Is Google Workspace Cloud Legal?

Cloud computing provides convenience and market advantage to thousands of modern enterprises in Poland. However, with each successive wave of official controls, questions about how to use the cloud legally and safely keep coming back like a boomerang.

What is public cloud? 

Public cloud is a data processing service on external servers that are used by many entities simultaneously. The most popular cloud service providers are, among others Google, Microsoft, Dropbox or Amazon. 

If you do not use any Cloud Computing technology in your company yet, read more about it on our blog: 

• Google Workspace Microsoft 365 – which service to choose from?
• Google Drive – how to store corporate documents and files
• Dropbox for Gmail – how to integrate Dropbox with Google Workspace?

One of the services that provide both cloud space for data and the entire set of web applications for data processing is Google Workspace. 

Google Workspace in the light of regulations

We undertake the subject of Google Workspace compliance with applicable regulations because of to the fact that, as an official Google partner, we often receive questions related to this issue. We implement this universal suite of office applications on a daily basis in companies from many industries – including those they concern special restrictions on the protection of processed information. Thanks to this, we know what actions are taken by, among others, financial institutions, educational institutions and medical portals to ensure the security of data of their employees and clients in Google Workspace. 

Want to participate in the discussion of the Google Cloud Tools enthusiast community? Join to the largest Polish Facebook group dedicated to Google Workspace. 

To begin with, we will dispel some basic doubts: there are no legal restrictions against using Google Workspace for business. In the light of the GDPR, a company using a cloud service is a personal data controller, and a cloud computing provider is a data processor. Google provides its customers with risk prevention tools and holds international security certificates. 

However, we would like to remind you that the data controller is responsible for assessing each time whether the technical and organizational measures taken by the processor in connection with data processing are sufficient and adequate to the manner and type of personal data being processed.

So what makes the data processing processes in the company get out of control? 

The boundaries between what is allowed and what enters dangerous areas are defined by many European, local and specialised regulations. Therefore, it is worth knowing the basic risk factors:

• Badly structured contract between a cloud service provider and a data controller,
• Incorrect service configuration,
• User error
• Hacking attack, malware.

A bug, attack, theft or random accident can cause data leakage in both private and public infrastructure, so use all available preventive measures. 

How do you stay in control of your data in the cloud?

Most doubts among entrepreneurs who consider outsourcing to cloud computing are the apparent lack of control. Insufficient information on operations that take place in the cloud is a huge risk, especially for companies from the medical and financial industries.

Companies that have specialised needs to control digital processing of sensitive data, already at the stage of negotiating the terms with the supplier, should pay special attention to the agreements in the contract concluded with the supplier. The choice of the provider should be preceded by a detailed analysis of the legal requirements applicable to the data controller and an assessment of whether the selected service will meet them. The following should be taken into consideration: 

• Server location, i.e. data processing regions,
• Regulations on sharing data with subcontractors of a cloud service provider,
• Procedures for the effective deletion of data,
• Possibility of data recovery and archiving.

However, the issues of digital data processing security, which we will address in the contract, are just the beginning. It is also necessary to take appropriate action on the part of the service provider and the data controller.

Google Threat Prevention

Protecting user data is at the core of Google’s design of business services and a fundamental value that Google declares to provide. 

Safety culture at Google

To maintain the security of data in the cloud, it is necessary to control the processes taking place inside the organization that processes the data. How does Google take care of its internal security? Here are some elements of their strategy:

• Thorough checking of employees’ past,
• Regular safety training for employees,
• A team of security and privacy specialists,
• Internal security and compliance audits,
• Close cooperation with the community of researchers of digital threats. 

Malware protection

Google uses a variety of antivirus engines to detect, identify and neutralize threats in Gmail, Google Drive, and its server rooms and workstations. 

Data encryption

Google Workspace customer data is encrypted both during rest time and during transfer. The latest cryptographic solutions protect files, Email messages, chat history and other data related to our activity in applications.

Service availability

One of the risks of using external servers is the risk of failure and unavailability of data. Even short interruptions in access to the cloud service can significantly disrupt the company’s operation, so it is worth trusting suppliers with extensive experience in this matter. 

Gmail has recorded an availability of 99.984% in recent years. Maintenance, updates and changes made to Google are planned in such a way that they do not negatively affect the user experience. 

External security certificates

However, Google Workspace users don’t just rely on declarations from Google, whether they can be trusted or not. The security, privacy and compliance with the regulations of this service are confirmed by prestigious certificates issued by independent statutory auditors. 

ISO 27001

ISO 27001 is one of the most recognised safety standards. Google won it for the systems, technologies, processes and data centers that support Google Workspace. 

View certificate

ISO 27017 

ISO 27017 is an international standard for information security in cloud services.

View certificate

ISO 27018 

ISO 27018 is an international confirmation of data protection that can be used for personal identification.

