GDPR & Google Workspace: How to stay compliant with GDPR

Google Workspace has become a dominant force in the business productivity software market. The product, formerly known as G-Suite has reached mass adoption in the market, shaking off fierce competition from rival Microsoft’s Office365 – which has been arguably slow to the market, considering their prior dominance with the Microsoft Office suite.

Official statistics on the number of Google Workspace users has been hard to pin down as Google rarely breaks down the performance of individual Google Cloud products in their earnings reports. 

However, some recent press can give us insight into the size of the market. On April 7th 2020, CNBC reported that Google executive Javier Soltero told them in an interview that “G-Suite” had “passed 6 million paying customers”. A few months prior the same executive shared with Axios that “G-Suite” products had surpassed 2 billion total users.

While Soltero did not disclose how many of the 2 billion users were paying customers, this gives us an insight into the huge reach of Google’s productivity and email products.

Recent earnings reports suggest that the number of users has continued to grow since then. Google’s 2021 Q2 earnings report stated that Google Cloud revenue growth was strong, climbing nearly 54 percent. No product breakdown was provided but the report does make clear that “Google Cloud generates revenues primarily from fees received for Google Cloud Platform services and Google Workspace collaboration tools”.

With such a large number of users within the UK and EU you might assume that Google’s product was fully compliant with EU GDPR and UK GDPR. However, as is often the case, that’s not quite how it works out of the box.

Note: The UK GDPR and EU GDPR are technically different laws. As of the time of writing, there are no significant differences between the two laws so we will refer solely to GDPR throughout the article for brevity.

What Google Workspace does

First, let’s make sure we’re clear about what we mean when we refer to Google Workspace. 

Google Workspace is Google’s productivity suite for business customers. It includes:

  • enterprise-grade email and communications tools such as Google Chat for instant messaging and Google Meet for video conferencing
  • cloud-based word processing application Google Docs, presentation software Google Slides and spreadsheet software Google Sheets

Lesser-known elements of Google Worsplace include:

  • ability to manage basic employee information such as employee’s line manager and department, basic contact details and working locations.
  • Google Currents a work focussed internal social media tool. 

Google Workspace is almost exclusively used by businesses. While many of the products available in Google Workspace are also available for free to individuals, the data processing terms of these free services are different from those of the Workspace versions. For example, the messages in your personal Gmail account may be read by Google’s AI software in order to display relevant advertisements within your browser, this differs from the Google Workspace edition of Gmail where there are no advertisements. 

In this article, we’ll be focusing on Google Workspace products for business customers only in our analysis of the GDPR risks and potential solutions.

Is Google Workspace GDPR Compliant?

Google Workspace is clearly a handy tool for many businesses. But is it GDPR compliant? The answer, as with nearly all software, is “No, not out of the box”. 

But can it be made compliant? Yes.

To do so you’ll need to analyse your risks, set up some processes, and complete some documentation. So what do we need to be aware of when using Google Workspace?

In the following section, we’ll go through each of the principles of GDPR. We’ll:

  1. Explore what compliance challenges there are when using Google Workspace
  2. Provide some short workarounds and practical steps you can take to improve your compliance with GDPR when using this product.

Please note that this list may not be exhaustive to your specific needs. We recommend consulting with a professional who can fully advise on your individual situation.

GDPR Principle: Lawfulness, fairness and transparency

This principle is fairly straightforward. Organisations must ensure that their data processing falls under a legally permitted purpose, that the processing is fair and that individuals are aware of how their personal data is being processed. 

Issues

You may end up storing a large amount of personal data in Google Workspace. All personal data you process must have a legal basis for processing under GDPR. In most situations, this will be either consent, legitimate interests, to fulfill a legal obligation, or to fulfill a contract. 

Customers may expect you to process their personal data in order to deliver your products and services to them. They may reasonably expect that you will store and process their data in a cloud-based tool, for example, you may use Google Sheets to track the stages of a client’s project, or to make a list of key contacts on a project. 

These use cases can be covered easily by describing the types of data processing you will do in your privacy policy. 

