On May the 28th 2018, the General Data Protection Regulation (GDPR) will come into effect after a transition period of 2 years. The GDPR is a European Union law that will replace the old personal data regulation from 1995, the Data Protection Directive.
The primary goal of the GDPR is to strengthen and unify data protection for all individuals within the European Union (EU), meaning that individuals will have more rights with regard to their data and all European data protection laws will be bundled, regardless of where the data is processed.
We can imagine that you, as a (future) Google Cloud Platform user, have some questions about what this new regulation implies for your big data use, and what Google does to make sure it complies with the law.
We will try to answer these questions here. For more information, we have also put some handy links at the end of this blog.
First of all, it's essential to make a distinction between two different actors: data administrators and data processors. In the case of the Google Cloud Platform, Google is the data processor, and the business that runs its data on the cloud is the data administrator (the client). The data administrator determines the purposes and resources for processing personal data while the data processor processes the data on behalf of this administrator.
Data administrators are responsible for taking the technical and organisational measures necessary to perform data processing in accordance with the GDPR. The obligations of administrators relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as compliance with the rights of stakeholders, also called "data subjects."
On the other side, Google will make every effort to meet the requirements of the GDPR for all Google Cloud services. They do this through the extensive privacy and security protections that they have been incorporating over the years into their services and contracts.
As a client of Google Cloud Platform, it's critical to prepare well for the GDPR taking effect in May. Google* created some advice which you can follow to make sure you are following the GDPR in the right way.
* Google Cloud en de Algemene Verordening Gegevens Bescherming (Google Cloud and the General Data Protection Regulation).
At Google, they do everything in their power to meet the GDPR requirements for the whole range of Google Cloud services. This happens in several areas:
Subject knowledge, reliability, and resources - Google works with leading global experts in the field of information, app, and network security. They also work with the best lawyers, service compliance experts, and government policy specialists, who ensure that Google adheres to privacy and security law.
Obligations in the field of data protection - Google has recently been updating the terms and conditions explicitly based on the GDPR. It's now possible to enter into these updated data processing conditions through a login process, which is described here.
Security of services - According to the GDPR, the administrator and the processor must take sufficient technical and organisational measures to ensure a level of security that is appropriate to the risk. Google uses a global infrastructure designed to provide the very highest level of protection for the entire information processing cycle. Google built the security of their infrastructure in layers, which they explain more about here.
International data transfer - Under their current conditions for data processing, Google is contractually committed to maintaining a mechanism that facilitates the transfer of personal data outside the EU, as required by the Data Protection Directive. They will also offer a corresponding commitment from the day on which the GDPR takes effect.
Standards and certifications - Google Cloud Platform is tested on a regular basis by various independent, external parties to guarantee security, privacy, and compliance.
And Google does more. You can read about it on their website.