Skip to content

GDPR

Best for: Any organization that processes personal data of EU/EEA residents, regardless of where it is headquartered. A US SaaS company serving EU customers or tracking EU visitor behavior via web analytics falls in scope. Controllers and processors both carry direct liability. No revenue threshold applies, though limited SME derogations exist: Article 30 record-keeping requirements are relaxed for organizations with fewer than 250 employees in specific cases.

Mandatory?Mandatory for any org processing EU/EEA personal data
Who validates?DPA enforcement; no formal certification scheme
RenewalOngoing compliance; no fixed audit cycle
ScopeAny personal data of EU/EEA individuals, regardless of org location

๐Ÿ› European Parliament and Council of the European Union (publisher of Regulation (EU) 2016/679). Consistency guidance is provided by the European Data Protection Board (EDPB), and enforcement is carried out by each EU/EEA Supervisory Authority (e.g., CNIL in France, and BfDI plus regional DPAs in Germany). ยท GDPR (EU 2016/679) Official source โ†’

Get Started

module "..." {
  source  = "gdpr.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Encryption at Rest: Runs controls checking DynamoDB, DAX, API Gateway cache, and CloudTrail log encryption configuration. Validates that KMS CMKs are used rather than default AWS-managed keys where applicable (dynamodb_table_encrypted_with_kms, dax_cluster_encryption_at_rest_enabled, cloudtrail_trail_logs_encrypted_with_kms_cmk).
    • Encryption in Transit: Checks CloudFront distribution viewer protocol policies for HTTPS enforcement and flags ACM certificates expiring within 30 days (cloudfront_distribution_encryption_in_transit_enabled, acm_certificate_expires_30_days).
    • Audit Trail Completeness: Validates CloudTrail is enabled across all regions with read/write events, S3 data events, CloudWatch integration, and log file validation. Covers 10 CloudTrail-related controls that collectively verify a complete audit trail exists.
    • Configuration Monitoring: AWS Config enablement and log delivery are validated across all regions (config_enabled_all_regions, config_configuration_recorder_no_failed_deliver_logs).
    • Storage Access Controls: Verifies that the CloudTrail S3 bucket is not publicly accessible and that S3 bucket access logging is enabled for CloudTrail destinations (cloudtrail_bucket_not_public, cloudtrail_s3_logging_enabled).

  • What you handle

    • Encryption at Rest: Defining and documenting a key management policy per Article 32. Managing KMS key rotation schedules, key access policies, and cross-account key sharing. Mapping which encryption keys protect which categories of personal data for your Article 30 records of processing.
    • Encryption in Transit: Ensuring TLS is enforced at application layers not covered by these controls (e.g., internal microservice communication, database connections). Documenting minimum TLS version requirements. Managing certificate renewal automation and monitoring.
    • Audit Trail Completeness: Writing and testing breach detection rules based on these logs, and configuring the CloudWatch alarms and incident response workflows that consume them. The 72-hour notification window under Article 33 starts when you become aware of an incident, so detection latency matters. Log retention periods should reflect your supervisory authority's expectations.
    • Configuration Monitoring: Defining AWS Config rules specific to your personal data environment. Reviewing configuration change history during DPIA reviews. Integrating Config findings into your governance, risk, and compliance (GRC) platform.
    • Storage Access Controls: Applying least-privilege IAM policies for all S3 buckets containing personal data. Implementing S3 Object Lock or versioning to prevent unauthorized deletion. Documenting data retention and erasure procedures to meet Article 17 (right to erasure) obligations.

Controls by Category

Audit Logging and Monitoring (Articles 5(2), 30, 33) (3 controls)

GDPR Article 33 requires breach notification within 72 hours, which demands comprehensive logging to detect and investigate incidents. Auditors look for multi-region CloudTrail coverage with both read and write event logging, CloudWatch integration for real-time alerting, and log file validation to prove logs have not been tampered with. Organizations frequently miss S3 data-level event logging, which leaves object-level access to personal data unauditable.

