Are you using Google Drive to store data for your business? With GDPR arriving, now is the time to put in place data management and security to make sure you comply. Here’s The Truth About Google Drive and GDPR:

Google Drive is a great service that lets users store files in the cloud; that is to say, on Google’s servers located in server farms dotted around the world. It stores files so that they can be accessed from multiple devices and essentially from anywhere in the world. The software is in effect free to use, but Google charges for heavy storage beyond certain limits. It also offers varying levels of backup protection in case users lose something.

Google Drive has great functionality, is very convenient and, as mentioned, is for the most part ‘free’; free, that is, if users understand that they are the product. Google unashamedly uses uploaded data to monetise and direct advertising. That’s how it makes revenue from a platform that is free to use.

The recent Facebook controversy – another platform that offers free services but uses data to profile users and direct advertising – raises questions about data security and data privacy when using these free services.

How Google Drive Does Security

Because Google Drive is so ubiquitous, its security is standard and adequate for storing lots of data, depending on the privacy levels that data needs.

  • With Google, before data leaves a device, it is encrypted using the TLS standard. This is the same standard used to encrypt browser connections to secure (HTTPS) websites. It is then uploaded to Google Drive servers.
  • After data reaches Google, it gets decrypted then re-encrypted using 128-bit AES. While not the more secure 256-bit algorithm, this is still perfectly fine for many types of data, albeit not for data that requires above-standard security and encryption.
  • The Google encryption is done in transit before the data is actually stored, which helps prevent the possible leakage of unencrypted data on its hard drives.
  • The AES encryption keys that are used to encrypt data are then, themselves, encrypted with a rotating set of master keys. This adds another layer of standard security by requiring a second set of encryption keys to get to the data.
  • This process is simply reversed when a device retrieves data from Google.
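The key hierarchy in the list above, where each file's AES key is itself encrypted under a rotating master key, is commonly called envelope encryption. The sketch below is an added example, not Google's code: the in-memory key store and all function names are assumptions, and AES-128-GCM is chosen here for the illustration. It shows that rotation re-wraps only the small data key, and that whoever holds the master keys can always decrypt the data.

```javascript
// Added example (constructed): envelope encryption with rotating master keys.
const crypto = require('crypto');

// Hypothetical in-memory master-key store: key id -> 128-bit key-encryption key.
const masterKeys = new Map();
let currentKeyId = 0;

function rotateMasterKey() {
  currentKeyId += 1;
  masterKeys.set(currentKeyId, crypto.randomBytes(16));
  return currentKeyId;
}

// AES-128-GCM helper: returns the IV, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, box) {
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  // final() throws if the ciphertext or tag was modified.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Encrypt a file under a fresh data key, then wrap that key with the current master key.
function encryptFile(plaintext) {
  const dataKey = crypto.randomBytes(16);
  const wrappedKey = seal(masterKeys.get(currentKeyId), dataKey);
  return { keyId: currentKeyId, wrappedKey, data: seal(dataKey, plaintext) };
}

// Reverse the process: unwrap the data key, then decrypt the file.
function decryptFile(record) {
  const dataKey = unseal(masterKeys.get(record.keyId), record.wrappedKey);
  return unseal(dataKey, record.data);
}

// Rotation: re-wrap only the data key; the stored file ciphertext is untouched.
function rewrap(record) {
  const dataKey = unseal(masterKeys.get(record.keyId), record.wrappedKey);
  const wrappedKey = seal(masterKeys.get(currentKeyId), dataKey);
  return { ...record, keyId: currentKeyId, wrappedKey };
}

rotateMasterKey(); // create master key 1
```
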

Other data security features of Google Drive:

  • Two-factor authentication is supported: This is a necessary and now standard feature across most similar services as passwords are stolen so easily.
  • Metadata is also encrypted while stored; this is the data about the data that’s being stored.
  • Data is encrypted when moved internally: Google encrypts all data in transit on its internal network. Again, while this is a standard security feature, it is important because data is moved so often between Google’s own data centres across the world.

All things considered, Google seems to be doing a very good job of keeping certain types of data safe from hackers. But security is only half the story. What about privacy?

Google Drive Privacy Practices

Google actively scans and analyses everything that’s uploaded. This, according to Google, is to “provide relevant product features, such as customized search results, tailored advertising, and spam and malware detection.” Mainly, it’s interested in monetizing with directed advertising after analysing data and profiling data subjects. That’s what its business model is based on.

Google also retains “a worldwide license to use, host, store, reproduce, modify, create derivative works.., communicate, publish, publicly perform, publicly display and distribute”. This license to use data specifically persists even after users stop using its services. Although it specifies that there are some services which will allow users to “access and remove” data, it is not specific in its terms of service as to which services these are.

As in the case of Facebook, this license to use data also applies to, in Google’s words, “those we work with”. This means third parties, which might include governments, social networking sites, and anyone else Google has relationships with. It doesn’t specify any further what entities this applies to.

Bottom line, if it’s on Google Drive, then it’s not private.

Google Drive and GDPR Privacy

If GDPR-level privacy is required – especially if the user is a data controller and responsible for personal data and sensitive data as well as being responsible for the actions of its data processor – then take note of Google’s terms:

Google says it simply processes the data on behalf of the data controller and it is the responsibility of the data controller to implement appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR.

This seems to be putting all the responsibilities back on the controller. However, under GDPR, data controllers must ensure proper data security arrangements are in place to protect the personal data processed; the data controller has an obligation to ensure that it engages only those processors who themselves have appropriate technical and organisational measures (TOMs) in place. How Google, as a processor, meets these GDPR requirements is not clear from its terms.

If GDPR-level privacy is required, then the infrastructure storing that data should have certain administrative, physical and technical safeguards in place:

  1. Network, or transmission, security is a paramount safeguard to protect against unauthorised access of protected data. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.
  2. Technical safeguards require access control to allow only the authorised to access electronic protected data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
  3. Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.
  4. Technical policies should also cover integrity controls, or measures put in place to confirm that protected data hasn’t been altered or destroyed.
  5. Physical safeguards include limited facility access and control, with authorized access in place. Policies must be in place about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected data.
  6. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and data can be recovered accurately and intact.

Is your company using Google Drive? Have you considered changing to meet GDPR requirements? Tell us your thoughts in the comments below. 