GDPR Compliance for Google Drive 2024


The General Data Protection Regulation is a European Union regulation on information privacy. The goal of GDPR is to improve individuals’ control over their personal data.

Does your company need to comply with GDPR? The chances are, it does – if even a small part of your client base is located in the EU. GDPR applies to all organizations that process personal data of individuals located in the EU, regardless of whether or not a company is based in the EU and even if the data is being stored or used outside the EU.


Is Google Drive compliant with GDPR?

Google Workspace, formerly known as G-Suite, upholds high standards for privacy and supports GDPR compliance. But is it compliant out of the box? As with any software, it is not – it depends on how you configure and use it.

Making sure a company’s Google Drive, filled with thousands of files spread across personal and shared drives, complies with GDPR might seem daunting. Since processing personal data is practically unavoidable these days, we have created this guide that covers GDPR’s key principles and steps you can take to ensure GDPR compliance for your company data in Google Drive.

GDPR principle: Lawfulness, fairness, and transparency

Lawfulness and fairness

This means collecting and processing data based on valid legal grounds. Typically, this involves consent, legitimate interests, fulfilling legal obligations, or fulfilling contracts.

For instance, if there’s a spreadsheet with emails and names somewhere in Google Drive, it’s unclear what the legal basis was for collecting and storing this information.

Fortunately, Google Drive labels can help. Consider creating labels to categorize files containing personally identifiable information and specifying the legal basis for processing it.


Transparency

This means that people have the right to know exactly what data you collect about them, as well as how and why it’s processed. They have the right to request a copy of their personal data, as well as request to remove it.

That is another reason to create Drive labels to classify files in Google Drive. By using labels, you can swiftly locate personal information if it’s requested and promptly remove it if needed. Setting up Drive labels is easy, and it will save you a lot of time in the long run.


GDPR principle: Purpose limitation

This means that you should only process personal information for the purpose that you originally obtained consent for. In simpler terms, avoid repurposing personal data.

Data classification in Google Drive can help here, too. Without clear labeling, it would be challenging to determine the initial intent behind collecting names and emails in an old sheet. Labeling files in Google Drive is essential to maintain clarity and ensure compliance with this GDPR principle.

GDPR principle: Data minimisation

This means that you should not collect and store more data than is necessary. In other words, under GDPR, companies should not hoard or process “nice-to-have”, “just-in-case-we-need-it” information, only that which is strictly needed.

Before collecting any personal data, ask “do we really need to know that right now?”. More data usually equals more (GDPR-related) issues.

For example, an external company you collaborate with shares a Google sheet with you that contains a large amount of personal information – for example, a guest list of a joint event your companies are planning. At this stage, you might only need basic details like names and dietary preferences. Even though the file containing excessive information was shared with you by an external partner and does not belong to you, it is now your responsibility to ensure compliance with the data minimization principle.

Do you know how many external files are shared with your organization? And how many of them contain personal information? Getting an answer to these questions in Google Admin Console is practically impossible. Reviewing and managing external files will require an additional tool, such as Florbs – File Security for Google Drive.

Minimizing the data will bring you closer to GDPR compliance, and reduce the impact of a possible data leak.


GDPR principle: Accuracy

This principle is about ensuring that the data you have is accurate and up-to-date.

One effective way to ensure data accuracy is to keep files as single copies. This is helpful because if information changes, you only need to update it in one place. Fewer copies, fewer problems. Fortunately, this is also what collaboration platforms such as Google Drive are great at.

Even in Google Drive, where many people can work on the same file simultaneously, maintaining a single copy of a file (for example, a CR record, or a sheet with contact details) can sometimes be challenging.

Consider moving as many files as possible to shared drives, where everyone who needs it can easily find it and work in it without having to create their own copy.

For the most important documents, consider restricting downloading and copying.


GDPR principle: Storage limitation

This means that you should not store data longer than necessary. It is also a good idea to remove access to data when it’s no longer necessary. Excessive access can lead to complications and risks. This aligns closely with one of the key data security principles – “Just in Time access”.

Consider setting up a security workflow that automatically unshares files after a certain time period.

Schedule reviews for the most important data: it could be specific shared drives that are known to often contain files with personal information, or files with certain keywords in the title (for example, “CV”), or files with a certain Drive label.


GDPR principle: Integrity and confidentiality

Integrity means that you need to ensure that personal data you process remains accurate and protected against manipulation by unauthorized individuals (in other words, hackers).

Confidentiality means that you have to guarantee that no one has access to personal information except the people who need it. The latter is similar to the principle of “least privilege” – a key data protection principle.

It’s not uncommon for people to share files with their private email addresses, such as @gmail.com, @hotmail.com, and so on. It could be done for convenience, or to retain access after they leave your company. 

However, private accounts are notoriously more vulnerable to hackers due to weaker security measures and access from multiple devices and locations. They’re also prime targets for hackers.

Leaked company data access through these accounts can be used by hackers to launch phishing attacks on your organization. That’s why it’s important to make sure no files containing personal information are shared with private email addresses.

How can you do that? Since this is a common issue among companies using Google Drive, we have added the functionality in Florbs to find and remove access for private accounts. This can also be made into an automatic workflow that removes sharing every once in a while for all files, or only files labeled as containing personal information.


GDPR principle: Accountability

This principle requires exactly that – you should be accountable for the proper data processing under GDPR. Not only that, you need to be able to prove that you are taking proactive measures to ensure safety and compliance of personal data under GDPR.

How do you do that?

Create proactive security measures and policies. That demonstrates proactive effort toward compliance. For example, you could create a policy that all files with the keyword “CV” in the title can only remain accessible for 6 months, and after that all sharing must be removed. To make sure the policy is implemented without error and delay, you could create an automated workflow that would unshare all files as stated in the policy.

Maintain documentation. It’s important to maintain records demonstrating the implementation of data protection policies and procedures as tangible evidence of your efforts. In the example with unsharing all files with the keyword “CV” in the title, you could demonstrate the log of all instances when the workflow was automatically activated and how many files were unshared as a result.

Conduct audits for the most important files. It’s a good idea to regularly review access to files labeled as “Contains PII” to ensure that only authorized individuals have access to sensitive personal information.
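As an added example (not part of the original article and not Florbs code), the Python below applies the two sharing rules discussed above, no access for private addresses or “Anyone with the link” and no sharing on “CV” files after 6 months, to file metadata and returns one audit record per permission to revoke. The sample data is constructed in the shape of Drive API v3 file resources; the private-domain list and the use of createdTime as the start of the 6-month clock are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions (not from the article): which domains count as "private", and
# that the 6-month clock starts at the file's createdTime.
PRIVATE_DOMAINS = {"gmail.com", "googlemail.com", "hotmail.com", "outlook.com"}
CV_RETENTION = timedelta(days=183)
# "CV" as a standalone token in the title, so "Recvd.txt" does not match.
CV_IN_TITLE = re.compile(r"(?<![a-z])cv(?![a-z])", re.IGNORECASE)

def perm(pid, ptype, role, email=None):
    return {"id": pid, "type": ptype, "role": role, "emailAddress": email}

# Constructed sample, shaped like Drive API v3 file resources with permissions.
SAMPLE_FILES = [
    {"id": "f1", "name": "CV Jane Doe.pdf", "createdTime": "2023-01-10T09:00:00Z",
     "permissions": [perm("p1", "user", "owner", "alice@example.com"),
                     perm("p2", "user", "reader", "recruiter@example.com")]},
    {"id": "f2", "name": "Guest list.xlsx", "createdTime": "2023-12-01T09:00:00Z",
     "permissions": [perm("p3", "user", "owner", "alice@example.com"),
                     perm("p4", "user", "writer", "bob.private@gmail.com"),
                     perm("p5", "anyone", "reader")]},
    {"id": "f3", "name": "CV_John.docx", "createdTime": "2023-12-20T09:00:00Z",
     "permissions": [perm("p6", "user", "owner", "alice@example.com"),
                     perm("p7", "user", "reader", "hr@example.com")]},
]

def plan_revocations(files, now):
    """Return one audit record per sharing permission that breaks a policy."""
    records = []
    for f in files:
        created = datetime.fromisoformat(f["createdTime"].replace("Z", "+00:00"))
        cv_expired = bool(CV_IN_TITLE.search(f["name"])) and now - created > CV_RETENTION
        for p in f.get("permissions", []):
            if p["role"] == "owner":
                continue  # ownership is not "sharing"; never revoke it
            domain = (p.get("emailAddress") or "").rpartition("@")[2].lower()
            if p["type"] == "anyone":
                reason = "anyone-with-link"
            elif p["type"] == "user" and domain in PRIVATE_DOMAINS:
                reason = "private-address"
            elif cv_expired:
                reason = "cv-retention-expired"
            else:
                continue
            records.append({"checked_at": now.isoformat(), "file_id": f["id"],
                            "file_name": f["name"], "permission_id": p["id"],
                            "reason": reason})
    return records

if __name__ == "__main__":
    for rec in plan_revocations(SAMPLE_FILES, datetime(2024, 1, 15, tzinfo=timezone.utc)):
        print(rec)
```

Storing the returned records alongside the result of each revocation gives the kind of log described under “Maintain documentation”.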


Additional: Restricted cross-border data transfers under GDPR

The GDPR has strict requirements when it comes to cross-border data transfers. It boils down to this: the European Commission determines whether the data protection practices of a “receiving” country are sufficient. Therefore, it is important to carefully consider where to store data, such as Google Drive files of employees after they leave your company.

The most cost-effective option for storing Google Drive files of former employees is in Google Cloud Storage. That way the data stays in your full control and you can retrieve it if necessary. Google Cloud Storage provides a variety of options for data storage locations. It is important to carefully choose locations: for example, it wouldn’t be a good idea to store files of former employees of your German branch in a Google Cloud Storage in Japan, because these two countries have different data protection regulations in place.

If your company has multiple locations in different countries around the world, you will need to create multiple “storage buckets” to store ex-employees’ Google Drive files.

Automate employee offboarding in Google Drive. It’s a good idea for multiple reasons:

  • It eliminates human error, making sure that all data in Google Drive is archived securely and without delay, blocking former employees from accessing company data after they leave.
  • It ensures compliance, since you can create workflows that archive data to the correct locations as dictated by GDPR.
  • It demonstrates your commitment to data protection and GDPR compliance. While the GDPR does not prescribe exact measures you need to take, it states that organizations must have “appropriate technical measures” in place to protect personal data.

How can Florbs help you meet GDPR requirements in Google Drive

Save time and money on GDPR compliance audits

Auditing file access in Google Admin Console is time-consuming, and worst of all – the results are incomplete. This is because Google’s auditing tools focus solely on “moving data” – files that have been opened in the past 6 months. If your company has been using Google Drive longer than 6 months, you won’t be able to audit and ensure compliance for any of the older files.

Florbs gives you a clear overview of all Google Drive file sharing in your organization. Find all files shared with “Anyone with the link”, private addresses (@gmail.com), or legacy files that have not been opened in a long time.


Data classification in Google Drive

Google Drive allows you to apply Drive labels in bulk based on keywords in the file title. With Florbs, it is possible based on other criteria, as well: for example, apply a specific label to files in a certain shared drive or folder, or organizational unit. Create a workflow that will automatically apply this label to all similar files in the future.

Automate data classification and GDPR compliance tasks

Create workflows that automatically perform data classification or remove file sharing – requiring no time or effort and without any impact on the daily work of employees.

Automate data archiving during employee offboarding

Set up automated workflows that transfer offboarded employee data to Google Drive Storage in the correct geographical location to avoid issues with cross-border data transfers under GDPR.

Improve personal data security

By making sure that files containing personal data are protected from unauthorized access, you improve your organization’s security stance. With Florbs, you can quickly find any file and remove access permissions for many files at once.

Document proactive effort towards compliance

Since all actions in Florbs (including automated workflows) are logged, during a GDPR audit you can demonstrate a record of actions taken to ensure compliance in Google Drive.

Include a GDPR disclaimer in your email signature

The right to have their data protected is important to many people, and by informing them that you are compliant with GDPR you will be building trust with your customers. This applies not only to B2B, but to B2C, as well: demonstrating GDPR compliance improves your reputation as a trustworthy business partner, reassuring other companies that you handle their data responsibly.

With Florbs Gmail signature automation you can easily manage Gmail signatures centrally for the whole organization. Design email signature templates that include an accurate legal disclaimer tailored to the specific geographical locations where your company operates. For example, a GDPR disclaimer for your EMEA office, and a CCPA disclaimer for the California office. Assign templates to all relevant employees with one click: their contact and other information will be pulled from the Google Directory automatically.

Conclusion

GDPR compliance in a collaboration platform like Google Drive is possible, but requires a correct setup. Your colleagues share files every day, but with the help of data classification and automated workflows you can ensure that personal data remains compliant and protected, without it costing you too much time and effort.
