Is Google Workspace compliant with current legislation?

Cloud computing provides convenience and market advantage to thousands of modern enterprises in Europe. However, with each successive wave of official compliance controls, questions about using the public cloud legally and safely keep coming back like a boomerang.

What is a public cloud? 

A public cloud is a service of data processing conducted via the Internet on external servers managed by a third-party provider and used by many entities simultaneously. The most popular cloud service providers are Google, Microsoft, Dropbox, and Amazon.

If you do not use any cloud computing technology in your company yet, read more about some easy-to-implement SaaS solutions on our blog:

• Google Workspace Microsoft 365 – which one should you choose?
• Google Drive – how to store corporate documents and files
• Dropbox for Gmail – how to integrate Dropbox with Google Workspace?

One of the services that provide cloud storage for data and the complete set of web applications for communication and file editing is Google Workspace. 

Google Workspace in the light of regulations

We undertake the subject of Google Workspace compliance with applicable regulations because we often receive questions related to this issue as an official Google Cloud partner. We implement this universal suite of office applications daily in companies from various industries – including those that need to be concerned with special restrictions on the protection of processed information. Thanks to a wide range of customers, we know what actions are taken by, among others, financial institutions, educational institutions, and medical portals to ensure the security of data processed in Google Workspace. 

To begin with, we will dispel some fundamental doubts: there are no legal restrictions against using Google Workspace for business. In the light of the GDPR, a company using a cloud service is a personal data controller, and a cloud computing provider is a data processor. Google supplies its customers with risk prevention tools and holds international security certificates. 

However, remember that you, as the data controller, are responsible for assessing whether the technical and organisational measures taken by the processor in connection with data processing are sufficient and adequate for the manner and type of personal data you’re processing.

So what could make the data processing procedures in the company get out of control?

Various European, local, and specialised regulations define the boundaries between what is allowed in the cloud and what enters dangerous areas. Therefore, it is worth knowing the basic risk factors:

• A poorly structured contract between a cloud service provider and a data controller;
• Incorrect service configurations;
• User errors;
• Hacking attacks, malware.

A bug, attack, theft, or random accident can cause data leakage in private and public infrastructure, so use all available preventive measures.

How do you stay in control of your data in the cloud?

The apparent lack of control is the most prevalent doubt among entrepreneurs who consider outsourcing to a public cloud. Insufficient information on operations in the cloud is a considerable risk, especially for companies in the medical and financial industries.

Companies that have specialised needs to control the digital processing of sensitive data should pay special attention to the agreements in the contract concluded with the supplier. The choice of the provider should be preceded by a detailed analysis of the legal requirements applicable to the data controller and an assessment of whether the selected service will meet them. Always take into consideration the following factors:

• Server location, i.e. data processing regions;
• Regulations on sharing data with subcontractors of a cloud service provider;
• Procedures for the effective deletion of data;
• Possibility of data recovery and archiving.

However, the digital data processing security issues you will address in the contract are just the beginning. As a data controller, you need to take appropriate action to adjust service configuration to the security requirements of your business. The cloud provider also should constantly be working to uphold the physical safety of data centres and create a transparent environment for clients’ operations.

Threat prevention at Google Cloud

Protecting user data is at the core of Google’s design of business services and a fundamental value that Google declares to provide.

Google Cloud’s culture of safety

To maintain data and infrastructure security, a cloud service provider needs to take the control procedures inside the organization seriously. How does Google take care of its internal security? Here are some elements of their strategy:

• Thorough checking of employees’ past,
• Regular safety training for employees,
• A team of security and privacy specialists,
• Internal security and compliance audits,
• Close cooperation with the community of researchers of digital threats. 

Malware protection

Google uses a variety of antivirus engines to detect, identify, and neutralise threats in Gmail, Google Drive, as well as its server rooms and workstations.

Data encryption

Google Workspace customers’ data is encrypted both in transit and at rest. The latest cryptographic solutions protect files, email messages, chat history, and other data related to your activity in applications.

Service availability

One of the dangers of using external servers is the risk of failure and unavailability of data. Even short interruptions in access to the cloud service can significantly disrupt the company’s operation, so trust only suppliers with extensive experience and reliable SLA (Sevice Level Agreement) terms.

The guaranteed uptime of Google Workspace is 99.9%, and Google is keeping its promise. Gmail has recorded an availability of 99.984% in recent years. Maintenance, updates and changes made to cloud apps are planned so that they do not negatively affect the user experience.

External security certificates

However, Google Workspace users don’t need to rely solely on declarations from Google. The security, privacy and compliance with the regulations of this service are confirmed by prestigious certificates issued by independent statutory auditors.

ISO 27001

ISO 27001 is one of the most widely recognised safety standards. Google achieved it for the systems, technologies, processes, and data centres that support Google Workspace.

View certificate

ISO 27017 

ISO 27017 is an international standard for information security in cloud services.

View certificate

ISO 27018 

ISO 27018 is an international confirmation of the protection of data that can be used for personal identification.

