Google this week released a new site to help its customers and partners better understand the steps the company is taking to comply with the requirements of the European Union’s General Data Protection Regulation (GDPR).
The statute goes into effect next May and requires any company that handles personal data belonging to EU residents to apply specific security and privacy controls to protect it. The GDPR also gives users more direct control over their data.
As one of the largest Internet and cloud companies in the world, Google has a lot at stake in ensuring that its services are compliant with GDPR. Over the past several months the company has taken multiple measures to ensure that its services meet the standards.
The effort covered almost all of its products including Google cloud services, Gmail and Search along with advertising and measurement services such as DoubleClick, AdSense and AdWords.
The new website consolidates the details of those efforts so Google’s customers and partners are more easily able to determine the control they have over any data they might share with the company. The site also describes the security of Google’s cloud infrastructure and reiterates its commitment to applying with all applicable data protection laws.
Google is “keenly aware” of the significant obligations businesses have under GDPR and similar laws said William Malcolm, the director of privacy for Google’s Europe, Middle East and Asian region in a blog.
“We’ve always worked hard to demonstrate that our services are secure and meet the standards of applicable data protection rules,” Malcolm said. Google’s customers can get a quick update on the status of those efforts from the new website, he added.
The content on Google’s security measures for instance, describes in considerable detail the company’s defense-in-depth strategy for protecting customer data. The section covers Google’s physical security measures for protecting data integrity, its custom security hardware and encryption technologies, the company’s incident response capabilities and processes such as continuous security monitoring and vulnerability scanning.
Also available on the site are details on Google’s commitment and adherence to industry standards such as ISO 27001 for information security management, ISO 27017 for cloud security and FedRAMP for cloud services used by government agencies.
In addition, the website explains how businesses ultimately control what data is shared with Google’s products and services. For organizations that want to keep their business data isolated from other products for instance, Google offers services such as its cloud platform and its G-Suite of cloud-hosted productivity apps. Similarly, for organizations that do not mind sharing their data with Google for data mining and analytics purposes, Google offers services such as Analytics 360.
“You choose what data your business shares with Google based on the products and features you use,” the company explained on its site.
Over the next few months, Google will also release updated contractual commitments with customers that meet GDPR requirements, Malcolm said.
GDPR replaces the EU’s existing Data Protection Directive of 1995. The new rules unify data protection requirements across the EU and places new obligations on all online companies that handle EU data. The law provides for stiff penalties for failure to comply. The law’s origins are rooted in the privacy concerns caused by former NSA contractor Edward Snowden’s leaks about U.S. government surveillance practices.