Author Archives: Suzanne Frey

Get more information about your apps in Google Play

We work hard to keep Google Play a safe, trusted space for people to enjoy the latest Android apps. Today, we’re launching a new feature, the Data safety section, where developers will be required to give people more information about how apps collect, share and secure users’ data. Users will start seeing the Data safety section in Google Play today, and developers are required to complete this section for their apps by July 20th. As app developers update their functionality or change their data handling practices, they will show the latest in the apps’ Data safety section.

A unified view of app safety in Google Play

We heard from users and app developers that displaying the data an app collects, without additional context, is not enough. Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties. In addition, users want to understand how app developers are securing user data after an app is downloaded. That’s why we designed the Data safety section to allow developers to clearly mark what data is being collected and for what purpose it's being used. Users can also see whether the app needs this data to function or if this data collection is optional.

Here is the information developers can show in the Data safety section:

  • Whether the developer is collecting data and for what purpose.
  • Whether the developer is sharing data with third parties.
  • The app’s security practices, like encryption of data in transit and whether users can ask for data to be deleted.
  • Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.
  • Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).
Android phone showing the Data safety section of an app on Google Play

Putting users in control, before and after you download

Giving users more visibility into how apps collect, share and secure their data through the Data safety section is just one way we’re keeping the Android users and ecosystem safe.

We’ve also worked hard to give users control of installed apps through simple permissions features. For example, when an app asks to access “your location”, users can quickly and easily decide whether they want to grant that permission - for one time use, only while using the app, or all the time. For sensitive permissions like camera, microphone, or location data, people can go to the Android Privacy dashboard to review data access by apps.

Apps should help users explore the world, connect with loved ones, do work, learn something new, and more without compromising user safety. The new Data safety section, in addition to Google Play’s existing safety features, gives people the visibility and control they need to enjoy their apps.

To learn more about Google Play’s Data safety section, check out this guide.

Google Cloud: Ready for the GDPR

Over a year ago, we wrote about our commitment to GDPR compliance across G Suite and Google Cloud Platform. Google Cloud’s focus on data security, privacy, and transparency provided a strong foundation towards achieving that commitment, and we’ve made multiple updates to ensure that Google Cloud customers can confidently use our services when the GDPR takes effect on May 25.

It’s important to note that GDPR compliance is a shared responsibility. Google Cloud generally acts as a data processor, and as a data processor we process data only as instructed by you—our customers. In turn, you own your data, and Google Cloud is committed to advancing tools and resources that put you in control.

Today, we’d like to highlight some key points for our enterprise customers to assist you along your GDPR journey.

Data processing terms

More than six months ago, well in advance of the GDPR coming into effect, we made important updates to our data processing terms for G Suite[1] and Google Cloud Platform designed to directly address GDPR requirements. These contractual updates clearly articulate our privacy commitments to customers, and are fundamental to GDPR compliance for both Google and our Cloud customers. If you’re an existing customer, you’ve received notifications about the new terms. If you haven’t already, you can opt in to the new terms by following the instructions for G Suite and for Google Cloud Platform.

Data portability

The GDPR’s assertion of a right to data portability aligns with our long-held belief that your data belongs to you. Google Cloud’s trust principles affirm that you can access and remove your business’ data whenever you want, and we’ve continually worked to enhance the robustness of our data export capabilities. We’ve introduced an enhanced data export feature to make it even easier to download a copy of your business’ data securely from our G Suite and Cloud Identity services.

Data incident notification

G Suite and Google Cloud Platform have provided contractual commitments to customers around incident notification for many years, and our updated terms reflect the notification timelines for processors put forth in Article 33 of the GDPR. With hundreds of Google engineers across the globe dedicated to security, Google Cloud has and will continue to invest in threat detection, prevention, and incident response capabilities.

Services and infrastructure built to ensure the security of processing

Google Cloud provides solutions that can help organizations keep their sensitive data confidential, available, and resilient. For example, we offer encryption at rest by default. We provide sensitive data classification, discovery, monitoring, and de-identification through our Cloud Data Loss Prevention (DLP) API to help customers manage and protect their data wherever it resides. And we provide notifications and an audit log whenever our support or engineering teams interact with your data and system configurations. You can find more examples on our security page.

Third-party audits and certifications

We regularly test, assess, and evaluate the effectiveness of our technical and organizational security and privacy measures via third-party audits and certifications for G Suite and Google Cloud Platform. These include international standards such as ISO 27001 for information security management systems, ISO 27017 for cloud security controls, and ISO 27018 for protection of personally identifiable information (PII) in public clouds acting as PII processors. These certifications, as well as other third-party audits such as SOC1, SOC2, and SOC3, cover numerous services within Google Cloud. We continue to expand the coverage of our certifications.

