WHAT CAN YOU DO What are your responsibilities as a customer? 1 G Suite and Google Cloud Platform customers will typically act as the data controller for any personal data they provide to Google in connection with their use of Google’s services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Google is a data processor and processes personal data on behalf of the data controller when the controller is using G Suite or Google Cloud Platform. Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is Where should you start? performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, As a current or future customer of Google fairness and transparency, purpose limitation, data Cloud, now is a great time for you to begin minimisation, and accuracy, as well as fulfilling data preparing for the GDPR. Consider these tips: subjects’ rights with respect to their data. Familiarize yourself with the provisions If you are a data controller, you may find guidance of the GDPR, particularly how they may related to your responsibilities under GDPR by regularly differ from your current data protection obligations. checking the website of your national or lead data 2 protection authority under the GDPR (as applicable) , Consider creating an updated inventory as well as by reviewing publications by data privacy of personal data that you handle. You can use some of our tools to help identify and associations such as the International Association of classify data. Privacy Professionals (IAPP). You should also seek independent legal advice relating Review your current controls, policies, and processes to assess whether they meet the to your status and obligations under the GDPR, as only requirements of the GDPR, and build a plan a lawyer can provide you with legal advice specifically to address any gaps. tailored to your situation. Please bear in mind that nothing on this website is intended to provide you with, Consider how you can leverage the existing data protection features on Google Cloud or should be used as a substitute for legal advice. as part of your own regulatory compliance framework. Conduct a review of G Suite or Google Cloud Platform third-party audit and certification materials to see how they may help with this exercise. Monitor updated regulatory guidance as it becomes available, and consult a lawyer to obtain legal advice specifically applicable 1 to your business circumstances.  G Suite includes G Suite for Business and G Suite for Education. 2  We recommend you seek independent legal advice to determine your appropriate national or lead data protection authority. PAGE 2