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail log file validation should be enabled

Encryption at Rest (Article 32 - Security of Processing) (5 controls)

Auditors verify that personal data stored in databases, caches, and log archives is encrypted using customer-managed keys where feasible. Evidence includes KMS key policies, encryption configuration screenshots from the AWS console or CLI output, and documentation showing key ownership. A common finding is DAX or DynamoDB tables using default AWS-owned keys rather than CMKs, which limits the organization's control over key lifecycle and access auditing.

DynamoDB Accelerator (DAX) clusters should be encrypted at rest DynamoDB table should be encrypted with AWS KMS compliance.tf module DynamoDB table should have encryption enabled compliance.tf module API Gateway stage cache encryption at rest should be enabled CloudTrail trail logs should be encrypted with KMS CMK

Encryption in Transit (Article 32 - Security of Processing) (1 control)

Assessors check that data transmitted over networks is protected via TLS. For CloudFront, this means viewer protocol policies enforce HTTPS. Expired or soon-to-expire ACM certificates get flagged because a lapsed certificate can cause service disruptions that push traffic to unencrypted fallback paths. Evidence includes CloudFront distribution configs and ACM certificate expiry dates.

CloudFront distributions should require encryption in transit compliance.tf module
Additional Controls (43)

AWS IAM (9)

Ensure IAM password policy requires a minimum length of 14 or greater Ensure IAM password policy requires at least one lowercase letter Ensure IAM password policy requires at least one number Ensure IAM password policy requires at least one symbol Ensure IAM password policy requires at least one uppercase letter Ensure IAM password policy prevents password reuse Password policies for IAM users should have strong configurations with minimum length of 8 or greater IAM password policies for users should have strong configurations Ensure IAM password policy expires passwords within 90 days or less

AWS KMS (1)

KMS CMK rotation should be enabled compliance.tf module

Amazon CloudWatch Logs (1)

Log group encryption at rest should be enabled compliance.tf module

Amazon EBS (2)

Attached EBS volumes should have encryption enabled compliance.tf module EBS volume encryption at rest should be enabled compliance.tf module

Amazon EFS (2)

EFS file system encryption at rest should be enabled compliance.tf module EFS file systems should be encrypted with CMK compliance.tf module

Amazon OpenSearch Service (2)

OpenSearch domains should have encryption at rest enabled compliance.tf module OpenSearch domains node-to-node encryption should be enabled compliance.tf module

Amazon RDS (8)

RDS DB instance backup should be enabled compliance.tf module RDS DB instances backup retention period should be greater than or equal to 7 compliance.tf module RDS DB instances should be integrated with CloudWatch logs compliance.tf module RDS DB instance encryption at rest should be enabled compliance.tf module Database logging should be enabled compliance.tf module RDS for MariaDB DB instances should publish logs to CloudWatch Logs compliance.tf module RDS for PostgreSQL DB instances should publish logs to CloudWatch Logs compliance.tf module RDS for SQL Server DB instances should publish logs to CloudWatch Logs compliance.tf module

Amazon Redshift (5)

AWS Redshift audit logging should be enabled compliance.tf module AWS Redshift clusters should have automatic snapshots enabled compliance.tf module Redshift cluster encryption in transit should be enabled compliance.tf module Redshift cluster audit logging and encryption should be enabled compliance.tf module AWS Redshift should have required maintenance settings compliance.tf module

Amazon S3 (3)

S3 bucket default encryption should be enabled compliance.tf module S3 bucket default encryption should be enabled with KMS compliance.tf module S3 buckets object logging should be enabled

Amazon SNS (1)

SNS topics should be encrypted at rest compliance.tf module

Amazon SageMaker (3)

SageMaker endpoint configuration encryption should be enabled SageMaker notebook instances should be encrypted using CMK SageMaker notebook instance encryption should be enabled

Elastic Load Balancing (4)

