GDPR is a data privacy regulation from the European Union. Businesses and organizations worldwide -- from large enterprises to small businesses -- are striving to meet a GDPR compliance deadline set for May 25, 2018.
Amazon insists that AWS is ready for the regulation. In a blog post this week, AWS VP of Security Chad Woolf stated:
"This announcement confirms we have completed the entirety of our GDPR service readiness audit, validating that all generally available services and features adhere to the high privacy bar and data protection standards required of data processors by the GDPR. We completed this work two months ahead of the May 25, 2018 enforcement deadline in order to give customers and APN partners an environment in which they can confidently build their own GDPR-compliant products, services, and solutions."
GDPR Compliance: Opportunities, Challenges for Partners
Amazon's statement is particularly timely. Regulators are closely scrutinizing big cloud, social media and data companies after the recent Facebook privacy controversy involving Cambridge Analytica. That scrutiny will likely intensify as the GDPR deadline approaches in May.
Plenty of people are stilling struggling to understand the regulation -- especially GDPR for small businesses. Moreover, portions of the regulation may actually conflict with compliance directives in vertical markets like financial services, according to KuppingerCole.
Meanwhile, channel partners see financial opportunities and business challenges associated with the regulation, according to a SolarWinds MSP research report published in November 2017. Leading MSSPs like Trustwave, for one, have introduced compliance services to help businesses ramp up for the regulation.
GDPR Compliance: A Basic Checklist
Although the regulation has a complex list of requirements, most pundits say the mandate boils down to four key prerequisites. They include:
- Breach Notification Policy: A data breach of any kind must be communicated within 72 hours of first becoming aware of a breach.
- Right to Access: Organizations must describe how they collect and use personal data, and why. Users should also be able to request their data freely, with a 40-day turnaround from the vendor.
- Right to Be Forgotten: A user can request that an organization completely erases any data pertaining to that user.
- Data Portability: A user must have the option to download their data and transfer it elsewhere.