G Suite Users: A Quick Guide on how to be ready for GDPR and Why it concerns you
GDPR (General Data Protection Regulation) is an important regulation enacted by the European Commission which will enter into force on May 25, 2018. Whether you have European customers or not, this should concern you. But why?
Have you heard the latest news on "How Trump Consultants Exploited the Facebook Data of Millions" by working with Cambridge Analytica? Up until now US authorities seemed to have a permissive posture when dealing with personal data, but the latest events have been an eye opener for everyone. Soon, laws similar to GDPR might be implemented all over the world. So how can you take measures?
Let’s start by defining what GDPR is: GDPR (General Data Protection Regulation) is an important regulation enacted by the European Commission which will enter into force on May 25, 2018. The purpose of this regulation is to protect the personal data of Europeans stored by organizations and businesses like yours. It might seem that these new regulations apply only to Europeans, but Facebook’s story shows that this is not the case, as international authorities have decided to take the matter seriously.
What are Google's obligations to the users of its services?
Google is committed to respecting the GDPR and has implemented the necessary measures in its business. All companies collecting data must adhere to 3 principles:
- Data security
- Transparency of storage and use of data
- Users' access to their data management
There are certain actions you must take in order to be compliant with the new regulation. To be compliant you essentially need to ensure the privacy and security of the stored users’ personal data, by doing the following:
1. Appoint a Data Protection Officer (DPO)
It is important that, in case of inspection, the authorities are able to contact a designated person to obtain information about your internal processes for personal data management.
Make sure to add to your console your DPO’s details and set up your G Suite console in a way that indicates your awareness of the GDPR terms:
a/ Indicate your EU representative's contact details: Go to Profile > Show more > Legal and compliance > Your EU representative details
b/ Indicate the DPO's contact details: Go to Profile > Show more > Legal and compliance > Your data protection officer details
2. Understand what kind of data you’re storing from European members
In case of inspection you may be asked to declare what you store about European nationals, and those users might as well exercise their “right to be forgotten”. Make sure you can locate this data in your information system by:
- Referencing the location of your CRM, customer files and contact lists
- Setting up a Google Drive shared folder managed by a Data Protection Officer (DPO). This folder should contain all the files with personal data. Organize such information in subfolders, and define access permissions.
- Maintaining the Drive root directory (or Team Drive) so that it lists the location of all files that include users’ personal data (including information that isn’t storable on the Drive, such as data from a CRM), in order to keep a registry of the data processing operations.
- Making sure that each member of your organization who holds this type of information has made it available to you on the shared Drive. Your DPO should eventually merge the duplicates and optimize the organization. To do this, you can conduct an internal inquiry using a Google Form to keep the DPO informed about any data collection.
The aim is to answer a very basic question: Do you need all the information you store about individuals? If you do, for how long?
For example, if people registered on your site for the sole purpose of entering a contest, you will need to destroy that data at the end of the contest. If you keep that data beyond that date, you must be able to justify it, and it must be clearly specified to the users when they sign up. Therefore, consider the principle of “less is better”, by implementing minimization at all levels of personal data collection:
- If you do not have a website to automate this process and you store this information in Google Drive, organize such data in a way that allows you to search for it easily.
- When collecting information from an individual, ask only for the information that is strictly necessary for the purpose you are proclaiming.
- Once the use of this data is complete, delete the data
- Make it easy for users to access their data: You will need to be able to tell them, at any time, what information you have about them and let them claim their “right to be forgotten” by making it easy to delete their information.
- Promote Google spreadsheets with concise column names for quick filtering
- Automate the deletion of some data through Google scripts
- If you use email as a tool for collecting personal data, be sure to focus these collections on a limited number of mailboxes (for example inquiries@our-domain.com) and use:
  - Either Google Vault to manage your information retention periods, if you are on the Business version.
  - Or the G Suite > Gmail admin console, by defining a number of days for the labels and organizations of your choice. For example, you can define that all emails received by the "legal-services@your-domain.com" box with the wording "personal requests" should be deleted automatically after 30 days.
  - You can use a Google Script to automate deletion according to the rules you define. (click here to read more)
- If a customer asks you to delete all the exchanges you had with them containing a sensitive subject, use Gmail search to easily find and delete those messages.
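The retention rule described above ("delete everything in a given label after 30 days") can be automated with a Google Apps Script running on a daily time-driven trigger. The following is an added example, not code from the original post or from Google; the label names, retention periods, the sample threads and the `purgeExpiredThreads` entry point are all assumptions, and the script is assumed to run from the account that owns the collection mailbox (e.g. inquiries@our-domain.com). The age check is kept in a pure function so the policy can be tested without touching a real mailbox.

```javascript
// Added example: Apps Script retention policy for a collection mailbox.
// Constructed policy: label name -> maximum age in days.
const RETENTION_POLICY = {
  "personal requests": 30,
  "contest entries": 14,
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Pure decision: is a thread whose last message arrived at `lastMessageDate`
// past its retention period as of `now`? Strictly older than the limit.
function isExpired(lastMessageDate, maxAgeDays, now) {
  const ageDays = (now.getTime() - lastMessageDate.getTime()) / MS_PER_DAY;
  return ageDays > maxAgeDays;
}

// Select the ids of expired threads from {id, lastMessageDate} records.
// Separated from the Gmail calls so the logic runs offline.
function selectExpired(threads, maxAgeDays, now) {
  return threads
    .filter((t) => isExpired(t.lastMessageDate, maxAgeDays, now))
    .map((t) => t.id);
}

// Gmail search query for one label. Gmail searches labels with spaces
// replaced by hyphens, and `older_than:` does coarse filtering server-side.
function buildQuery(labelName, maxAgeDays) {
  const label = labelName.trim().toLowerCase().replace(/\s+/g, "-");
  return `label:${label} older_than:${maxAgeDays}d`;
}

// Constructed sample threads (not real data) for an offline dry run.
const SAMPLE_THREADS = [
  { id: "t-old", lastMessageDate: new Date("2018-04-01T00:00:00Z") },
  { id: "t-recent", lastMessageDate: new Date("2018-05-10T00:00:00Z") },
  { id: "t-boundary", lastMessageDate: new Date("2018-04-25T00:00:00Z") },
];

// Dry run of the "personal requests" rule against the sample as of GDPR day.
function dryRun() {
  const now = new Date("2018-05-25T00:00:00Z");
  return selectExpired(SAMPLE_THREADS, RETENTION_POLICY["personal requests"], now);
}

// Entry point for the time-driven trigger. GmailApp and Logger exist only
// inside Google Apps Script; nothing here runs them at load time.
function purgeExpiredThreads() {
  const now = new Date();
  const report = [];
  for (const [labelName, maxAgeDays] of Object.entries(RETENTION_POLICY)) {
    const found = GmailApp.search(buildQuery(labelName, maxAgeDays));
    // Re-check the exact date: a thread that received a new reply is kept.
    const records = found.map((t) => ({
      id: t.getId(),
      lastMessageDate: t.getLastMessageDate(),
      thread: t,
    }));
    const expired = new Set(selectExpired(records, maxAgeDays, now));
    for (const r of records) {
      if (expired.has(r.id)) r.thread.moveToTrash();
    }
    report.push({ label: labelName, trashed: expired.size });
  }
  Logger.log(JSON.stringify(report));
  return report;
}
```

`moveToTrash()` is reversible and Gmail empties the trash on its own schedule, so the effective retention is the label's period plus the trash period; log the per-label counts (as the `report` does) so the DPO has evidence that the rule actually ran.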
If your clients have shared with you personal information such as annual income, political opinions, or religious affiliations, you may assume that they have trusted you to keep this information secure.
Therefore your responsibility is to make sure that this data is accessible only by those who are authorized to have it.
Google technologies have one of the most secure infrastructures in the world, and guarantee maximum protection of the data you store on their servers.
The data security processes used by Google are validated by the strictest certifications. To read more about the measures taken and the certifications, go to this page in your administration console.
Your DPO must be able to access all Drive's shared settings in real time so that you can always ensure that access to personal data is justified.
A few more tips:
- Set expiry dates on your Drive sharings: When you share a document or folder in Google Drive, you have the option of setting an expiration time.
- If these actions are not necessary, disable the ability to download, print, or copy these files from your shared Drive
- Centralize sharing and prevent users, other than the administrator or DPO, from sharing these files and folders from Drive.
- Find out how to operate these controls here
Whatever you’re doing with personal data, just ask yourself the following:
- Do the users from whom you have this information know that you’re storing their data? If yes, can they ask for its deletion?
- Do you need all this data?
- Until when do you need it?
- Can you guarantee them the security of their data?
Are you sharing contact directories within your domain or with others? You can read more about how to be compliant when doing it, here