When acquiring customers

Things are more complex when you process the personal data of people with who you do not have an established business relationship with. In this case, we are referring to processing the personal data of someone with who you do not have a relationship with as either a customer, employee, supplier, partner and who has not contacted you to enquire about or purchase products and services from you.

Let’s run through a scenario. You’re making a list of prospective customers in Google Sheets that you populate with data like their name, company, or even contact details you found on LinkedIn.

There would be a compliance issue at this stage as you can only apply the lawful basis of legitimate interests to this type of processing. This means you would need to complete a balancing test first.

Legitimate interests are “where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

The issue is present as there are no built in safeguards or prompts within the Google Workspace tool to check that you have run this kind of analysis first.

Within the internal team

Another example where issues are likely to occur is when your wider team is not adequately trained on the principles of GDPR. This could be:

  • Putting user information at risk by storing data in their own drive rather than the shared office drive.
  • Putting the company at risk of GDPR fines by storing personal data that has not been legally acquired on company Google Workspace drives and apps.
  • Making information difficult to manage by unorganised and poorly tagged data – a headache to any new team members or when trying to find a certain document.

When a user makes a GDPR request

Under GDPR, a data subject has the right to request a copy of their personal information from you. In the process of fulfilling the request, you may check your main systems but forget to check individual files stored by employees in their Google Drive folders or in their email attachments. 

Solutions

To help comply with this principle when using Google Workspace you should consider:

  • Making updates to your privacy policy about the types of processing you routinely perform in Google Workspace.
  • Adding Google Workspace to your DPIA and data mapping exercises so you can make sure that these tools are adequately disclosed.
  • Training your staff on GDPR principles so that only lawfully acquired data is processed within Google Workspace.
  • Running legitimate interests balancing tests on all data processing activities before entering personal data into Google Workspace products.
  • Getting familiar with administrative controls in Google Workspace that can help you fulfil any data subject access requests.

GDPR Principle: Purpose limitation

Under GDPR organisations should be upfront about the purposes for which they are collecting personal data. They should only use the personal data they have collected for those reasons and should not collect additional personal data for purposes that are not currently defined.

Issues

When personal data is stored in Google Workspace products, it may be unclear what the purpose for data processing is. For example, there’s a list of emails and names sitting in an unnamed Google Sheets doc and there’s only a vague guess on what it should be used for.

The nature of Google Workspace products does not specifically cater for features like custom fields, which can help you label the data with the purposes of processing is permitted. 

Solutions

  • One solution would be to advise staff to limit the amount of personal data that they upload into Google Workspace products. For example you may state that customer details are never to be processed using Google Workspace products, they should instead remain in your CRM or order management system. If staff need to upload data into Google Workspace products, for example into Google Sheets for data analysis then they should anonymise the data before upload, removing all personal identifiers. Or they should mark the file, with a “DEL LATER” or “TEMP” title, allowing the team to regularly purge the files stored in Google Workspace products, simply by searching for files that should only be retained on a temporary basis.
  • This approach would be best complemented with adequate staff training. Staff who have not been trained on the principles of GDPR may assume that any personal data they find can be used for any processing task that the business commonly performs. If they have only a partial understanding of GDPR they may also assume that they can perform additional processing tasks that are different to the original purposes stated at collection as long as they fall under the legitimate interests of the business. To remedy this issue, all staff using Google Workspace products should be fully trained on GDPR and they should receive regular refresher training which challenges them to work through the principles of GDPR via practical simulations. The Google Workspace file storage of any staff member who scores poorly on GDPR training should be reviewed to ensure that no personal data is being incorrectly processed.

GDPR Principle: Data minimisation

Under GDPR organisations should only collect the data that is necessary to fulfill their processing. 

Issues

  • Google Workspace products do not automatically prompt for excessive information. In this case staff will need a basic awareness of this GDPR principle to help you avoid most issues.
  • Using a high volume of data by working with third parties, particularly via email. The volume of data may be unnecessary for your processing. For example, a recruiter forwards you a large amount of personal information about a candidate by email. At that stage, you may only require basic information about their employment history and their contact details. Even though the recruiter is the person who sent the unnecessary information, you now have a responsibility to ensure that the principle of data minimisation is met. In this case, you may retain the email and relevant content as part of your standard recruitment processes.

