
Cloud Security for European Companies: Staying GDPR-Compliant on AWS & GCP

DEVOIDA Team

Using cloud services while maintaining GDPR compliance requires careful configuration.

GDPR Cloud Requirements

| Requirement | Description | AWS Support | GCP Support |
|---|---|---|---|
| Data Residency | Store EU data in EU regions | EU regions available | EU regions available |
| Encryption | Encrypt data at rest and in transit | KMS, TLS | Cloud KMS, TLS |
| Access Control | Limit who can access data | IAM, Organizations | IAM, Resource Manager |
| Audit Logging | Track all data access | CloudTrail | Cloud Audit Logs |
| Data Processing Agreement | Legal contract with provider | Available | Available |

AWS GDPR Configuration

AWS GDPR Setup:

Region Selection:
  Primary: eu-central-1 (Frankfurt)
  Secondary: eu-west-1 (Ireland)
  
Encryption:
  - Enable default EBS encryption
  - Use KMS customer-managed keys
  - Enable S3 default encryption
  - RDS encryption enabled

Access Control:
  - IAM roles (not users) for applications
  - MFA required for console access
  - CloudTrail enabled in all regions
  - GuardDuty enabled

Data Residency:
  - S3 bucket policies restrict to EU regions
  - Service control policies (SCPs) prevent non-EU deployments
  - VPC endpoints for AWS services
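
The "SCPs prevent non-EU deployments" item above, as an added example that is not part of the original post: it builds a region-deny SCP for the two regions listed here and checks it against constructed requests with a simplified local evaluator. The exempted global-service list and the function names are assumptions for illustration.

```python
import json
from fnmatch import fnmatchcase

EU_REGIONS = ["eu-central-1", "eu-west-1"]  # primary and secondary regions from this page
# Illustrative subset of global services that are not served from EU endpoints
# and would break under a blanket region deny (assumption: extend to match your usage).
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "route53:*",
                          "cloudfront:*", "sts:*", "support:*"]


def build_region_scp(allowed_regions, exempt_actions):
    """Return an SCP that denies every non-exempt action outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideEU",
            "Effect": "Deny",
            "NotAction": sorted(exempt_actions),
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }


def is_denied(scp, action, region):
    """Simplified local model: Deny + NotAction + StringNotEquals on region only."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt = any(fnmatchcase(action.lower(), pat.lower())
                     for pat in stmt["NotAction"])
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if not exempt and region not in allowed:
            return True
    return False


SCP = build_region_scp(EU_REGIONS, GLOBAL_SERVICE_ACTIONS)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))  # policy document to attach via AWS Organizations
    for action, region in [("ec2:RunInstances", "us-east-1"),  # constructed requests
                           ("ec2:RunInstances", "eu-central-1"),
                           ("iam:CreateRole", "us-east-1")]:
        verdict = "DENY" if is_denied(SCP, action, region) else "not denied"
        print(f"{action:20} {region:14} {verdict}")
```

The evaluator is a review aid for the policy logic only; an SCP restricts where resources can be created but does not by itself demonstrate where existing data resides.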

GCP GDPR Configuration

GCP GDPR Setup:

Region Selection:
  Primary: europe-west1 (Belgium)
  Secondary: europe-west3 (Frankfurt)

Encryption:
  - Customer-managed encryption keys (CMEK)
  - Cloud Storage encryption
  - BigQuery column-level encryption

Access Control:
  - Organization policies
  - VPC Service Controls
  - IAM conditions
  - Audit logging enabled

Data Residency:
  - Resource location restrictions
  - Org policy constraints
  - Data residency commitments

Compliance Checklist

## GDPR Cloud Checklist

### Infrastructure
- [ ] Using EU regions only for EU data
- [ ] Encryption enabled at rest
- [ ] Encryption enabled in transit
- [ ] Audit logging configured
- [ ] Access logs retained (required period)

### Legal
- [ ] DPA signed with cloud provider
- [ ] Standard Contractual Clauses in place
- [ ] Data processing records maintained
- [ ] Privacy impact assessment completed

### Technical
- [ ] IAM policies reviewed
- [ ] Network security configured
- [ ] Backup encryption verified
- [ ] Deletion procedures tested
- [ ] Data export capability verified
