Notes on navigating GDPR requirements on Google Cloud

  • ISO 27018: Focuses on privacy in cloud services, aligning with GDPR encryption and consent requirements.

  • Data Processing Terms: Incorporate GDPR obligations and SCCs for international transfers.

Data residency & control

  • Data Regions: Customers pin data to specific geographies (e.g., Belgium, Netherlands).

  • Default Encryption: All data encrypted at rest and in transit; CMEK (Customer-Managed Encryption Keys) optional.

  • Access Transparency: Logs Google staff access to customer data for auditability.

Subprocessor transparency

  • Publicly lists subprocessors (e.g., Google subsidiaries, third-party vendors) with service-specific details.

  • Requires subcontractors to meet GDPR standards via contractual clauses.

Breach notification & tools

  • Security Command Center: Provides unified threat detection and compliance monitoring.

  • Incident Response: 24/7 security team with documented workflows for breach containment.

Data location

  • Configurable Services: Many GCP services (e.g., BigQuery, Cloud Storage) let customers pin data to specific Regions (e.g., Belgium, Netherlands) or Multi-Regions (e.g., EU).

  • AI/ML Data: Vertex AI and other AI services may process data globally unless using Assured Workloads to restrict locations.

Jurisdiction

  • Assured Workloads: For strict residency (e.g., EU-only), this feature enforces Resource Location Policies at the folder or project level.

  • Data Transfers: Google’s Service Terms incorporate SCCs and ISO 27018 for international transfers.

How to verify

  • Google Cloud Console: Review resource locations under “IAM & Admin” > “Resource Location.”

  • Assured Workloads Dashboard: Monitor compliance with geo-restrictions.

Detailed documentation


Last update: 2025-06-07 06:04