Solutions

  • Build data minimisation principles into all your processes. Ensure you only collect what is necessary to complete your tasks. When we work with clients at Measured Collective, this issue comes up time and time again. Typically, more data = more problems. To apply this principle properly processes should be reviewed regularly, and all staff members should be asking “do we really need to know that?” when designing business processes. If you don’t need it, don’t ask for it.
  • Set up processes for handling data sent to you by third parties. For example, this could be a simple “data cleaning” process in which you remove unnecessary data from incoming files. E.g. delete unrequired columns in a spreadsheet of potential customers. You can enhance your process by telling third parties exactly what data fields you are interested in receiving. For example, “at this stage we are only interested in gathering the first name and email address of interested candidates”. You can tell third parties that any additional information sent will be rejected and deleted from your systems. 

GDPR Principle: Accuracy

Under GDPR organisations should make sure that the data they process is accurate. This means they should maintain the data and take steps to ensure that it is correct and kept up to date.

Issues

  • Most data within Google Workspace products isn’t tied to one individual profile. For example some old CVs might sit in the attachments folder of a manager’s email address, while an old sales campaign spreadsheet might list multiple key account contact details.
  • With a CRM system data accuracy is less of a problem, you have one central record for each individual and each staff member can keep the information up to date when they interact with the individual in question.
  • With Google Workspace in general, it’s very difficult to maintain accuracy across individual people’s records, unless you figure out a method to connect all your data.

Solutions

  • A solution may be to evaluate the impact of holding inaccurate information. 
  • For one-off projects, then the impact is likely to be low, the data is collected, used and then it is no longer required. It should just be deleted from Google Workspace products when the project is complete. 
  • For projects where the impact on individuals could be high, such as if you were using customer information to determine credit worthiness, then consider moving personal details to the one storage system. For example a single CRM or contact book which is updated company wide. You can then ask staff not to add contact details or other personal information into Google Workspace files. Instead they can add the ID or reference of the CRM contact, or a hyperlink to their record in the CRM. This separation of personal data creates one source of truth for personal information that you collect, and greatly reduces your administration work in keeping your data up to date. When a data property for a contact changes, for example they switch to a new email address, you just need to update it in one place. Less systems, less problems.

GDPR Principle: Storage limitation

Under GDPR, organisations should only store personal data for as long as is necessary to fulfill their processing needs. The length of time that data should be retained is not set in stone. Personal data should not be retained indefinitely, instead organisations should figure out how long they require to keep the data and should put in place processes to ensure that data is deleted when it is no longer required. Organisations should be aware when legal requirements mandate them to keep data, for example keeping records of financial transactions.

Issue

The core issue with this principle and Google Workspace is the sheer scale of information that can end up being stored in your Google Workspace products and drive. Personal information can end up hidden within spreadsheets, which may be difficult to find when you search your drive. This means that you could end up storing personal data for an unnecessary length of time, which would breach the storage limitation principle.

Solutions

The first solution is to fully implement the data minimisation principle, so that you only gather what you need to process.

The next solution would be to schedule regular reviews of the data stored in your Google Workspace drives. You can run this process by searching through all files stored in your Workspace drives, and sorting them by date created (furthest away day first) so that you can see the oldest files in your drive. You can then begin removing files that are no longer needed, or make a note on them so that the appropriate employee can review if the data is still needed.

Another solution would be to minimise the personal data stored in Google Workspace from the outset. You can do this by referring to people anonymously, for example by an ID or reference used in a system like a CRM. Or by removing any personal information from documents before entering them into your Google Workspace products.

GDPR Principle: Integrity and confidentiality

This principle, also known as the accountability principle, covers the requirement for organisations to put technical and organisational measures in place to protect personal data. It specifically mentions security. While it does not prescribe exact measures such as the locking of office doors, or the installation of antivirus software on employee devices, it does state that personal data must be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Issue

The main issue with Google Workspace in relation to this principle is that your employee’s accounts may potentially be accessed by third parties unlawfully. This may be the result of a data breach, or it may be the result of one of your employee’s login details being compromised. Perhaps through keylogging malware, brute force if the password used is simple or easily guessed, or by a phishing attack. This principle also covers issues arising from theft or loss of employee devices.

