General Data Protection Regulation (GDPR)
AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR). By default, this framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in AWS Audit Manager. For more information, see Using this framework to support your audit preparation.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC.
The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.
You can find the GDPR framework in the framework library page of AWS Audit Manager. For more information, see the General Data Protection Regulation (GDPR) Center.
Using this framework to support your audit preparation
You can use the GDPR framework in AWS Audit Manager to help you prepare for audits.
The framework details are as follows:
Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
---|---|---|---|
GDPR | 0 | 371 | 10 |
To automate evidence collection for controls under GDPR, you can use AWS Audit Manager to create custom controls for GDPR. You can do this by referring to the recommended data source configuration in the following table. For instructions on how to create a custom control, see Creating a custom control.
Control name | Control set | Recommended control data source mapping |
---|---|---|
Article 25 Data protection by design and by default.1 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: |
Article 25 Data protection by design and by default.2 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: |
Article 25 Data protection by design and by default.3 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security checks: |
Article 30 Records of processing activities.1 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: |
Article 30 Records of processing activities.2 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: |
Article 30 Records of processing activities.3 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: |
Article 30 Records of processing activities.4 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: |
Article 30 Records of processing activities.5 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Security Hub as the evidence type, and then select the following Security Hub security check: |
Article 32 Security of processing.1 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: |
Article 32 Security of processing.2 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: |
Article 32 Security of processing.3 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: |
Article 32 Security of processing.4 | Chapter 4 - Controller and Processor | You can create a custom control in AWS Audit Manager that supports this GDPR control. When you specify the control details, enter the following under Testing information: When you configure the data source for the custom control, choose Automated evidence, Compliance check from AWS Config as the evidence type, and then select the following AWS Config Rules: |
After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. For more information, see Creating a custom framework and Editing a custom framework. You can then create an assessment from the custom GDPR framework. This way, AWS Audit Manager can collect evidence automatically for the custom controls that you added. For instructions on how to create an assessment from a framework, see Creating an assessment.
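The same three steps (custom control with an automated data source, custom framework, assessment) can be driven through the Audit Manager API instead of the console. The following is an added example, not code from the AWS documentation: it builds the CreateControl, CreateAssessmentFramework and CreateAssessment request bodies and validates the data-source fields before anything is sent. The Config rule names mapped to the Article 32 controls, the account ID, the role ARN and the S3 bucket are hypothetical placeholders chosen for illustration; this page does not list recommended rules, so substitute the rules that evidence your own processing. Only the `deploy` function needs boto3 and credentials; the builders run offline.

```python
"""Request builders for automating GDPR controls in AWS Audit Manager.

Added example, not from the AWS documentation. Rule names, account ID, role ARN
and bucket are hypothetical placeholders.
"""
import re

# Enumerations accepted by the CreateControl API for a control mapping source.
SOURCE_TYPES = {"AWS_Config", "AWS_Security_Hub", "AWS_Cloudtrail", "AWS_API_Call", "MANUAL"}
FREQUENCIES = {"DAILY", "WEEKLY", "MONTHLY"}
# AWS Config managed rule identifiers (e.g. ENCRYPTED_VOLUMES) are upper snake case.
MANAGED_RULE_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")


def config_rule_source(rule_name, frequency="DAILY"):
    """One automated data source: the compliance state of an AWS Config rule."""
    if not MANAGED_RULE_RE.match(rule_name):
        raise ValueError(f"not a Config managed rule identifier: {rule_name!r}")
    if frequency not in FREQUENCIES:
        raise ValueError(f"unsupported frequency: {frequency!r}")
    return {
        "sourceName": f"AWS Config rule {rule_name}",
        "sourceDescription": f"Compliance check from AWS Config rule {rule_name}",
        "sourceSetUpOption": "System_Controls_Mapping",  # automated, not procedural
        "sourceType": "AWS_Config",
        "sourceKeyword": {"keywordInputType": "SELECT_FROM_LIST", "keywordValue": rule_name},
        "sourceFrequency": frequency,
    }


def custom_control_request(name, testing_information, sources):
    """Body for CreateControl. A control with no data source would only ever be
    a manual control, so it is rejected here rather than created by mistake."""
    if not sources:
        raise ValueError(f"{name}: at least one data source is required")
    for src in sources:
        if src["sourceType"] not in SOURCE_TYPES:
            raise ValueError(f"{name}: unknown sourceType {src['sourceType']!r}")
    return {"name": name, "testingInformation": testing_information,
            "controlMappingSources": list(sources)}


def custom_framework_request(name, control_sets):
    """Body for CreateAssessmentFramework. control_sets maps a control set name
    (e.g. "Chapter 4 - Controller and Processor") to a list of control IDs."""
    return {
        "name": name,
        "complianceType": "GDPR",
        "controlSets": [{"name": set_name, "controls": [{"id": cid} for cid in ids]}
                        for set_name, ids in control_sets.items()],
    }


def assessment_request(name, framework_id, account_id, owner_role_arn, report_bucket, services):
    """Body for CreateAssessment: scope, report destination and process owner."""
    return {
        "name": name,
        "frameworkId": framework_id,
        "assessmentReportsDestination": {"destinationType": "S3",
                                         "destination": f"s3://{report_bucket}"},
        "scope": {"awsAccounts": [{"id": account_id}],
                  "awsServices": [{"serviceName": s} for s in services]},
        "roles": [{"roleType": "PROCESS_OWNER", "roleArn": owner_role_arn}],
    }


# Hypothetical mapping: two Article 32 controls backed by encryption-at-rest
# Config rules. Not AWS's recommendation; replace with your own evidence rules.
GDPR_CONTROLS = {
    "Article 32 Security of processing.1": ["S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
                                            "ENCRYPTED_VOLUMES"],
    "Article 32 Security of processing.2": ["RDS_STORAGE_ENCRYPTED"],
}
TESTING_INFO = "Evidence is the compliance state of the mapped AWS Config rules."


def build_control_requests(mapping=GDPR_CONTROLS):
    """One CreateControl body per GDPR control in the mapping."""
    return [custom_control_request(name, TESTING_INFO, [config_rule_source(r) for r in rules])
            for name, rules in mapping.items()]


def deploy(region="eu-west-1", account_id="123456789012",
           owner_role_arn="arn:aws:iam::123456789012:role/AuditOwner",
           report_bucket="example-audit-reports"):
    """Submit the requests with boto3 (needs credentials; placeholders above)."""
    import boto3  # imported here so the builders stay dependency-free
    am = boto3.client("auditmanager", region_name=region)
    control_ids = [am.create_control(**req)["control"]["id"] for req in build_control_requests()]
    fw = am.create_assessment_framework(**custom_framework_request(
        "GDPR (automated Article 32)", {"Chapter 4 - Controller and Processor": control_ids}))
    return am.create_assessment(**assessment_request(
        "GDPR assessment", fw["framework"]["id"], account_id, owner_role_arn,
        report_bucket, ["s3", "ec2", "rds"]))
```

Keeping the control set name identical to the one in the prebuilt framework ("Chapter 4 - Controller and Processor") lets the automated controls sit beside the remaining manual ones when you copy them into the custom framework, so the assessment report keeps the GDPR chapter structure an auditor expects.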
You can find the GDPR framework under the Standard frameworks tab of the Framework library in Audit Manager.