What a Google Cloud Platform client should know about GDPR
by Robin Laurens, on Nov 15, 2017 11:17:39 AM
What is the General Data Protection Regulation (GDPR)?
On May 28th 2018, the General Data Protection Regulation (GDPR) will come into effect after a transition period of two years. The GDPR is a European Union law that replaces the old personal data regulation from 1995, the Data Protection Directive.
The primary goal of the GDPR is to strengthen and unify data protection for all individuals within the European Union (EU): individuals will have more rights with regard to their data, and the European data protection laws will be bundled into one regulation, regardless of where the data is processed.
We can imagine that you, as a (future) Google Cloud Platform user, have some questions about what this new regulation implies for your big data use, and about what Google does to make sure the law is complied with.
We will try to answer these questions here. For more information, we have also put some handy links at the end of this blog.
Where lies your responsibility as a Google Cloud Platform client?
First of all, it's essential to make a distinction between two different actors: data administrators and data processors. In the case of the Google Cloud Platform, Google is the data processor, and the business that runs its data on the cloud is the data administrator (the client). The data administrator determines the purposes and resources for processing personal data while the data processor processes the data on behalf of this administrator.
Data administrators are responsible for taking the technical and organisational measures necessary to perform data processing following the GDPR. The obligations of administrators relate to principles such as legitimacy, reasonableness and transparency, target binding, data minimisation, and accuracy, as well as compliance with the rights of stakeholders, also called "data subjects."
On the other side, Google will make every effort to meet the requirements of the GDPR for all Google Cloud services. They do this through the extensive privacy and security protections that they have been incorporating over the years into their services and contracts.
What can you do?
As a client of Google Cloud Platform, it's critical to prepare well for the GDPR taking effect in May. Google has created some advice which you can follow to make sure you are following the GDPR in the right way.
- Get to know the terms of the GDPR, and pay particular attention to how they differ from your current obligations in the field of data protection.
- Make an overview of the personal data that you manage. Google's tools can help you identify and classify data.
- Verify that your current management options, policies, and processes meet the requirements of the GDPR. Make a plan to close any gaps.
- See how to integrate the existing Google Cloud data protection features into your own legal and regulatory compliance framework. Evaluate the Google Cloud Platform materials for audits and certifications to see how they can help you.
- Keep track of your responsibilities under the GDPR by regularly visiting the website of your national or, where applicable, primary data protection authority under the GDPR, and by publications from organizations such as the International Organisation of Private Professionals (IAPP).
- GCP customers can use product features and configurations to better protect their personal information against unauthorised or illegal processing. You can find them here.
What Google does
At Google, they do everything in their power to meet the GDPR requirements for the whole range of Google Cloud services. This happens within different areas:
Subject knowledge, reliability, and resources - Google works with leading global experts in the field of information, application, and network security. They also work with the best lawyers, service compliance experts and government policy specialists, who ensure that Google adheres to privacy and security law.
Obligations in the field of data protection - Google has recently been updating the terms and conditions based explicitly on the GDPR. It's now possible to enter these updated data processing conditions through a login process which is described here.
Security of services - According to the GDPR, the administrator and the processor must take sufficient technical and organisational measures to ensure a level of security appropriate to the risk. Google uses a global infrastructure designed to provide the very highest level of protection for the entire information processing cycle. Google built the security of their infrastructure in layers, which they explain more about here.
International data transfer - Under their current conditions for data processing, Google is contractually committed to maintaining a mechanism that facilitates the transfer of personal data outside the EU, as required by the Data Protection Directive. They will also offer a corresponding commitment from the day on which the GDPR takes effect.
Standards and certifications - Google Cloud Platform is tested on a regular basis by various independent external parties to guarantee security, privacy, and compliance.
And Google does more. You can read about it on their website.