View certificate

SOC 2, SOC 3, and FedRAMP

In addition to international certificates, Google has also successfully passed security controls and audits of American authorities that prepare SOC (Service Organization Controls) and FedRAMP (Federal Risk and Authorization Management Program) reports.

Administrative options that affect Google Workspace compliance with applicable regulations

On its side, Google takes many measures to ensure data protection, which it processes on behalf of its customers. However, it is the companies using the cloud that remain the data controllers and are responsible for them. That is why Google has equipped the people managing the Google Workspace instance with a number of tools that will help adjust the level of protection to the individual needs of the company. 

User authorization

Company data stored in the cloud is available on any device to which an employee logs in. Therefore, Google Workspace administrators should pay close attention to the process of authorising access to accounts. Tools that make this easier include:

• Two-step verification – admin can force an additional item to share during login which prevents the account from being hijacked.
• Security keys – U2F devices are an advanced variant of two-step verification where the user must have a physical key to log in.
• Single sign-on based on SAML 2.0 – Single sign-on (Single Sign-On) is a service that allows you to access many applications with your Google account.
• Protocols OAuth 2.0 and OpenID Connect enable SSO configuration across a wide variety of cloud solutions.

Data Handling

• IRM security (Information Rights Management) – Allow administrators to block the copy, print, and download options for any file in Google Drive.
• Google Drive audit log – monitoring user activity in the domain. Allows administrators to check logs of changes made to files stored in work Google accounts. 
• Personalised security alerts will let administrators know whenever someone performs suspicious activity in Google Drive. For example, an alert may notify the admin if a file with the word “confidential” in the title becomes shared outside the domain.
• Trusted domains – administrators can create a “white list” of domains that will not be affected by restrictions related to external file sharing.

Security of digital correspondence

• Additional encryption – Google Workspace admin can force emails sent to or from a specific domain to be encrypted using TLS protocol (layer security transport).
• Protection against phishing – Email scammers sometimes try to impersonate trusted domains to steal sensitive information. Gmail in Google Workspace supports advanced sender verification thanks to DMARC and SPF records and DKIM keys.
• Data Loss Prevention in Gmail – The DLP system in Gmail scans incoming and outgoing mail traffic for the presence of sensitive content. 
• Rules for handling controversial content – A Google Workspace administrator can set up rules to automatically reject, quarantine, or revoke messages that contain certain words. 
• Limiting the exchange of messages – admin can authorize selected domains to send and receive messages.

Archiving in the event of evidence proceedings

Google Workspace in the Business Plus and Enterprise variant provides companies with a tool helpful in the course of eDiscovery. Google Vault is a service for archiving, storing, searching and exporting data from other Google applications.

• Mail archive storage rules – the administrator can set any email storage rules for the entire domain. Such messages will remain in the archive even when the user deletes them from his inbox. 
• Search Drive and Gmail on the domain – with the help of Google Vault, the administrator can search the entire Google Workspace domain, including the content of work correspondence. 
• Evidence export – Google Vault helps collect and export evidence in the form of files, emails or chat history that the company wants to provide to law enforcement. 

Endpoint security

• Mobile device management – each device that has access to company data is assigned in the administration console. Thanks to this, the admin can quickly react to theft of the device or suspicious activity.
• Chrome browsing safety – the administrator can set the rules for logging users to browsers.
• Managing Chrome OS based devices – laptops or video conference equipment with Chrome operating system and Chrome Enterprise licenses are fully controlled by the Google Workspace administrator. 

Data recovery

• Restore a deleted Google account – The administrator can restore the account of any Google Workspace user within 5 days of its deletion.
• Data recovery from Google Drive and Gmail – Gmail correspondence and files stored on Google Drive can be retrieved by the administrator for 25 days from the moment the user deleted them from his account.

Security center

Google Workspace administrators in the Enterprise package also have access to a universal tool for protection and threat analytics. The security center allows, among others: 

• Generate security reportswhich show the current configuration and indicate methods of adjusting security to the best practices recommended by Google. 
• Identify and group up security and privacy issues in your domain.
• Monitor unusual events transparently Dashboard.

Want to see the inside of the Google Workspace Admin Console and learn the best ways to configure your settings? Check the webinar recording – The administrative console fundamentals.

Summary

Each company has different requirements for services that process the data of customers, employees and contractors. It all depends on the area in which it operates and what legal regulations apply to it. Although Google makes every effort to ensure that data processing centers function flawlessly, the administrators of the Google Workspace system have the greatest influence on security. 

Google Workspace has several variants of options, each giving administrators a different level of control over domain security. How do the protection options differ from package to package? You will find a complete comparison of all services on this page.

That is why it is so important to analyze legal regulations and risk assessment before choosing the appropriate cloud service. For example, if your company is to store data in the archive for a certain period of time in the event of an inspection, we recommend Google Workspace in the Business Plus option. On the other hand, if you need advanced monitoring of suspicious activities and have experienced system administrators on your team, you can discover the full potential of the cloud with the Enterprise package.