Get ready for GDPR compliance for Google Suite

Published on 12 October 2017 by Tomislav Rozman

For: Google Apps business users, CIOs, CISOs

Reading time: 4 min

This morning I received an email from Google about GDPR. Until now I haven't focused much on this topic, but now I have to, because 1) I run a business and use Google Suite and 2) I deal with customers' data.

As you may already know, the GDPR, the most significant piece of EU data protection legislation to date, applies from 25 May 2018.

If your business uses Google Suite (Google Apps, Drive, Docs, Mail, …), you can get ready now: Google is rolling out its Data Processing Amendment 2.0, which reflects the GDPR.

What do you have to do?

Just log in to your G Suite admin account and update your company details under Company profile > Profile > Legal Compliance.

For now, you just need to specify details for the following roles: "EU representative" and "DPO (Data Protection Officer)". Note that not every business must appoint these: an EU representative is required only for controllers and processors not established in the EU (Article 27), and a DPO is mandatory only in the cases listed in Article 37 (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special categories of data), although you may appoint one voluntarily.

Why is this needed?

To protect the personal data of natural persons, in this case the data of your customers, when it is stored or processed in your Google Suite. Under the Data Processing Amendment, Google acts as data processor and your business remains the data controller, so Google needs to know who your designated EU representative and DPO are.

What are the next steps?

What are the next steps for businesses that use Google Suite (or store customer data in other systems)?

  1. Educate yourself. First, read (or at least skim) the original GDPR text. I know it is a lengthy document. Reading short FAQ articles about GDPR on LinkedIn is a first step, but it is not enough; you have to go to the source, especially if your role is CIO (Chief Information Officer) or CISO (Chief Information Security Officer).
  2. Educate your employees.
  3. Adapt the processes that have touchpoints with your customers, e.g. marketing, customer onboarding, opt-in and opt-out, customer data transfer, customer service, helpdesk, post-sales support and similar.
  4. Adapt your internal processes, especially those that include activities processing your customers' data (e.g. marketing actions, customer segmentation, communication, other processing).

In short, your processes should reflect 'lawfulness, fairness and transparency' (the first processing principle, Article 5(1)(a)) when dealing with customer data.

Terminology

GDPR = General Data Protection Regulation (Regulation (EU) 2016/679)

Customer EU representative = A natural or legal person established in the EU who is designated in writing, where applicable, to represent a customer (controller or processor) not established in the EU with regard to its obligations under the GDPR (Article 27)

DC (Data Controller) = The natural or legal person, authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

DP (Data Processor) = The natural or legal person, authority, agency or other body which processes personal data on behalf of the controller (Google, for the data you keep in Google Suite)

DPO (Data Protection Officer) = A person designated by the controller or processor who informs and advises on, and monitors compliance with, the provisions of the GDPR

Further reading