Solutions

There are many actions you can take to minimise the risk of a breach of your Google Workspace account. You may choose to employ a strict security policy through the admin panel, this could include actions like:

  • Making 2fa (two-factor authentication) which requires a user to confirm their login with a 2nd device like a mobile phone, mandatory for login.
  • Enforcing a strict password policy. Above a certain number of characters and made up of a mixture of letters, numbers and symbols. 
  • Restricting access to your Google Workspace services if the user’s behaviour is suspicious, for example a login attempt from an unusual country, or a login from an IP address associated with fraud.
  • Preventing your employees from accessing Google Workspace on non-company devices. This may limit your risk of malware on personal devices that could compromise your accounts.

You can learn more about all the different methods that you can protect your Google Workspace account on the Google Workspace website.

If you cannot afford cybersecurity expertise in your business, we would recommend that you at least seek and implement free advice. For companies in the UK advice from the government’s National Cyber Security Center can be a handy place to start.

GDPR Principle: Google Workspace and restricted data transfers

The problem

Under GDPR, data transfers to restricted countries require a transfer mechanism. For the UK GDPR this means transfers outside of the UK to countries without existing adequacy decisions. For the EU GDPR this means transfers outside of the EEA to countries without existing adequacy decisions. 

Where does Google Workspace store data?

Google Workspace stores data on Google servers in:

North America

  • USA

South America

  • Chile

Europe

  • Ireland 
  • Denmark
  • Belgium
  • Netherlands
  • Finland

Asia

  • Singapore
  • Taiwan

If you are using the default setup of Google Workspace and have not edited the permitted server locations then this means that you are likely performing restricted data transfers each day that you use Google Workspace products. 

In this situation you should have a transfer mechanism in place, since at the time of writing the third-countries (countries located outside the EEA and UK) in which data is being processed are not covered by an adequacy decision under UK GDPR or EU GDPR.

The most appropriate transfer mechanism is likely to be SCCs (Standard Contractual Clauses). These are a set of documents signed by both parties that outline what data protection mechanisms are in place. 

Some companies refer to these documents as DPAs (Data Processing Agreements). Within these DPAs you will find the relevant SCCs.

To put these in place with Google, you should visit the admin panel. Navigate to Account settings > Legal & compliance. Scroll down the list, you will come across a section with GDPR documents. You can then view the DPA and record your acceptance. You can also add in details of your supervisory authority if you are based within the UK or EEA. If you are unsure who your supervisory authority is you can use our supervisory authority directory.

Google Workplace DPA Settings Page

Note: If you are a Google Workspace enterprise customer you can change the default server location for your Workspace data. In this case you may not require SCCs if you can ensure that data is only stored and transferred to servers within the UK and EEA. You can change these settings from your Workspace admin panel or by contacting your Google Workspace support team.

After you have signed your SCCs/data processing agreement you should make sure that you have documented the steps taken to protect this data transfer. You should also make sure that appropriate disclosures are made in your privacy policy about any restricted data transfers you make

Summary

Using Google Workspace can help improve your productivity, but it can also easily turn into a GDPR nightmare if the data collected and stored within your products are allowed to get out of hand.

Applying the principles of GDPR from the outset will make your life easier.

The data minimisation principle and purpose limitation principle will reduce the maintenance work required to keep your Google Workspace use GDPR compliant. We recommend that anyone using this product within your organisation has access to training which will help them apply the principles as they go, as this can significantly reduce problems in the future.

It’s also important to remember that just because Google Workspace is a popular product and it comes from a reputable company, it does not mean that it will be GDPR compliant out of the box. 

Completing other GDPR processes like data mapping, and keeping documents like privacy policies and data transfer logs up to date will all help to improve your overall compliance, and provide a great experience for the staff, customers, and suppliers who trust you to look after their data.

We hope this guide helped you understand some of the issues that you need to be aware of and the solutions suggested support your work in improving data privacy law compliance in your organisation.