Gartner Research

A Framework for Working Toward GDPR Compliance While Using Google G Suite or Microsoft Office 365

Published: 03 July 2018

ID: G00353923

Analyst(s): Guy Creese, Michael Disabato

Summary

Many organizations struggle with how to comply with the GDPR when storing employee and customer data in G Suite or Office 365. This research guides technical professionals on what cloud office features can help them comply with the GDPR and what processes they must put in place themselves.

Table Of Contents

Problem Statement

The Gartner Approach

The Guidance Framework

  • Prework
    • Read the Relevant Gartner and Vendor Documentation
    • Understand the GDPR's Definition of "Personal Data"
    • Understand the Work Required Peculiar to Each Suite
  • Step 1: Meet With Legal and the Data Protection Officer
  • Step 2: Define the Principles for Personal Data Within Cloud Office
    • Step 2.1: Define Cloud Office Data Collection and Storage Strategies
    • Shrink and Consolidate the Personal Data Footprint
    • Protect Personal Data at Rest and Data in Transit
    • Step 2.2: Define Personal Data Processing Strategies
    • Recognize That You're Dealing With Two Types of Data Subjects
    • Verify That You Can Report On, Export and Delete Personal Data
    • Step 2.3: Write Down Your Personal Data Principles
  • Step 3: Update the Governance Process and Create a Review Process
  • Step 4: Verify How You Will Manage, Protect and Locate Personal Data in Cloud Office
    • Step 4.1: Supporting the Data Subject Rights
    • Step 4.2: Supporting the Data Protection Articles
    • Step 4.3: Supporting the Data Location Articles
  • Step 5: Document the Processes
  • Step 6: Define the Communications Processes and Responsibilities
    • Conditions for Consent
    • Know Who the Controller Is
    • Notification to the Data Subject for Rectification, Erasure or Restriction of Processing
    • Notification of a Data Breach to the Supervisory Authority
    • Communication of a Data Breach to the Data Subject
  • Follow-Up

Risks and Pitfalls

  • Related Guidance

Gartner Recommended Reading

©2019 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
