Are you prepared for the General Data Protection Regulation (GDPR)?

On 25 May 2018, the most significant piece of European data protection legislation to be introduced in 20 years will come into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Google has committed to GDPR compliance across Google Cloud services, and to helping its customers with their own GDPR compliance through the privacy and security protections it has built into its services and contracts over the years.

What are your responsibilities as a customer?

G Suite for Business, G Suite for Education and Google Cloud Platform customers will typically act as the data controller for any personal data they provide to Google in connection with their use of Google’s services. Under the GDPR, the data controller determines the purposes and means of processing personal data, while the data processor processes personal data on behalf of the controller. When a customer uses G Suite or Google Cloud Platform, Google acts as a data processor, processing personal data on the customer’s behalf.

Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

If you are a data controller, you may find guidance related to your responsibilities under GDPR by regularly checking the website of your national or lead data protection authority under the GDPR (as applicable), as well as by reviewing publications by data privacy associations such as the International Association of Privacy Professionals (IAPP).

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.

Where should you start?

As a current or future customer of Google Cloud, now is a great time for you to begin preparing for the GDPR. Consider these tips:

  • Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.
  • Consider creating an updated inventory of the personal data you handle. Some of the tools in G Suite and Google Cloud Platform can help you identify and classify data, and a data-mapping tool such as DPOrganizer can help you map and visualize where that data flows.
  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.
  • Consider how you can leverage the existing data protection features on Google Cloud as part of your own regulatory compliance framework. Conduct a review of G Suite or Google Cloud Platform third-party audit and certification materials to see how they may help with this exercise.
  • Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable to your business circumstances.

In a future post we will look at what Google Cloud’s commitments under the GDPR are, and what Google must do as a data processor.

NOTE: Please bear in mind that nothing in this article is intended to provide you with, or should be used as a substitute for, legal advice. I recommend you seek independent legal advice to determine your appropriate national or lead data protection authority.