Google Workspace (ex. G Suite) and Google Cloud Platform’s commitment to GDPR compliance has been discussed by Google experts for more than a year. Google Cloud’s focus on data security, privacy, and transparency has been the basis for achieving this goal. Therefore, the company has introduced several updates to ensure that Google Cloud customers can enjoy our services from May 25, when the GDPR comes into force.
It is important to note that complying with the GDPR is a shared responsibility. Google Cloud generally acts as a data processor and, as Google’s data processor, only processes data following the instructions of customers. In turn, you have your own data, and Google Cloud is committed to building advanced tools and resources to keep it all under control.
In this article, we want to highlight some critical points for our corporate clients that will help you better understand the GDPR.
Terms of data processing
Over six months ago, well before the GDPR went into effect, Google made essential updates to the data processing timelines for Google Workspace (ex. G Suite) and Google Cloud Platform designed to address GDPR requirements directly. These contractual updates clearly articulated the company’s commitment to customer privacy and became the basis for GDPR compliance for both Google in general and Cloud customers. You should have been notified of the new terms if you are already a valid customer. If you haven’t already, you can take advantage of the new terms by following the instructions for Google Workspace (ex., G Suite) and Google Cloud Platform.
One of the provisions of the GDPR on the right to data portability coincides with Google’s longstanding belief that your data belongs to you. The Google Cloud Trust Principles confirm that you can access and retrieve your data whenever possible. The company is constantly working to improve the reliability of its data export capabilities. An improved data export feature has been introduced to securely download a copy of your information from our Google Workspace (ex. G Suite) and Cloud Identity services.
Data Incident Reporting
With hundreds of Google security engineers worldwide, Google Cloud invests in detecting, preventing, and responding to user data incidents. Google Workspace (ex. G Suite) and Google Cloud Platform have provided customer data incident notification contractual obligations for many years. The updated terms reflect the notification periods for processors set out in Article 33 of the GDPR.
Services and infrastructure are offered to ensure the security of data processing
Google Cloud offers new solutions to help organizations keep critical data private, resilient, and quickly accessible. By default, Google provides orderly user data classification, detection, monitoring, and de-identification through the company’s Cloud Data Loss Prevention (DLP) API to help customers manage and protect their data wherever it is. Google provides an audit trail and reports when technical teams interact with your data and system configurations.
Third-party audit and certification
Google regularly reviews and evaluates the effectiveness of technical and organizational security and privacy controls through third-party audits and certifications for Google Workspace (ex. G Suite) and Google Cloud Platform. These include international standards such as:
ISO 27001 for information security management systems;
ISO 27017 for cloud security controls;
ISO 27018 protects personal information (PII) in public clouds acting as PII processors.
These certifications and other third-party audits, such as SOC1, SOC2, and SOC3, cover numerous services on Google Cloud. The company will continue to expand the scope of certification in the future.
International data transfers
To comply with applicable EU data protection laws, Google Workspace (ex. G Suite) and Google Cloud Platform are certified under the Privacy Shield. Google also offers model contractual clauses that confirm that the contractual obligations of Google Workspace (ex. G Suite) and GCP are fully compliant with the legal framework for transferring data from the EU to the rest of the world. The regulatory decisions underlying these data transfer mechanisms remain in effect only within the scope of the GDPR.
Get GDPR documentation, videos, and other helpful information for clients at the GDPR Resource Center. You will also be provided with presentations, workshops, and opportunities for clients to directly collaborate with the Google team on the global Cloud Summit and Cloud Next project throughout the year.
Summing up, we can say that we are confident in further developing the GDPR and privacy legislation. Google’s legal team, compliance experts, and public policy experts are committed to working with regulators to understand and implement new requirements or guidelines.
GDPR compliance is a central concern for Google Cloud to protect the privacy and security of customer information. Google continues its work in this area and is ready to help you comply with GDPR requirements. Please send a request if you have any questions regarding your data and GDPR for Google Cloud and Google Workspace (ex. G Suite) products in Ukraine.