Google Drive and GDPR: How to Stay Compliant with GDPR Laws

Google Drive and GDPR

In business, regulatory compliance can be a huge deal. Violations can range from minimal fines all the way to such severe penalties that the business can no longer remain in operation. It’s something most companies need to take seriously. It’s also very difficult to navigate with all of the tools we use throughout our operations, Google Drive included.

One of the more prominent pieces of regulatory legislation businesses need to be aware of is the GDPR. GDPR is important, but it’s also tricky; how do you know whether or not you’re compliant?

Let’s talk about how Google Drive and GDPR work together or the conflicts they have.

What is the GDPR?

The GDPR is the General Data Protection Regulation. It’s the European Union’s answer to broad-spectrum data security and privacy concerns. In a way, it’s like a shield that protects users’ personal information from misuse. The GDPR itself isn’t software or a security control; it’s law. It sets forth rules about how companies have to handle user data, what data they can collect and track in the first place, and how they have to protect it.

Over the years, the internet has gotten more and more focused on tracking user data to, among other things, target those users with advertising. This has long since reached a point of being intrusive, and various calls for privacy protections have been heard.

Whether it’s the Right to be Forgotten or the GDPR as a whole, these measures give users ways to opt out of tracking and to trust that their personal information is protected.

The biggest impact the GDPR has had on the internet at large is obvious just about everywhere you go.

Do you know how so many websites now have a pop-up when you visit them for the first time that tells you all about the different kinds of cookies they track and the data they monitor about you? And how you have to either agree with them or jump through hoops to disable the few you can turn off before being able to use the site? That’s a repercussion of the GDPR. It’s not that sites weren’t tracking you before; it’s just that they didn’t have to disclose it or let you opt out.

What does all of this have to do with using Google Drive?

It’s actually a pretty interesting question.

Who Needs to Care About GDPR

Are you a personal user using Google Drive to manage your family photos, digital music, and homework? If so, you don’t really need to care about GDPR much beyond how it impacts you as a user and how you can use it to protect your own privacy.

GDPR is a regulation that governs businesses. However, while the regulation is European in origin, that doesn’t mean it applies only to European businesses.

GDPR Information For Businesses

Here’s who has to care about GDPR in a business sense:

  • Any business located in the European Union. It doesn’t matter whether you’re the International Monetary Fund or a solo entrepreneur running an affiliate marketing blog out of a studio apartment in Paris; you fall under the purview of the GDPR.
  • Any business dealing with European residents’ data. Don’t think that just because your business is headquartered in Silicon Valley (or the Caymans or Delaware), you’re exempt. If your business does business with European citizens – whether you’re a blogger and you have EU visitors, or you’re an Etsy seller with European customers, or you’re Coca-Cola – you need to comply with the GDPR rules.

Now, if you’re a small business located in Florida and you not only don’t operate in the EU, you can’t even sell your services there (because, say, you’re a cleaning service and only operate in Miami), then you don’t really have to care about GDPR. Online businesses, though, generally do, simply because any online business is potentially accessible to EU citizens; if you track information about your users, that information needs to be protected under GDPR rules.

If your business doesn’t collect any personal user information, then you can probably ignore it, too. Of course, that’s shooting yourself in the foot across the board since using that data is a huge part of how you can compete as a successful online business these days.

How to Use Google Drive Without Violating GDPR

If your business uses Google Drive, whether or not you’re violating GDPR depends a whole lot on how you’re using it.

The crux of the issue is centered around user data. That user data can be just about anything relevant to an individual. Some potential examples include:

  • Your hiring managers using Google Drive to share the resumes/CVs and cover letters for promising applicants to collaborate and pick candidates to interview.
  • Storing a backup copy of your email mailing list in case your primary list is somehow lost.
  • Storing customer lists and shipping information in Google Drive to maintain records.

These are a few simple examples of how a business might be using Google Drive in a way that handles user information. All of these uses fall under the purview of GDPR.

Customer Information Stored on Google Drive

On the other hand, there are plenty of ways that a business might use Google Drive without having to care about GDPR. Using it to store internal documents and files, training materials, and collaborative information is fine. Using it to store media that your marketing team is working on before it’s uploaded for ads is fine. Using it to back up company data, as long as it’s company data and not customer data, doesn’t matter to GDPR.

GDPR is all about protecting individual user data from misuse by a company. It doesn’t much care about protecting company data.

Is Google Drive Compliant with GDPR?

No, not out of the box. Google Drive, Google Workspace, and all of the other Google services are potentially compliant with GDPR, but they require some additional work on your part.

That said, most GDPR issues don’t come from Google Drive itself. They come from Gmail, Google Sheets, or other parts of Google Workspace that handle user data more directly. Of course, since these are all productivity apps, it comes down to how you use them.

For the most part, Google does its best. Google has a huge page for its cloud services focused on data protection and GDPR, which you can feel free to read through if you like.

Google Cloud and the General Data Protection Regulation

The tricky part, of course, is that Google is a service provider. It can do everything in its power to supply the tools necessary to protect user information, but the companies using its services also need to take action, and those companies are often not as proactive about it as a corporation the size of Google.

How to Stay Compliant with GDPR While Using Google Drive

If you’re concerned about GDPR, it’s really not terribly difficult to maintain compliance with regard to Google Drive specifically. Other Google apps may be a little more difficult, but overall, it’s not too bad, as long as you aren’t trying to do anything with user data that you shouldn’t be.

First, work to understand what your role under the GDPR is and what your responsibilities are. Basically, take a long, hard look at your use of user data, where that data goes, and how it’s used. Do you just store user data for records? Do you use it in your analytics and marketing? Do you take user data and process it into other forms? Any of these require you to have safeguards in place for that data.

Of course, the easiest way to make sure you’re compliant with GDPR, at least in terms of Google Drive, is simply not to put any user data on Google Drive at all. That applies to your personal Drive, your company Drive, and any Shared Drives. The less you store or handle, the easier it is to make sure it’s all secure when you do need to handle it. In fact, minimizing how much you store and use (data minimization) is itself one of the GDPR’s core principles.

Removing User Data From Google Drive

If you’re putting any form of user data into a Google Drive, then you need to make sure you have proper precautions in place. Fortunately, Google has a bunch of options and features that help here.

  • Make sure everyone uses two-factor authentication (2FA). 2FA is an added layer of security: if any of your users are phished or otherwise have their passwords compromised, the account is still protected, because the attacker can’t sign in without the second factor. You’ll also want to provide training to make sure everyone understands that 2FA codes should never be shared.
  • Use access controls. One of the core principles of access control is least privilege: every employee should have the minimum access to systems necessary to do their job, and this should be audited regularly. So, everyone who has a Google Drive account in your company should have access only to the data they need to do their job, and anyone with access to Shared Drives should only have access to the drives they need. Any time a role, responsibility, or job changes, access controls should change as well.
  • Use encryption. Google Drive already encrypts data in transit and at rest, but you can add another layer of encryption on top so that even someone with access to your Drive doesn’t have access to the data within it. This can be a hassle in some cases, but it’s important for protecting user data.
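The regular access audit mentioned above is easy to script. The following is an added example, not Filerev’s or Google’s code: it checks Drive permission records for sharing that leaves the company. The records use the field names the Drive v3 API returns for files.list, but the three files and the company domain example.com are constructed assumptions; nothing here calls the API.

```python
# Added example (not Filerev's code): flag Drive files whose permissions
# leave the company. Records use the field names that the Drive v3 API
# returns for files.list with
#   fields="files(id,name,permissions(type,role,emailAddress,domain))"
# but the data below is a constructed sample; nothing calls the API.

COMPANY_DOMAIN = "example.com"  # assumption: your Workspace domain

# Constructed sample of three files as files.list would return them.
SAMPLE_FILES = [
    {"id": "f1", "name": "customer-shipping.csv", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ops@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "f2", "name": "applicant-cvs", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "agency@partner.net"}]},
    {"id": "f3", "name": "training-deck.pdf", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]


def external_reason(perm, company_domain):
    """Return why one permission entry is risky, or None if it stays in-house."""
    kind, role = perm.get("type"), perm.get("role")
    if kind == "anyone":  # link-sharing: no login needed at all
        return f"shared with anyone who has the link ({role})"
    if kind == "domain" and perm.get("domain") != company_domain:
        return f"shared with outside domain {perm.get('domain')} ({role})"
    if kind in ("user", "group"):
        addr = perm.get("emailAddress", "").lower()
        if not addr.endswith("@" + company_domain):
            return f"shared with external {kind} {addr} ({role})"
    return None


def audit_permissions(files, company_domain=COMPANY_DOMAIN):
    """Return (file_id, name, reason) for every permission that leaves the company."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            reason = external_reason(perm, company_domain)
            if reason:
                findings.append((f["id"], f["name"], reason))
    return findings


if __name__ == "__main__":
    for file_id, name, reason in audit_permissions(SAMPLE_FILES):
        print(f"{file_id} {name}: {reason}")
```

In a real run you would replace SAMPLE_FILES with the pages returned by files.list for each Shared Drive and review every finding against the owner’s business need.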

You should also review, and emphasize, information and consent around user data.

Information means making sure your users are informed about the data you collect and how you use it. Those cookie pop-ups may be irritating, but they’re also an important part of informed consent. This isn’t directly related to Google Drive, but it does form an important part of GDPR compliance.

Consent, of course, means that the user is given the option to opt out of having their data collected and used. If you’re implementing this retroactively, you also want a means in place for records to be purged if a user chooses to opt out. You can’t legally keep using data for which a user has withdrawn consent, after all.

Another key is to have an incident response plan in place. Your Google Drives should have access controls enabled, and if unauthorized access is ever detected, you should already have a developed response for handling the breach: identify what may have been accessed, how the account was compromised, and how you can fix the issue. On top of that, audit trails can be a huge help here for compliance.

In general, using Google Drive isn’t going to automatically fail you if a GDPR audit looks your way. The key is more about ensuring restrictions on access and doing as little data harvesting as is feasible, with informed consent attached. Beyond that, this is a question you’d need to ask a lawyer, not a blog.

Can Filerev Help?

Filerev isn’t a tool designed to help with data compliance. That said, there are a few features you might be able to make use of to help you with GDPR compliance.

In particular, if your company has been using Google Drive for quite some time, it’s possible that there are files storing user data that have been lost somewhere along the way. They still exist and, if not adequately handled, can be a GDPR violation. Filerev can help you identify and remove those files. Filerev can also help you scan and audit what’s in your various shared drives and where your shared files are shared, all of which can help with compliance.

The Filerev Platform

Of course, as a web service, we have to comply with GDPR ourselves. That’s why when we scan your Drive, everything is secure and encrypted. We also don’t copy or store any of your information; all we do is provide information pulled from Google’s API and let you make decisions about the information in your Drive. 

Interested in using Filerev to clean up your Google Drive accounts, or just purge it all and start over? It’s easy to get started; just click here and sign up.

Brett Batie