October 11, 2018

Google Cloud Highlights its GDPR Compliance at Next London 2018

"For us, everything started originally in 1995 with the EU data protection directive," says Marc Crandall at Google Cloud.

By Jonathan Chadwick

Google Cloud has detailed how its privacy and data handling have been bolstered by Europe’s recently enforced General Data Protection Regulation (GDPR), which came into effect earlier this year.

Marc Crandall, director for data protection and compliance at Google Cloud, said at the company’s Next 2018 event in London on Wednesday that data processing terms and amendments were not something the company “did from scratch” in the run-up to May 25 this year.

Google Cloud started offering these amendments in about 2012, around four to five years after it started offering Google Cloud services, based on feedback from data regulators. These were then updated with GDPR-specific terms last year, he said, ahead of GDPR taking effect.

“The creation of this separate data processing amendment, the genesis of that was really based on regulatory feedback from European data protection authorities, who suggested having a separate amendment, just dealing with data protection.

“So not only did we deploy this with our cloud contracts generally, it’s now available to anyone in the world, based on European guidance. It helped set the stage for how we set these contracts up globally.”

While some aspects of GDPR compliance were not new and others needed tweaking, things like greater fines, recording of processing, and detailed contractual provisions all needed to be taken on board.

Data processing terms for Google Cloud now include strict data incident notification, certifications, subprocessors, audits and reports processes, processing limitations, and data deletion, and being able to show customers that once their data is deleted, it’s gone for good.

Google Cloud: Our GDPR Compliance Stems From EU Data Protection Directive in 1995

However, for Google Cloud, data compliance in Europe began with the EU’s data protection directive back in 1995, Crandall said.

“Everything started originally in 1995 with the EU data protection directive, which created very strict obligations on data processors, data controllers with respect to the protection of EU data subjects; restrictions on how the data could be used, how long the data could be stored, right to correction.”

However, 20 years after the data protection directive was passed, there were “only a handful” of countries that maintained adequate privacy protections, because the directive didn’t have direct force of law. The result was a “hodge podge” in how countries enforced it, Crandall said.

To accommodate an increased reliance on the internet, the European Commission created lawful means of data transfer to allow data to be stored globally or internationally, including the Safe Harbour provision in 2000.

“For Google, probably around 2010, 2011, we got the sense that some of the data protection authorities weren’t that thrilled with safe harbour. We were using it, all of Google was using it, and all the major cloud providers were using it.”

Many companies had been relying on Safe Harbour until it was overturned by the European Court of Justice in 2015. Google, meanwhile, had already had model clauses for a couple of years, as well as a privacy shield and an “alternative transfer solution” to stay a step ahead.

“These data transfer mechanisms, privacy shields, and model clauses are still recognised under GDPR, but things may change,” Crandall concluded. “Of course we have legal policy staff, engineering people, compliance personnel; they’re constantly evaluating this and updating our services appropriately.”

Crandall urged cloud customers, regardless of country or industry, to “think like a regulator” when making sure they’re GDPR-compliant, touting the company’s GDPR resource centre.

“You need to familiarise yourself with GDPR, obviously you’re going to talk with your counsel – they’re the ones who can advise you what you need to do. You should be reviewing controls, reviewing security capabilities, product capabilities, create an inventory of the personal data that you can handle. And of course monitor updates of regulatory guidance.

“You must conduct your due diligence; you must evaluate very carefully the capabilities of your cloud provider before you just dump your very important information to the cloud.”