ELB application and classic load balancer logging should be enabled compliance.tf module ELB application load balancers should be configured to drop HTTP headers compliance.tf module Application Load Balancer should be configured to drop invalid http headers compliance.tf module Application and Network Load Balancer listeners should use secure protocols to encrypt data in transit compliance.tf module

Other (2)

ES domain encryption at rest should be enabled Elasticsearch domain node-to-node encryption should be enabled

  • NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (55%)

    NIST 800-53 Rev 5 covers many of the same technical controls (encryption, logging, access control) but is structured around a federal information systems context. GDPR's emphasis on data subject rights (consent, erasure, portability) has no direct NIST equivalent. The security-of-processing controls in GDPR Article 32 map well to NIST's SC and AU control families.

  • SOC 2 โ€” ๐ŸŸก Medium overlap (45%)

    SOC 2 Trust Services Criteria for Security and Confidentiality partially overlaps with GDPR Articles 5(1)(f) and 32. SOC 2 does not address data subject rights, lawful basis for processing, or cross-border transfer mechanisms. Organizations often pursue both, using SOC 2 to satisfy customer due diligence and GDPR to satisfy regulatory obligations.

  • ISO 27001 โ€” ๐ŸŸข High overlap (60%)

    ISO 27001 Annex A controls map closely to GDPR Article 32 technical measures. ISO 27701 extends 27001 specifically for privacy management and maps directly to GDPR obligations. An existing ISO 27001 certification covers a significant portion of GDPR's security requirements but leaves gaps around lawful basis, consent management, and data subject access requests.

Frequently Asked Questions

Does GDPR apply to my company if we have no offices in the EU?

Yes, if you process personal data of individuals in the EU. Article 3(2) extends GDPR's reach to any organization offering goods or services to EU residents or monitoring their behavior, regardless of where the organization is established. A US company running a website that accepts EU customers or uses analytics tracking on EU visitors falls in scope.

What does GDPR compliance certification look like? Is there a formal audit like SOC 2?

There is no single formal certification audit. Article 42 allows for approved certification mechanisms (such as EuroPriSe or CNIL's certification), but these are voluntary and narrow in scope. Most organizations demonstrate compliance through a combination of internal audits, Data Protection Impact Assessments (Article 35), maintained records of processing (Article 30), and documented technical and organizational measures. Supervisory authorities can request evidence of these at any time.

How do these AWS infrastructure controls relate to GDPR requirements?

GDPR Article 32 requires 'appropriate technical and organisational measures' including encryption of personal data and the ability to ensure ongoing confidentiality, integrity, and availability of processing systems. The controls mapped here cover encryption at rest and in transit, audit logging, and configuration monitoring: the infrastructure security layer. They do not cover GDPR's legal and procedural requirements: lawful basis for processing (Article 6), consent management (Article 7), data subject rights (Articles 15 through 22), Data Protection Officer appointment (Article 37), or cross-border transfer mechanisms (Chapter V).

What are the actual fine amounts and how are they calculated?

Article 83 defines two tiers. Tier 1 violations (e.g., failing to maintain records of processing) carry fines up to EUR 10 million or 2% of annual global turnover, whichever is higher. Tier 2 violations (e.g., violating data subject rights or transfer rules) carry fines up to EUR 20 million or 4% of annual global turnover. Supervisory authorities consider factors including the nature and severity of the infringement, whether it was intentional, mitigation steps taken, and prior history. In practice, fines have ranged from a few thousand euros for small companies to EUR 1.2 billion (Meta, 2023, by the Irish DPC for unlawful data transfers).

How long does it take to implement GDPR compliance from scratch?

It depends on the organization's size, data processing complexity, and existing security posture. A small SaaS company with a modern AWS setup and existing SOC 2 controls might need 3 to 6 months to address the legal and procedural gaps (privacy notices, DPIA process, data subject request workflows, vendor DPAs). A large enterprise with legacy systems and complex data flows across multiple jurisdictions can take 12 to 18 months. The infrastructure controls checked by compliance.tf can be remediated in days to weeks; the legal, organizational, and process requirements take considerably longer.