International data transfers

To address current EU data protection laws, G Suite and GCP are certified under Privacy Shield. We also offer model contract clauses, affirming that G Suite and GCP contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world. The regulatory decisions underlying these data transfer mechanisms remain in force under GDPR.

Educational resources

We provide GDPR-related documentation, white papers, videos, and other useful information for customers on our GDPR Resource Center, and will provide presentations, workshops, and opportunities for customers to engage directly with our compliance team in our global Cloud Summit and Cloud Next events throughout the year.

Finally, we recognize that the GDPR and privacy legislation will evolve. Our team of lawyers, regulatory compliance experts, and public policy specialists are committed to working with regulators to understand and address any new requirements or implementation guidance.

Compliance is central to Google Cloud’s mission of protecting the privacy and security of our customers’ information. We’ll continue our work in this space, and are committed to helping you meet your GDPR compliance needs. For more information, please visit our GDPR Resource Center.

1. G Suite includes G Suite for Business and G Suite for Education

Helping G Suite customers stay secure with new proactive phishing protections and management controls

Security tools are only effective at stopping threats if they are deployed and managed at scale, but getting everyone in your organization to adopt these tools ultimately hinges on how easy they are to use. It’s for this reason that G Suite has always aimed to give IT admins simpler ways to manage access, control devices, ensure compliance and keep data secure.

Today we announced more than 20 updates to deepen and expand Google Cloud customers’ control over their security. Many of these features will be turned on by default for G Suite so that you can be sure the right protections are in place for your organization. And, even better, in most cases your users won’t have to do a thing. Here’s the breakdown.

1. Helping to protect your users and organization with new advanced anti-phishing capabilities

We're applying machine learning (ML) to billions of threat indicators and evolving our models to quickly identify what could be a phishing attack in the making. Information from these self-learning ML models helps us flag suspicious content. At the same time, updated phishing security controls can be configured to automatically switch on the latest Google-recommended defenses.

These new default-on protections can:

  • Automatically flag emails from untrusted senders that have encrypted attachments or embedded scripts.
  • Warn against email that tries to spoof employee names or that comes from a domain that looks similar to your own domain.
  • Offer enhanced protections against spear phishing attacks by flagging unauthenticated email.
  • Scan images for phishing indicators and expand shortened URLs to uncover malicious links.

With the protections we have in place, more than 99.9% of Business Email Compromise (BEC) scenarios—or when someone impersonates an executive to get sensitive information—are either automatically moved to the spam folder or flagged with anomaly warnings to users.

2. Giving you more control over mobile devices with default-on mobile management

Securing endpoints like mobile devices is one of the best ways for businesses to keep data safe. More than 7 million devices are already managed with G Suite’s enterprise-grade mobile management solution. With new proactive security settings, basic device management is automatically enabled for your mobile devices that access G Suite.

This means employees don’t have to install profiles on iOS and Android devices. It also means admins get added security management controls to help them:

  • See which devices access corporate data in a single dashboard.
  • Enforce pass codes and erase confidential data with selective account wipe for Android and iOS.
  • Automatically protect Android and iOS devices, with no user intervention or device profile required.

And you may have noticed we launched updates to Cloud Identity—a way for enterprises to manage users, apps and devices centrally. Cloud Identity includes user lifecycle management, account security, SSO, robust device and app management and unified reporting. Check it out.

3. Offering you more visibility and insights to stay ahead of potential threats

IT admins who operate in the cloud seek tools, visibility and assistive insights to stop threats or gaps in operations before they become security incidents. This is why we introduced the security center for G Suite earlier this year. The security center is a tool that brings together security analytics, actionable insights and best practice recommendations from Google to help you protect your organization, data and users.

Today, we’re introducing additions to the security center for G Suite including:

  • New security charts to show OAuth activity and Business Email Compromise (BEC) scam threats that are specifically focused on phishing emails that may not have links.
  • New mobile management charts to help IT admins examine activity analytics and show when devices have been hijacked, rooted or jailbroken, as well as when other suspicious device activity has been detected.
  • Ways to reorganize the dashboard to focus on what is most important to your organization.
  • Ways to analyze your organization’s security health and get custom advice on security key deployment and protection against phishing scams.

