GDPR-Compliant Cloud Infrastructure: What a DevOps Engineer Sets Up for UK and EU Companies in 2026

Control 1: Data Residency (EU/UK Region Restriction)

GDPR restricts transfers of personal data outside the EU/EEA to countries without an adequacy decision, unless appropriate safeguards are in place. For most UK and EU SaaS companies, the simplest approach is to store all personal data within the EU or UK.

A DevOps engineer configures: AWS region selection (eu-west-1 London for UK data, eu-west-1/eu-central-1 Frankfurt for EU data), Service Control Policies (SCPs) that prevent resource creation outside approved regions, S3 bucket policies that deny replication to non-EU regions, and RDS snapshots configured to remain in the same region.

For UK companies post-Brexit: the UK has its own adequacy decision from the EU (currently maintained). UK GDPR (implemented by the Data Protection Act 2018) applies in the UK with equivalent requirements to EU GDPR.

Control 2: Encryption at Rest

GDPR Article 32 lists encryption as an appropriate technical measure for personal data security. A DevOps engineer ensures: all RDS databases have encryption at rest enabled using AWS KMS customer-managed keys (CMKs), all S3 buckets storing personal data have server-side encryption enabled (SSE-S3 minimum, SSE-KMS for regulated data), all EBS volumes are encrypted, and DynamoDB tables with personal data are encrypted.

Key management: for regulated data (health data, financial data), a CMK with documented key rotation policy and access controls provides stronger evidence for GDPR compliance than the default AWS-managed key.

Control 3: Encryption in Transit

Personal data must be encrypted during transmission. A DevOps engineer configures: ALB listeners to redirect all HTTP to HTTPS (HTTP listener with 301 redirect), TLS 1.2 minimum enforced on all load balancers (TLS 1.3 preferred), API Gateway with HTTPS endpoints only, database connections enforced to use SSL/TLS, and internal service-to-service communication encrypted where personal data is transmitted.

Certificate management: AWS ACM certificates with automatic renewal configured to prevent TLS certificate expiry causing HTTPS downtime or fallback to unencrypted connections.

Control 4: Access Control and Least Privilege

GDPR requires that access to personal data is limited to those who need it for their documented purpose. A DevOps engineer implements: IAM policies scoped to the minimum data access required per service role, database user accounts with read/write access only to the tables containing data they process, AWS IAM Access Analyzer to identify over-permissive policies, and quarterly IAM access reviews with documentation.

For UK and EU teams using Active Directory or Okta: AWS SSO integration ensures that access to AWS accounts containing personal data is managed through the corporate identity provider, with access revoked automatically when employees leave.

Control 5: Data Retention and Automated Deletion

GDPR requires that personal data is not kept longer than necessary for the purpose for which it was collected. A DevOps engineer implements automated data lifecycle policies: S3 Lifecycle policies that delete objects after the configured retention period, RDS automated backup retention set to the minimum required (7 days for most SaaS, 35 days maximum), CloudWatch Logs retention policies set to the defined retention period (not indefinite), and database archive and deletion procedures for inactive user accounts.

Data deletion verification: for compliance with right-to-erasure (Article 17) requests, the deletion procedure must confirm that personal data is removed from all storage locations including database backups. A DevOps engineer documents the deletion procedure and the backup retention period so the team knows when a deletion is complete from all copies.

Control 6: Audit Logging and Access Records

GDPR requires the ability to demonstrate compliance (Article 5(2), accountability principle). A DevOps engineer enables: AWS CloudTrail in all regions with log file integrity validation, S3 bucket access logging for buckets containing personal data, RDS audit logging (MySQL general log or PostgreSQL pgaudit) for data access by user, VPC Flow Logs for network access to data stores, and log retention for the compliance-required period (typically 1 to 3 years for GDPR evidence).

Logs are shipped to a dedicated logging account or S3 bucket that application teams cannot modify or delete, ensuring the integrity of the audit trail.

Control 7: Breach Detection and Notification Infrastructure

GDPR Article 33 requires notification of personal data breaches to the supervisory authority within 72 hours of becoming aware. A DevOps engineer configures the monitoring that makes 72-hour detection achievable: CloudWatch alarms for unusual data access patterns (large S3 GetObject volume, unusual RDS query count, unexpected cross-account access), GuardDuty enabled for threat detection (unusual API calls, compromised credentials, suspicious network activity), and Security Hub for consolidated security findings across the account.

A runbook documents the breach detection, assessment, and notification procedure so the 72-hour window can be met without having to write the procedure during an active incident.

Control 8: Data Processor Documentation (Terraform as Evidence)

GDPR requires documentation of the technical measures in place (Article 32(1)(d)). Infrastructure as Code provides this documentation automatically. A DevOps engineer ensures: all infrastructure is defined in Terraform code checked into Git, Terraform state documents the current configuration, and a Terraform plan before any change shows what will be modified.

For GDPR evidence: the Terraform code is the Record of Processing Activities (ROPA) supplement for technical measures. An auditor or DPO (Data Protection Officer) can review the Terraform code to verify encryption, region, and access control configurations rather than relying on manually maintained documentation.

GDPR infrastructure scope

Cost at $22/hour

What is delivered

GDPR infrastructure gap assessment

2 to 3 days: $352 to $528

Gap report: which of the 8 controls are missing, risk rating, remediation priority

Data residency + encryption controls (1-3)

3 to 5 days: $528 to $880

Region restrictions via SCPs, encryption at rest and in transit, KMS CMK setup

Access control + retention policies (4-5)

3 to 5 days: $528 to $880

IAM least-privilege, S3 lifecycle, RDS backup retention, CloudWatch log retention

Audit logging + breach detection (6-7)

3 to 5 days: $528 to $880

CloudTrail, RDS audit logs, GuardDuty, Security Hub, breach notification runbook

Terraform documentation (8)

1 to 2 days: $176 to $352

All infrastructure in Terraform, GDPR evidence documentation for DPO

Full GDPR infrastructure compliance

10 to 16 days: $1,760 to $2,816

All 8 controls implemented. DPO evidence package. SOC 2 mapping included.

Monthly retainer (GDPR + DevOps)

$3,200/month

Ongoing: policy updates, quarterly access reviews, retention policy maintenance