May 13, 2018
3 min read

GDPR and Google Workspace

The big day has now long passed. GDPR Day. May 25th, 2018 - a date that many of us will be hard pushed to forget. While the day has passed, we’re still hearing from clients and non-clients alike about how Google Workspace (also known as G Suite) and Google’s Cloud address the new standards. There’s lots of information out there, but we thought it would be useful to pull it together in one place...

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. If you don’t know much about The GDPR, its purpose is to strengthen the rights that individuals have regarding their personal data and aims to unify data protection across Europe, regardless of where it’s processed. As a Google Workspace customer, you may be thinking about how this affects you, given that all of your data is stored by Google.

In the video below, you can see an overview of Google's commitment to GDPR compliance across all Google Cloud Services while also highlighting some of the most important tools being used to do so.

Google’s Expertise

To ensure users' data is kept secure and private, Google employs some of the world’s foremost experts in information, application, and network security. This team looks after the company’s defence systems, develops security review processes, builds security infrastructure, and implements Google’s security policies.

Google also employs an extensive team of lawyers, regulatory compliance experts, and public policy specialists who look after privacy and security compliance.

These teams engage with users, industry stakeholders, and supervisory authorities to shape Google Workspace services in a manner that helps users meet their compliance needs.

Data Processing

Google’s data processing agreements for Workspace clearly articulate their privacy commitments to customers. These terms have evolved over the years based on feedback from users and regulators and have specifically been updated to reflect the GDPR.

Any data that users enter into Workspace will only be processed in accordance with the user’s instructions, as described in Google’s GDPR-updated data processing agreements.

Google’s Confidentiality

All Google employees are required to sign confidentiality agreements and complete confidentiality and privacy training, as well as Code of Conduct training. Google’s Code of Conduct specifically addresses responsibilities and behaviour with respect to data protection.

User Responsibilities

Google Workspace users will act as the data controller for any personal data they provide to Google in connection with their use of Google’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Google is a data processor and processes personal data on behalf of the user, who is a data controller when using Workspace - your data is your data, not Google’s.

Data controllers (Workspace users) are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.


We've helped many businesses with GDPR, but not only that. We have clients that we've helped with their security ISOs, Cyber essentials, and more. Drop your email below, and we'll reach out with how we can help you!

Stay Social

© Cobry Ltd | 0333 789 0102
24 Sandyford Place, Glasgow, Scotland, UK, G3 7NG
167/169 Great Portland Street, 5th Floor, London, W1W 5PF
Privacy Policy

Care for a towel? 👀