If you’re new to using the G Suite security center, check out these instructions to get started.

4. Providing built-in protections and controls for Team Drives

Enterprises share and store an enormous amount of content, which means admins need more controls to keep this data protected. That’s why we’re enhancing Team Drives with new security controls to give you more ways to safeguard highly-sensitive content. Now, your data can be protected by Information Rights Management (IRM) controls so you can feel confident that your company’s ideas stay “yours.”

Specific updates include the ability to modify settings for Team Drives to:

  • Limit file access privileges to Team Drives members, or only to users within your domain.
  • Add IRM controls to prevent users from printing, downloading and copying files within Team Drives.

These new security features for Team Drives will roll out over the next few weeks.

Get started

Phishing and mobile management controls are available now across all G Suite versions, and you’ll be able to use Team Drives controls in the coming weeks. If you’re a G Suite Enterprise customer, you can access the security center in the Admin console.

Source: Google Cloud


Google Cloud: Our Commitment to the General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years.  It replaces the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data, seeking to unify data protection laws across Europe.

Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform (GCP) services when the GDPR takes effect on May 25, 2018. We'll make important updates to contractual commitments that directly address GDPR requirements. We're also a committed partner in customers’ GDPR compliance efforts. Users can leverage Google Cloud services with confidence, understanding the robust data protection capabilities built into Google Cloud.

Where do we stand?

We've worked diligently over the last decade to help our customers directly address EU data protection requirements. These efforts have been critical in our ongoing preparations for the GDPR:

Data processing terms: Strong data protection commitments between cloud providers and customers are fundamental to compliance. Our data processing terms for G Suite and Google Cloud Platform clearly articulate our privacy commitments to customers. We've evolved our terms over the years based on feedback from our customers and regulators.  Our terms will be updated for the GDPR as well.

Third-party audits and certifications: We offer a number of third-party audits and certifications for G Suite and GCP. We undergo ISO 27001 security audits, and have done so for several years.  In 2016, we introduced two new security and privacy certifications, ISO 27017 for cloud security and ISO 27018 for protection of personally identifiable information in public clouds. These certifications, as well as other third-party audits such as SOC1, SOC2 and SOC3 cover numerous services within Google Cloud.

International data transfers: The GDPR, like the Data Protection Directive it will replace, includes provisions on international data transfer mechanisms. To address current EU data protection laws, G Suite and GCP are certified under Privacy Shield. We've also gained confirmation of compliance from European Data Protection Authorities for our model contract clauses, affirming that G Suite and GCP contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world, in accordance with the Data Protection Directive.

Data export: The GDPR includes certain requirements for the export of personal data. The data you store in Google Cloud is yours. We've included data portability commitments in our data processing terms for several years, and are continually working to enhance the robustness of our data export capabilities.

Incident notifications: GDPR contains requirements around breach notifications. G Suite and GCP have provided contractual obligations around incident notification for many years. With hundreds of Google engineers dedicated to security, Google Cloud has and will continue to invest in our security, incident response, threat detection and prevention capabilities.

Where do you stand?

As a current or future customer of Google Cloud, now is a great time for you to begin preparing for the GDPR.  Consider these tips:

  • Familiarize yourself with the provisions of the new regulation, particularly how they may differ from your current data protection obligations. Be aware that new requirements may require new agreements with service providers or completely new solutions that meet the stringent requirements ahead.
  • Consider creating an updated and precise inventory of personal information that you process (you can use some of our tools like Data Loss Prevention to help).
  • Review your current controls and processes to ensure that they're adequate, and build a plan to address any gaps.
  • Consider how you can leverage Google Cloud compliance capabilities as part of your own regulatory compliance framework. Conduct a review of G Suite or Google Cloud Platform third-party audit and certification materials to see how they may help with this exercise. 
  • Stay abreast of updated regulatory guidance as it becomes available and consider consulting a legal expert to obtain guidance applicable to you.

What’s next

We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process. We have a global team of regulatory compliance specialists, product managers, engineers, counsel and public policy specialists who continue to carefully monitor GDPR implementation guidance, and will update our contractual commitments accordingly. We'll make our updated data processing amendment available to our customers soon. We're also producing additional materials to assist customers with their due diligence efforts as they prepare for GDPR.

At Google Cloud, we work to earn the trust of our users every day. As such, protecting the privacy and security of our customers’ information is a top priority, and compliance is central to this mission. We'll continue to evolve our capabilities in accordance with the changing regulatory landscape and work with you to help facilitate your GDPR compliance efforts.
