This is a bold and exaggerated assertion, but since the tool is widely used by voluntary organisations that don’t want the overhead of managing their own Workspace, it deserves a little bit of attention.
OpenAI says:
Google Drive is a cloud storage and file-sharing service provided by Google. In terms of compliance with the UK General Data Protection Regulation (GDPR), it is necessary to consider several factors.
Firstly, it’s important to note that the UK GDPR is essentially the same as the EU GDPR, with some minor differences due to the UK’s exit from the European Union. Both regulations share common principles and requirements concerning the processing and protection of personal data.
When using a consumer version of Google Drive, you are subject to the terms of service and privacy policy provided by Google. Google is a data controller for the personal data you provide to them. As such, they have obligations under the GDPR and similar data protection laws to handle personal data appropriately.
Google has taken steps to comply with the GDPR and has implemented measures to protect personal data stored on Google Drive. However, the responsibility for compliance with the GDPR lies not only with Google but also with the users of Google Drive who handle personal data.
To ensure compliance, it is important to understand your obligations as a user of Google Drive. You need to ensure that you have a lawful basis for processing personal data, handle data securely, and respect the rights of individuals whose data you are processing. This includes obtaining consent if necessary, providing appropriate notice, and taking measures to protect data confidentiality, integrity, and availability.
Additionally, if you are a business or organization, you should carefully assess whether the consumer version of Google Drive is suitable for your specific compliance requirements. In some cases, you may need to consider using Google Workspace (formerly G Suite), which offers additional features and compliance options tailored for businesses.
So the assertion in the title is inaccurate and overly broad. Google, as the data controller, has implemented measures to comply with data protection regulations like the GDPR.
However, it is essential to understand the responsibilities and obligations of both the data controllers (such as Google) and the data processors (the users) when it comes to managing personal data. This includes considering the types of personal data being processed, the purposes for which it is processed, and ensuring appropriate safeguards are in place.
As a user of Google Docs and Drive, it is crucial to take responsibility for managing data containing personally identifiable information (PII). This includes considering the lawful basis for processing the data, obtaining necessary consent if required, and implementing appropriate security measures to protect the data.
Collaborators who have access to the data should also be aware of their responsibilities regarding data protection and be mindful of how they handle and share personally identifiable information.
It’s always recommended to carefully review the terms of service, privacy policy, and data processing agreements provided by Google to understand the specific measures in place and ensure compliance with data protection regulations. Additionally, consulting with legal professionals or data protection experts can provide further guidance based on your specific circumstances.
(our emphasis above)
So basically, data protection isn’t just a property of the system you use. Yet the assertion implies anything in the Google consumer cloud is structurally and systemically insecure.
In fact, until recently it wasn’t Google but Yahoo! (and services provided to BT Internet) that were structurally less than secure, e.g. not enforcing SSL/TLS to deliver emails.
But what you do as a processor of personal information is as important, regardless of the system you use. I find that the main issue with using a consumer account for business is that the typical user doesn’t separate their private business adequately or indulges in unsafe practices, e.g. using the same password for pretty much all their accounts; sharing their login details on the account; or neglecting good advice to turn on two-factor authentication, and so on and so forth.
Another favourite of mine is to hand out sensitive data management tasks to the most recent acolytes of the “I am Technophobe Club” or to staff who have just joined or are under age (and just about to go away to university).
We should be cautious too about treating a company that offers high levels of data security as inherently ethical or diligent.
Take any number of the mass communication apps we use today, whose distinctive offer or USP, “high levels of privacy through encryption”, also makes them attractive to bad actors.
Google Bard replies:
However, it is important to note that Google Drive is not a fully secure platform. There is always the risk that personal data could be compromised, either through hacking or through human error. Therefore, it is important to be aware of the risks and to take steps to mitigate them.
One way to mitigate the risks is to declare who the data controllers and processors are, and how you and your collaborators manage data which contains personally identifiable information. This will help to ensure that everyone involved in the processing of personal data is aware of their responsibilities and that the data is being handled in a compliant manner.
Here are some additional tips for managing personal data on Google Drive:
- Only share personal data with those who need to access it.
- Use strong passwords and two-factor authentication.
- Keep your software up to date.
- Back up your data regularly.
By following these tips, you can help to protect your personal data on Google Drive.