
How-to guide: Achieving digital sovereignty with Google Workspace

July 10, 2025
Josh Nathanson

Product Marketing Manager

Olivia Burgess

Senior Product Marketing Manager


According to the International Association of Privacy Professionals (IAPP), 79.3% of the world’s population is now covered by some form of national data privacy law. The proliferation of data privacy and protection laws, juxtaposed with the globalized nature of many businesses, underscores the need for all organizations to adopt a well-defined digital sovereignty strategy. Legacy productivity solutions often struggle with the increasingly complex demands of achieving true sovereignty. Google Workspace can help simplify this by offering a secure-by-design infrastructure, technical data access controls, and industry certifications, all as a cloud-native service, without the need for custom software.

This blog offers guidance to compliance and privacy officers, as well as enterprise administrators, for using Workspace to help achieve their compliance goals and meet regulatory requirements. With Assured Controls for Workspace, we firmly place customers in control over their data across the three pillars of sovereignty: data, software, and operational sovereignty. 

Establish your data sovereignty strategy

1. Understand the industry regulations that apply to the data generated within your organization. Workspace holds a comprehensive set of industry certifications and can help customers meet compliance and regulatory requirements:

  • CCPA: California state law that grants consumers rights over their personal data.

  • HIPAA: US federal law that sets standards for the use and disclosure of patient health data.

  • CSA STAR: Globally-recognized program that certifies the security posture of cloud service providers.

  • ISO 27001, 27017, 27018, 27701, 9001, 42001: Third-party verification that a company’s products, services, and processes meet international security and privacy standards. 

  • SOC 1, 2, 3: Reports that assess an organization’s controls across financial reporting, security, and privacy.

  • FedRAMP High: Highest US security authorization level for cloud service providers that manage sensitive federal data.

  • DoD IL4: A security standard for protecting Controlled Unclassified Information (CUI) and sensitive data used by US federal agencies and defense contractors. 

In addition to industry regulations, many organizations face overlapping data regionalization requirements, as detailed in the operational sovereignty section.

2. Control the geographical storage and processing of your organization’s data using data regions. You can select the US, EU, or both as your data region(s), helping to ensure that the data is stored and processed in data centers located in your selected region(s).

3. Apply client-side encryption (CSE) to keep your organization’s most sensitive data confidential with end-to-end encryption that helps to prevent any third-party entity, including Google, from decrypting your data. You own the encryption keys, and can opt to store them in a country of your choice with local Key Management Service partners, such as Thales.

Client-side encryption (CSE) allows your organization to keep its data private while maintaining full control through encryption keys.

Establish your software sovereignty strategy

1. Ensure that your data is portable for added resilience against black swan events. Workspace is certified for the SWIPO Data Portability Code of Conduct, a framework designed to facilitate data portability between cloud service providers (CSPs). This helps to ensure that customers can effectively migrate their data between SaaS and IaaS cloud environments.

2. For in-country data localization, you can export your Workspace data using local data storage. This enables you to store a copy of your Workspace data in Google Cloud Storage (GCS) buckets in a country of your choice.

3. Consider the interoperability of your data and systems, and avoid overreliance on a single vendor. Workspace APIs based on open protocols like REST and IMAP allow integration and data flow into other systems. 

You can store a copy of your data in a country of your choice with local data storage and Google Cloud Storage buckets.

Establish your operational sovereignty strategy

1. Ensure you are meeting your local data protection and privacy requirements with Workspace’s adherence to the following compliance regulations:

  • GDPR: An EU law that protects the privacy of personal data.

  • EU AI Act: A legal framework that establishes obligations for AI systems based on their potential risks and levels of impact.

2. Keep track of all Google support interactions with your data for troubleshooting purposes with Access Transparency logs.

3. Help prevent out-of-region data transfers for troubleshooting purposes by selecting the physical location (EU or US) of Google personnel with Access Management.

4. Require Google support staff to request your explicit approval before viewing support data for troubleshooting purposes with Access Approvals.

Learn more

In today’s complex regulatory environment, the need for a well-defined digital sovereignty strategy is paramount. By leveraging secure-by-design infrastructure, comprehensive compliance controls, and adherence to key data privacy and compliance regulations, Workspace can help your organization achieve digital sovereignty while also minimizing effort and cost. 

Learn more about our digital sovereignty approach, or get started with a no-cost trial. 

For more technical content, check out our eBook and view our blog post on adopting Zero Trust security.
