AWS Audit Manager will no longer be open to new customers starting April 30, 2026. If you would like to use Audit Manager, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS Audit Manager availability change](https://docs.aws.amazon.com/audit-manager/latest/userguide/audit-manager-availability-change.html).
# GDPR 2016
AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR) 2016.
This framework contains only manual controls. These manual controls don't collect evidence automatically. However, if you want to automate evidence collection for some controls under GDPR, you can use the custom control feature in Audit Manager. For more information, see [Using this framework](#framework-GDPR).
**Topics**
+ [
## What is the GDPR?
](#what-is-GDPR)
+ [Using this framework](#framework-GDPR)
+ [
## Next steps
](#next-steps-GDPR)
+ [
## Additional resources
](#resources-GDPR)
## What is the GDPR?
The GDPR is a European privacy law that became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as [Directive 95/46/EC](http://en.wikipedia.org/wiki/Data_Protection_Directive). It's intended to harmonize data protection laws throughout the European Union (EU). It does this by applying a single data protection law that's binding throughout each EU member state.
The GDPR applies to all organizations that are established in the EU and to organizations (no matter whether they were established in the EU) that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information that relates to an identified or identifiable natural person.
You can find the GDPR framework in the framework library page of Audit Manager. For more information, see the [General Data Protection Regulation (GDPR) Center](https://aws.amazon.com/compliance/gdpr-center/).
## Using this framework
You can use the GDPR 2016 framework in Audit Manager to help you prepare for audits.
The framework details are as follows:
| Framework name in AWS Audit Manager | Number of automated controls | Number of manual controls | Number of control sets |
| --- | --- | --- | --- |
| General Data Protection Regulation (GDPR) 2016 | 0 | 378 | 10 |
This standard framework contains manual controls only.
**Note**
If you want to automate evidence collection for GDPR, you can use Audit Manager to [create your own custom controls](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) for GDPR. The following table provides recommendations on the AWS data sources that you can map to GDPR requirements in your custom controls. Although some of the following data sources are mapped to multiple controls, keep in mind that you're charged only once for each resource assessment.
The following recommendations use AWS Config and AWS Security Hub CSPM as data sources. To successfully collect evidence from these data sources, make sure that you followed the instructions to [enable and set up AWS Config and AWS Security Hub CSPM](https://docs.aws.amazon.com/audit-manager/latest/userguide/setup-recommendations.html) in your AWS account. After you've set up both services in this way, Audit Manager collects evidence each time an evaluation occurs for the specified AWS Config rule or Security Hub CSPM control.
| Control name | Control set | Recommended control data source mapping |
| --- | --- | --- |
| Article 25 Data protection by design and by default.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources: Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 25 Data protection by design and by default.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 25 Data protection by design and by default.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub controls as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.4 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 30 Records of processing activities.5 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)Choose AWS Security Hub CSPM as the data source type, and select the following Security Hub control as a data source mapping:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.1 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.2 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.3 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
| Article 32 Security of processing.4 | Chapter 4 - Controller and Processor | You can [create a custom control](https://docs.aws.amazon.com/audit-manager/latest/userguide/create-controls.html) in AWS Audit Manager that supports this GDPR control. When you [specify the control details](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-1), enter the following under **Testing information**:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html)When you [set up the control data sources](https://docs.aws.amazon.com/audit-manager/latest/userguide/customize-control-from-scratch.html#from-scratch-step-2), we recommend that you include all of the following as data sources:Choose AWS Config as the data source type, and select the following AWS Config managed rules as data source mappings:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/audit-manager/latest/userguide/GDPR.html) |
After you create your new custom controls for GDPR, you can add them to a custom GDPR framework. You can then create an assessment from the custom GDPR framework. This way, Audit Manager can collect evidence automatically for the custom controls that you added.
## Next steps
For instructions on how to view detailed information about this framework, including the list of standard controls that it contains, see [Reviewing a framework in AWS Audit Manager](review-frameworks.md).
For instructions on how to create an assessment using this framework, see [Creating an assessment in AWS Audit Manager](create-assessments.md).
For instructions on how to customize this framework to support your specific requirements, see [Making an editable copy of an existing framework in AWS Audit Manager](create-custom-frameworks-from-existing.md).
## Additional resources
+ [General Data Protection Regulation (GDPR) Center](https://aws.amazon.com/compliance/gdpr-center/)
+ [AWS GDPR blog posts](https://aws.amazon.com/blogs/security/tag/gdpr/)