AWS promises to be GDPR compliant by May 2018 deadline

Amazon promises all AWS cloud services will be GDPR compliant before enforcement of the new EU data privacy regulation starts in 2018, offers customers assistance.

Cloud giant Amazon Web Services announced that all of its services will be GDPR compliant when enforcement of the new EU privacy law begins on May 25, 2018.

Amazon Web Services, or AWS, is not the first cloud provider to announce it will be compliant with the EU's new General Data Privacy Regulation (GDPR); earlier this year Microsoft announced all of its cloud services would be GDPR compliant by the deadline.

"AWS welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure," wrote Stephen Schmidt, vice president of security engineering and CISO at Amazon Web Services, in a blog post. "I am happy to announce today that all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018."

Schmidt said that AWS will offer "a number of services and tools to enable you to build GDPR-compliant infrastructure on top of AWS," and detailed some of the tools and services that AWS will be offering its customers to help them become GDPR compliant.

As an entity providing data processing services, AWS announced the availability of a data processing agreement (DPA) through the account managers of AWS customers. Cloud customers need to have a valid DPA spelling out how cloud data processors like AWS comply with the new EU data privacy regulation in order to be GDPR compliant.


AWS also has "teams of compliance experts, data protection specialists, and security experts working with customers across Europe to answer their questions and help them prepare for running workloads in the AWS Cloud after the GDPR comes into force," Schmidt wrote.

AWS also touted updates to its EU Data Protection website, with special mention of AWS' membership in the Association of Cloud Infrastructure Services Providers in Europe (CISPE), a group of cloud infrastructure services providers operating in Europe that aims to help cloud customers become GDPR compliant. AWS joined CISPE earlier this year, committing Amazon to CISPE's cloud "Code of Conduct" and positioning Amazon to provide GDPR-compliant services to its customers. Schmidt wrote that a number of AWS services and tools, including Amazon EC2, Amazon S3 and AWS CloudTrail, are fully compliant with CISPE's Code of Conduct.

Starting May 25, 2018, GDPR compliance will be mandatory for all businesses and organizations that collect or process personal data related to any EU person. The new rules prescribe more rigorous requirements for the collection and use of personal data, for how data is removed after it is no longer needed, and for granting individuals the right to delete their data. Penalties under GDPR can be significant: organizations that fail to comply face fines of up to 4% of their annual global turnover or 20 million euros, whichever is greater.
