Google calls GDPR compliance a "shared responsibility"

Blue figure statue next to white background with NEXT on

With a little over a year to go before the EU's General Data Protection Regulation (GDPR) arrives, Google today called for a "shared responsibility" when it comes to compliance and protecting data.

At the London leg of Google's Cloud Next conference, the company spoke at length about its past compliance records, claiming it is well positioned to adhere to the new data protection rules. Google also said it would be rolling out contractual amendments in advance of May 2018, when GDPR applies to the UK, and that it would remain a "committed partner in customers' GDPR compliance efforts".

"Google Cloud is about customers, your data is private to you," said Google Cloud SVP Diane Greene, speaking at the keynote event. "Google is committed to having full support for that by May 2018, and we will put it in your contracts that we are committed to that.

"My commitment to you is that we're going to build together, we're going to have shared responsibility. We're committed to open, rather than locking you in."

The new GDPR regulations represent the single biggest shake up to data protection laws since the creation of the Data Protection Act in 1998. With Google Cloud and G Suite users dealing with over one billion individual customers per day, the company recognised a responsibility to ensure its clients are prepared for the tougher rules.

Although the cloud functions as a relationship between data controllers (companies that decide how and for what purpose data is processed) and data processors (third-parties that do the processing on behalf of controllers), the core principles of unlawful processing remain the same, according to Nathaly Rey, EMEA head of trust at Google Cloud.

"However, there are important new provisions that impact on this relationship," said Rey. "Providers are liable as well for the first time, the fine regime is also more significant than we have had in the past... and you have to ensure data is easily migrated." Within this framework, Google feels the obligations on data processors have increased.

Drawing on the past

Brian Stevens, VP of Google Cloud, said the company is drawing upon its past experience within the EU data protection frameworks to reassure customers they will face as little disruption as possible during the transition.

"Our security capabilities are really helping with your compliance complications," said Stevens. "We have been offering model contract clauses in Europe for a long period of time, and the underlying work we have been doing will set us up for getting ready to commit to GDPR when it rolls out in May next year."

Google was keen to highlight its past records for data compliance, including its adherence to SOC security audits every 18 months, and the securing of a diploma from the International Standards Organisation, considered the gold standard for security.

As part of its commitment, Google has created a number of features to give practical assurance of data compliance. The new Cloud Key Management System (KMS) has been made generally available, an encryption process that provides a more robust method of securing data, over the default Google Encryption, which only encrypts data at rest. The KMS allows customers to encrypt as much user data as they wish using unique keys, which are themselves encrypted on the Google Cloud Platform.

Specific features within G Suite include a 'Vault' function that ensures the user is automatically compliant with GDPR data retention rules, and an advertising restriction that prevents data from being used commercially.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.