View certificate

SOC 2, SOC 3, and FedRAMP

In addition to international certificates, Google has also successfully passed security controls and audits of American authorities that prepare SOC (Service Organization Controls) and FedRAMP (Federal Risk and Authorization Management Program) reports.

Administrative options that affect Google Workspace’s compliance with applicable regulations

On its side, Google takes many measures to ensure data protection, which it processes on behalf of its customers. However, the companies using the cloud remain the administrators and are responsible for data. That is why Google has equipped the people managing the Google Workspace instance with many tools that will help adjust the level of protection to the company’s individual needs.

User authorization

Company data stored in the cloud is available on any device an employee logs in. Therefore, Google Workspace administrators should pay close attention to the process of authorising access to accounts. Tools that make this more straightforward include:

• Two-step verification – requires validation with an additional device during login, which adds another prevention layer against account hijacking.
• Security keys – U2F devices are an advanced variant of two-step verification where the user has a physical key (a device looking like a USB flash drive) to log in.
• Single sign-on based on SAML 2.0 – SSO (Single Sign-On) is a service that allows you to access many applications with your Google account.
• Protocols OAuth 2.0 and OpenID Connect – enable SSO configuration across a wide variety of cloud solutions.

Data handling

• IRM security (Information Rights Management) allows administrators to disable the copy, print, and download options for any file in Google Drive.
• Google Drive audit log for monitoring user activity in the domain allows administrators to check records of changes made to files stored in work Google accounts. 
• Personalised security alerts will let administrators know whenever someone performs suspicious activity in Google Drive. For example, an alert may notify the admin if a file with the word confidential in the title becomes shared outside the domain.
• Trusted domains – administrators can create a white list of safe domains that will not be affected by restrictions related to external file sharing. 

Security of digital correspondence

• Additional encryption – Google Workspace admin can force emails sent to or from a specific domain to be encrypted using TLS protocol (Transport Layer Security).
• Protection against phishing – Email scammers sometimes try to impersonate trusted domains to steal sensitive information. Gmail in Google Workspace supports advanced sender verification thanks to DMARC, SPF records, and DKIM keys.
• Data Loss Prevention in Gmail – The DLP system in Gmail scans incoming and outgoing mail traffic for the presence of sensitive content. 
• Rules for handling controversial content – A Google Workspace administrator can set up rules to automatically reject, quarantine, or revoke messages that contain specific words. 
• Limiting the exchange of messages – admin can authorise selected domains to send and receive messages.

Archiving in the event of evidence proceedings

Google Workspace in the Business Plus and Enterprise variant provides companies with a tool helpful in the course of eDiscovery. Google Vault is a service for archiving, storing, searching and exporting data from other Google applications.

• Mail archive storage rules – the administrator can set custom email retention rules for the entire domain. Retained messages will remain in the archive even when users delete them from their inboxes. 
• Search Drive and Gmail on the domain – with the help of Google Vault, the administrator can search the entire Google Workspace domain, including the content of work correspondence. 
• Evidence export – Google Vault helps collect and export evidence in files, emails, or chat history that the company wants to provide to law enforcement. 

Endpoint security

• Mobile device management – each device with access to company data is listed in the administration console. Thanks to this, the admin can quickly react to the theft or suspicious activity of the device.
• Chrome browsing safety – administrators can set the rules for logging users to browsers.
• Managing Chrome OS-based devices – laptops or video conference equipment with Chrome operating system and Chrome Enterprise licenses are fully controlled by the Google Workspace administrator. 

Learn more about Mobile device management in Google Workspace.

Data recovery

• Restore a deleted Google account – The administrator can restore the account of any Google Workspace user within five days of its deletion.
• Data recovery from Google Drive and Gmail – Gmail correspondence and files stored on Google Drive can be retrieved by the administrator for 25 days after the user deletes them from their account.

Security centre

Google Workspace administrators in the Enterprise package also have access to universal protection and threat analytics tool. The security centre allows, among others: 

• Generate security reports which show the current configuration and indicate methods of adjusting security to the best practices recommended by Google. 
• Identify and group up security and privacy issues in your domain.
• Monitor unusual events transparently Dashboard.

Summary

Each company has different requirements for services that process the data of customers, employees and contractors. It all depends on the area in which it operates and what legal regulations apply to it. Although Google makes every effort to ensure that data processing centres function flawlessly, the administrators of the Google Workspace system have the most significant influence on security.

Google Workspace has several variants of options, each giving administrators a different level of control over domain security. How do the protection options differ from edition to edition? You will find a complete comparison of all services on this page.

It is vital to analyse legal regulations and assessment before choosing the appropriate cloud service. For example, suppose your company is to store data in the archive for a certain period in the event of an inspection. In that case, we recommend Google Workspace in the Business Plus option. On the other hand, if you need advanced monitoring of suspicious activities and have experienced system administrators on your team, you can discover the full potential of the cloud with the Enterprise package.