General Data Protection Regulation (GDPR)

What is the General Data Protection Regulation (GDPR)?Using this framework More GDPR resources

AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR). By default, this framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in AWS Audit Manager. For more information, see Using this framework to support your audit preparation.

Topics

What is the General Data Protection Regulation (GDPR)?
Using this framework
More GDPR resources

The General Data Protection Regulation (GDPR) is a new European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC. It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.

The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.

You can find the GDPR framework in the framework library page of AWS Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.

You can use the GDPR framework in AWS Audit Manager to help you prepare for audits.

The framework details are as follows:

Framework name in AWS Audit Manager	Number of automated controls	Number of manual controls	Number of control sets	AWS services in scope
GDPR	0	371	10	None

You can find the GDPR framework under the Standard frameworks tab of the Framework library in Audit Manager.

Because this standard framework contains manual controls only, no AWS services are in scope. If you need to edit the list of services in scope for this framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

To automate evidence collection for controls under GDPR, you can use AWS Audit Manager to create custom controls for GDPR. You can do this by referring to the recommended data source configuration in the following table. For instructions on how to create a custom control, see Creating a custom control.

Control name	Control set	Recommended control data source mapping
Article 25 Data protection by design and by default.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 25 Data protection by design and by default.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 25 Data protection by design and by default.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: IAM_ROOT_ACCESS_KEY_CHECK ROOT_ACCOUNT_MFA_ENABLED ROOT_ACCOUNT_HARDWARE_MFA_ENABLED VPC_FLOW_LOGS_ENABLED ACCESS_KEYS_ROTATED IAM_PASSWORD_POLICY When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: 1.1 - 3.14 Config.1
Article 30 Records of processing activities.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUDTRAIL_SECURITY_TRAIL_ENABLED REDSHIFT_CLUSTER_CONFIGURATION_CHECK CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term AWS CloudTrail bucket not public Show all policies with an `Allow::` and list all principals and services using those policies When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 30 Records of processing activities.5	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show all root account events over term When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED VPC_FLOW_LOGS_ENABLED CMK_BACKING_KEY_ROTATION_ENABLED CLOUD_TRAIL_ENABLED ELB_LOGGING_ENABLED CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: Config.1
Article 32 Security of processing.1	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that are not Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.2	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.3	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED
Article 32 Security of processing.4	Chapter 4 - Controller and Processor	You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: Show data at rest encryption for all services Show data in transit encryption for all services MFA Delete enabled for Amazon S3 All Amazon Inspector scans Show all instances that aren't Amazon Inspector enabled Show all load balancers that are listening on HTTPS (SSL) AWS CloudTrail encrypted at rest Amazon CloudWatch alerts for AWS Config displaying all changes and all commented settings All root activity When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED S3_BUCKET_SSL_REQUESTS_ONLY CLOUD_TRAIL_ENCRYPTION_ENABLED CLOUDWATCH_LOG_GROUP_ENCRYPTED EFS_ENCRYPTED_CHECK ELASTICSEARCH_ENCRYPTED_AT_REST ENCRYPTED_VOLUMES RDS_STORAGE_ENCRYPTED REDSHIFT_CLUSTER_CONFIGURATION_CHECK S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED SNS_ENCRYPTED_KMS EC2_EBS_ENCRYPTION_BY_DEFAULT DYNAMODB_TABLE_ENCRYPTED_KMS DYNAMODB_TABLE_ENCRYPTION_ENABLED RDS_SNAPSHOT_ENCRYPTED S3_DEFAULT_ENCRYPTION_KMS DAX_ENCRYPTION_ENABLED EKS_SECRETS_ENCRYPTED RDS_LOGGING_ENABLED REDSHIFT_BACKUP_ENABLED RDS_IN_BACKUP_PLAN WAF_CLASSIC_LOGGING_ENABLED WAFV2_LOGGING_ENABLED ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK ELB_ACM_CERTIFICATE_REQUIRED ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK REDSHIFT_REQUIRE_TLS_SSL CLOUDFRONT_VIEWER_POLICY_HTTPS ALB_HTTP_DROP_INVALID_HEADER_ENABLED ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK ELB_TLS_HTTPS_LISTENERS_ONLY ACM_CERTIFICATE_EXPIRATION_CHECK API_GW_CACHE_ENABLED_AND_ENCRYPTED

After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. For more information, see Creating a custom framework and Editing a custom framework. You can then create an assessment from the custom GDPR framework. This way, AWS Audit Manager can collect evidence automatically for the custom controls that you added. For instructions on how to create an assessment from a framework, see Creating an assessment.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

FedRAMP Moderate Baseline

Gramm-Leach-Bliley Act