When the European Union’s General Data Protection Regulation (GDPR) formally goes into effect next year, Google will be ready for it.
That’s according to Suzanne Frey, Google’s director of security, trust and privacy, and Marc Crandall, director of compliance at the company.
In a blog this week, the two Google executives reiterated the company’s commitment to ensuring that its services will fully comply with the privacy and security requirements of the GDPR. “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018,” Frey and Crandall said.
The GDPR is a sweeping regulation that requires all companies handling personal data belonging to residents of the European Union to adhere to a set of policies and procedures for protecting the data. Among other things, the regulation seeks to ensure that EU residents have more direct control over personal data that might be collected, stored or handled by a company based outside the EU economic zone.
The GDPR statute replaces the US-EU Safe Harbor Agreement that had covered trans-Atlantic transfers for more than a decade. That agreement gave organizations like Google, Microsoft and others a way to self-certify their adherence to the EU’s privacy requirements when handling data belonging to EU residents. The EU’s Court of Justice invalidated Safe Harbor in 2015 over concerns that it did not adequately protect EU data against U.S. government access of the kind disclosed by the Edward Snowden leaks.
In their blog this week, Frey and Crandall noted that Google has evolved its data processing terms and conditions in recent years to more clearly articulate the company’s privacy commitments. The terms will be further updated to bring them in line with GDPR requirements, the two Google directors noted.
Google also provides several third-party audits and certifications for its cloud platform and G Suite, including ISO 27001 security audits and ISO 27017 and ISO 27018 certifications for protection of personally identifiable data in the cloud, they said.
In addition, Google’s Cloud Platform and G Suite services have been certified under Privacy Shield, a program designed to give companies a way to show their adherence to the privacy and security controls specified in GDPR. EU data protection authorities have also already signed off on the so-called model contract clauses that Google uses to cover the transfer of EU customer data to the United States, the two Google executives said. What that means is that Google’s customers in the EU already have the legal cover they need to transfer EU customer data to Google without fear of running afoul of GDPR requirements.
Other changes that Google has made to bring its privacy policies in line with the GDPR include new data portability commitments as well as updated incident and breach notification clauses. “We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process,” Frey and Crandall said.