Google Cloud Whitepaper July 2019  Singapore’s Personal Data Protection Act  



 

Table of contents 

Introduction 3 

Personal Data Protection Act overview 4
Key terms & concepts 5
Data intermediaries under the PDPA 6
9 data protection obligations 7

Google Cloud data protection overview & the Shared Responsibility Model 8
Google Cloud's approach to data protection and privacy 9
Google Cloud's approach to data security 11
The Shared Responsibility Model 14

Google Cloud and the PDPA 15
Data intermediary compliance with the PDPA 16
Our internal compliance-focused teams 16
Google Cloud's certifications and independent third-party attestations 17
Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities 19

Frequently asked questions 28
Does the PDPA impose data breach notification requirements? 28
Does the PDPA permit cross-border transfers of personal data? 29
What terms and conditions do we provide our customers regarding data protection? 30
What is the Cybersecurity Act of 2018 and what does it require for cloud service providers (CSPs)? 31
Does Singapore have industry-specific privacy laws or regulations? 32

Conclusion 33

Additional resources 34

Disclaimer: This whitepaper applies to Google Cloud products described at cloud.google.com. The content contained herein is correct as of July 2019 and represents the status quo as of the time it was written. Google's security policies and systems may change going forward, as we continually improve protection for our customers.

 


 

Introduction 

Singapore is a global tech epicenter, topping the rankings of the 2017 Global Smart City Performance Index. In addition, the city-state has launched the Digital Economy Framework for Action to make it the world's leading digital economy and a Smart Nation.

Cloud computing is an integral element of Singapore's digital objectives. As a result of governmental authorities' strong promotion of cloud adoption across the economy, the city-state led the Asia-Pacific region in the Asia Cloud Computing Association's 2018 Cloud Readiness Index. The 2018 BSA Global Cloud Computing Scorecard ranked Singapore sixth out of 24 leading IT economies for its cloud computing preparedness based on its legal and regulatory environment, including its data protection regime.

Singapore's Personal Data Protection Act (PDPA) governs the collection, use, disclosure, and care of personal data, as described in the official Quick Guide to the PDPA. At the core of the PDPA are the 9 Main Data Protection Obligations, which attempt to strike a balance between individuals' rights to protect their personal data and organizations' needs for this data for legitimate and reasonable business purposes.

Like Singapore, Google Cloud is a world leader with its Google Cloud Platform (GCP), G Suite services, and advanced data protection controls. With Google Cloud as their trusted partner, our customers can gain the strategic benefits of cloud computing, backed by our robust information protection and privacy infrastructure. In fact, Forrester Research recently named Google Cloud as a leader among public cloud platforms in native security capabilities and features. Moreover, GCP and G Suite are both certified as compliant with the highest security level of the city-state's Multi-Tier Cloud Security (MTCS) Singapore Standard 584. As a result, approximately 114 Google Cloud services and 20 data center sites have MTCS Tier 3 certifications, highlighting Google Cloud's ongoing and continuous commitment to ensuring sound operational and security controls across all three service models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS).

 


 

This whitepaper provides information to our customers about the PDPA and how Google Cloud leverages Google's industry-leading data privacy and security capabilities to store, process, maintain, and secure customer data. We are committed to partnering with our customers so they can deploy workloads using GCP and G Suite for their productivity needs in a manner that aligns with the PDPA's requirements. We explain our data protection features, how they map to the PDPA's requirements, and how we share compliance responsibilities with our customers.

 

Personal Data Protection Act overview 

Purpose of the PDPA

"To govern the collection, use and disclosure of personal data by organizations in a manner that recognises both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances."

The PDPA applies to the processing of personal data by organizations within Singapore, even where an organization might collect the personal data overseas and transfer it into the city-state. The Personal Data Protection Commission (the Commission) administers, promotes, and enforces the PDPA. To learn more, refer to the Act and related subsidiary legislation and the Commission's guidance.

Cloud users should ensure that they fully comply with the PDPA; thus, we encourage them to utilize the Commission's recommended steps to manage personal data, Data Protection Starter Kit, PDPA Assessment Tool, Guide to Developing a Data Protection Management Programme, and Guide to Data Protection Impact Assessments.

This section defines the PDPA's key terms and concepts. In particular, we briefly describe the PDPA's 9 Main Data Protection Obligations. To learn more, see the Act, the Commission's Overview of the Obligations, and the Advisory Guidelines for Key Concepts in the PDPA.

Topics

Key terms & concepts
  Key term definitions
  Key concepts

Data intermediaries under the PDPA
  Data intermediary obligations
  Google Cloud as a data intermediary

9 Main Data Protection Obligations
  Collection, use, and disclosure of personal data requirements
    The Notification Obligation
    The Consent Obligation
    The Purpose Limitation Obligation
  Accountability requirements
    The Openness Obligation
    The Access and Correction Obligations
  Care of personal data requirements
    The Accuracy Obligation
    The Protection Obligation
    The Retention Limitation Obligation
    The Transfer Limitation Obligation

 

 

Key terms & concepts 

Key term definitions

The PDPA explicitly defines the following terms:

Personal data: Data, "whether true or not, about an individual who can be identified - from that data; or from that data and other information to which the organization has or is likely to have access."

Organization: Any "individual, company, association or body of persons, corporate or unincorporated, whether or not - formed or recognised under the law of Singapore; or resident, or having an office or a place of business, in Singapore."

Processing: The "carrying out of any operation or set of operations in relation to the personal data," including, but not limited to, recording; holding; organization, adaptation, or alteration; retrieval; combination; transmission; erasure or destruction.

Data intermediary: An "organization which processes personal data on behalf of another organization but does not include an employee of that other organization."

 


 

Key concepts 

Although the PDPA does not define the following concepts, the Commission provides explanatory guidance on interpreting them:

Purpose: The term refers to an organization's "objectives or reasons" for collecting, using, or disclosing personal data, not the activities it may intend to take with that data.

Reasonable: In attempting to comply with the PDPA, organizations must "act based on what a reasonable person would consider appropriate in the circumstances." The "reasonable person" concept is an "objective standard" and essentially represents "a person who exercises the appropriate care and judgment in the particular circumstances."

Data intermediaries under the PDPA

Data intermediary obligations 

A data intermediary processes data on another organization's behalf. Where the processing contract is evidenced or in written form, the organization and the data intermediary have different responsibilities:

Organization: The organization bears the same obligations under the PDPA as if it processed the personal data itself.

Data intermediary: The data intermediary needs to only comply with the PDPA provisions classified as the "Protection Obligation" and the "Retention Limitation Obligation" (explained below). However, the data intermediary must comply with all of the PDPA's data protection obligations where it engages in other activities that do not constitute processing on behalf of or for the purposes of the organization pursuant to the contract.

 

Google Cloud as a data intermediary 

Google Cloud qualifies as a data intermediary under the PDPA because it processes personal data on behalf of, or for the purposes of, the organization pursuant to a contract for cloud services. As a result, Google Cloud needs to comply with the PDPA's Protection and Retention Limitation Obligations. A subsequent section of this paper explains how Google Cloud satisfies its own PDPA obligations and how it helps customer organizations meet their PDPA obligations.

 


 

9 data protection obligations

Organizations that handle and control personal data must comply with the obligations under the PDPA. The 9 Main Data Protection Obligations can be classified as shown in the table below.

Category  Obligations

Collection, use, and disclosure of personal data
● Notification
● Consent
● Purpose limitation

Accountability
● Openness
● Access to and correction of personal data

Care of personal data
● Accuracy
● Protection
● Retention limitation
● Transfer limitation

 

    

 


 

Google Cloud data protection overview & the Shared Responsibility Model 

Google Cloud's robust security and privacy controls give customers the confidence to utilize GCP and G Suite in a manner aligned with the requirements of the PDPA. Moreover, we are constantly working to expand our privacy and security capabilities. To help customers with compliance and reporting, Google shares information and best practices, and provides easy access to documentation.

In this section, we describe our comprehensive data protection and privacy capabilities and our robust data security features most relevant to the PDPA. We then explain how we share security and compliance responsibilities according to the Shared Responsibility Model.

Topics

Google Cloud's approach to data protection and privacy
  Data privacy trust principles
  Dedicated privacy team
  Data access and customer control
  Restricted access to customer data
  Law enforcement data requests

Google Cloud's approach to data security
  Strong security culture
  Security team
  Trusted infrastructure
  Infrastructure redundancy
  State-of-the-art data center security
  Data encryption
  Cloud-native technology

The Shared Responsibility Model

 


 

Google Cloud’s approach to data protection and privacy 

Data protection and privacy are fundamental to Google. We design our products and services from the start with privacy and trust as guiding principles. Google Cloud works to ensure the protection and privacy of customers' data in three ways: 1) we provide superior data protection through a secure core infrastructure that is designed, built, and operated to help prevent threats; 2) we give customers robust security controls to help them meet policy, regulatory, and business objectives; and 3) we work to fulfill our compliance responsibilities and to make compliance easier for our customers.

Data protection and privacy trust principles 

We want our customers to feel confident when using GCP and G Suite products. We believe that trust is created through transparency, and we want to be open about our commitments and offerings to our customers when it comes to protecting their data in the cloud.

Our commitments to you about your data

Your data is critical to your business, and you take great care to keep it safe and under your control. We want you to feel confident that taking advantage of G Suite and Google Cloud Platform doesn't require you to compromise on security or control of your business's data. At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.

When you use G Suite or Google Cloud Platform, you can:

1. Know that your security comes first in everything we do. We promptly notify you if we detect a breach of security that compromises your data.

2. Control what happens to your data. We process customer data according to your instructions. You can access it or take it out at any time.

3. Know that customer data is not used for advertising. You own your data. Google Cloud does not process your data for advertising purposes.

4. Know where Google stores your data and rely on it being available when you need it. We publish the locations of our Google data centers; they are highly available, resilient, and secure.

5. Depend on Google's independently-verified security practices. Our adherence to recognized international security and privacy standards is certified and validated by independent auditors, wherever your data is located in Google Cloud.

6. Trust that we never give any government entity "backdoor" access to your data or to our servers storing your data. We reject government requests that are invalid, and we publish a transparency report for government requests.

To learn more about our commitments to safeguarding customer information, refer to the Google Cloud Privacy page. See data processing terms for G Suite and Google Cloud Platform for further details.

 


 

 

Dedicated privacy team 

The Google privacy team operates separately from product development and security organizations, but participates in every Google product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. They help release products that reflect strong privacy practices: transparent collection of user data, providing users and administrators with meaningful privacy configuration options, and continuing to be good stewards of any information stored on our platform. To learn more about our privacy team, refer to the privacy team section of the Google security whitepaper.

Data access and customer control 

Google Cloud customers own their data, not Google. Google will only process customer data in accordance with contractual obligations. We also provide customers with solutions that allow granular control of resource permissions. For example, using Cloud Identity and Access Management, customers can map job functions to groups and roles so users only access the data they need to get the job done. Furthermore, customers may delete customer data from our systems or take it with them if they choose to stop using our services.
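The least-privilege pattern described above (job functions mapped to groups and roles) is something a customer can verify on their side of the shared responsibility model. The following is an added example, not code from the whitepaper or from Google: it audits a Cloud IAM policy document in the JSON layout returned by `gcloud projects get-iam-policy --format=json` and flags bindings that depart from that pattern. The policy below is constructed for illustration, and the severity labels and the choice of which roles count as "broad" are the example's own assumptions.

```python
"""Audit a Cloud IAM policy for departures from the group-and-role pattern.

Added example (not Google's code). Input is a policy document in the shape
produced by `gcloud projects get-iam-policy --format=json`: a list of
bindings, each mapping one role to a list of members.
"""
import json

# Basic (primitive) roles grant broad project-wide access. Binding them to
# individual principals contradicts "users only access the data they need".
# Treating exactly these three as "broad" is this example's assumption.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Public principals: anyone on the internet, or any Google-authenticated account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not a real project's policy).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:analysts@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:bob@example.com", "group:analysts@example.com"]},
    {"role": "roles/viewer",
     "members": ["allUsers"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
"""


def audit_policy(policy):
    """Return findings as (severity, role, member, reason) tuples.

    Checks, in priority order, for each member of each binding:
      1. a public principal (high), regardless of role;
      2. a broad basic role bound to any principal (high);
      3. a user bound directly rather than through a group (medium).
    Group bindings to fine-grained roles produce no finding.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("high", role, member, "public principal"))
            elif role in BROAD_ROLES:
                findings.append(("high", role, member, "broad basic role"))
            elif member.startswith("user:"):
                findings.append(("medium", role, member,
                                 "user bound directly; prefer a group"))
    return findings


def audit_policy_json(text):
    """Parse a policy document from JSON text and audit it."""
    return audit_policy(json.loads(text))


def summarize(findings):
    """Count findings per severity, always reporting both levels."""
    counts = {"high": 0, "medium": 0}
    for severity, _role, _member, _reason in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_policy_json(SAMPLE_POLICY_JSON)
    for severity, role, member, reason in results:
        print(f"[{severity}] {role} -> {member}: {reason}")
    print(summarize(results))
```

On the constructed policy the audit reports three high findings (the owner binding to a user, the editor binding to a service account, and the viewer binding to allUsers) and one medium finding (a user bound directly to a fine-grained role), while the group bindings pass. The same function can be pointed at a real exported policy; extending the check to organization- or folder-level policies is a matter of feeding it those documents.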

Restricted access to customer data 

To keep data private and secure, Google logically isolates each customer's data from that of other customers and users, even when the data is stored on the same physical server. Only a small group of Google employees has access to customer data pursuant to explicit reasons based on job function and role. Any additional access is granted according to stringent procedures and tracked through audit records. In fact, GCP is the only cloud service provider (CSP) to offer near real-time logs when its administrators access customers' content through Access Transparency.

 


 

Google Cloud's approach to data security

In this section, we provide an overview of the organizational and technical controls that we use to protect your data at Google Cloud. Please refer to the Google security whitepaper and the Google Cloud Security and Compliance whitepaper for additional information on our security practices.

Strong security culture 

Security is central to Google culture. It is reinforced in employee security training and company-wide events to raise awareness and drive innovation in security and privacy.

To learn more about our security culture, refer to the security culture sections in our Google security whitepaper and our Google Cloud Security and Compliance whitepaper.

Security team 

Google employs more than 850 security professionals, including some of the world's foremost experts. This team maintains the company's defense systems, develops security review processes, builds security infrastructure, implements Google's security policies, and actively scans for security threats. Our team also takes part in research and outreach activities to protect the wider community of Internet users, beyond just those who choose Google solutions. Our research papers are available to the public. As part of our outreach efforts, we have a team known as Project Zero that aims to prevent targeted attacks by reporting bugs to software vendors.

In addition, our security team works 24/7 to quickly detect and resolve potential security incidents. Our security incident management program is structured around industry best practices and tailored into our "Incident Management at Google (IMAG)" program, which is built around the unique aspects of Google and its infrastructure. We also test our incident response plans regularly, so that we always remain prepared.

To learn more, refer to the security team, vulnerability management, and monitoring sections in the GCP security whitepaper. In addition, refer to the security team, vulnerability management, and monitoring sections in the Google Cloud Security and Compliance whitepaper.

   

 


 

Trusted infrastructure 

We conceived, designed, and built Google Cloud to operate securely. Google is an innovator in hardware, software, network, and system management technologies. We custom design our servers, proprietary operating system, and geographically distributed data centers. Using "defense in depth" principles, we have created an IT infrastructure that is more secure and easier to manage than most other deployment options. Our infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. We ensure the security of this infrastructure in progressive layers, starting from the physical security of our data centers, building with underlying security-designed hardware and software, continuing with secure service deployment, secure data storage, and secure internet communication, and finally, operating the infrastructure in a secure fashion.

To learn more, refer to the Google Cloud Infrastructure Security Design Overview, as well as the GCP Data Processing and Security Terms, Appendix 2: Security Measures and G Suite Data Processing Amendment, Appendix 2: Security Measures.

Infrastructure redundancy 

Google's infrastructure components are designed to be highly redundant. This redundancy applies to server design and deployment, data storage, network and Internet connectivity, and the software services themselves. This "redundancy of everything" creates a robust solution that is not dependent on a single server, data center, or network connection. Our data centers are geographically distributed to minimize the effects of regional disruptions on global products, such as natural disasters and local outages. In the event of hardware, software, or network failure, platform services and control planes are capable of automatically changing configuration so that customers can continue to work without interruption. Our highly redundant infrastructure also helps customers protect themselves from data loss. Customers can create and deploy our cloud-based resources across multiple regions and zones, allowing them to build resilient and highly available systems. To learn more, refer to the low latency and highly available solution in the Google security whitepaper and the Google Cloud Security and Compliance whitepaper.

 


 

State-of-the-art data center security

Google data centers feature layers of physical security protections. We limit access to these data centers to only a very small fraction of employees and have multiple physical security controls to protect our data center floors such as biometric identification, metal detection, vehicle barriers, and custom-designed electronic access cards. We monitor our data centers 24/7/365 to detect and track intruders. Data centers are routinely patrolled by experienced security guards who have undergone rigorous background checks and training. To learn more, refer to our Data Center Innovation page.

Data encryption 

Google encrypts data at rest and encrypts data in transit, by default. The type of encryption used depends on the OSI layer, the type of service, and the physical infrastructure component. By default, we encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of Google. To learn more, refer to the Encryption in Transit in Google Cloud whitepaper.

Cloud-native technology 

We continue to invest heavily in security, both in the design of new features and the development of cutting-edge tools for customers to more securely manage their environments. Some examples are the Cloud Security Command Center for GCP and the G Suite Security Center for G Suite, which bring actionable insights to security teams by providing security analytics and best practice recommendations from Google, and VPC Service Controls, which help to establish virtual security perimeters for sensitive data. To learn more about our security technologies, refer to our security products & capabilities page.

   

 


 

The Shared Responsibility Model 

Under the Shared Responsibility Model, the cloud customer and its CSP share the responsibilities of managing the IT environment, including those related to security and compliance. As a trusted partner, Google Cloud's role in this model includes providing services on a highly secure and controlled platform and offering a wide array of security features from which customers can benefit. Shared responsibility enables our customers to allocate resources more effectively to their core competencies and concentrate on what they do best. Although the Shared Responsibility Model does not remove the accountability and risk from customers using Google Cloud services, we help by operating and controlling system components and physically controlling facilities. Moreover, using our cloud services is a more cost-effective approach for customers because we manage a substantial portion of the security and compliance efforts. The figure below visually demonstrates an example of the Shared Responsibility for IaaS, PaaS, and SaaS offerings. Keep in mind that responsibilities will vary depending on the specific services being used.

 

 


 

Google Cloud and the PDPA  

The Personal Data Protection Commission (the Commission) advises organizations that they may bear responsibility if their service providers violate the PDPA. The Commission recommends that an organization ensure that the contract with a service provider contain provisions requiring the service provider to take sufficient measures to comply with the PDPA. Additionally, organizations should establish standard operating procedures for the service provider's handling of personal data and initiate processes to monitor the provider's compliance with the standard operating procedures.

Compliance is built upon our security and privacy infrastructure. We are committed to complying with applicable data protection laws and undergo regular audits, maintain certifications, provide industry-standard contractual protections, and share tools and information with customers. Google Cloud continues to make significant investments in security, privacy, and compliance management to support customers in meeting their current and emerging regulatory compliance and risk management obligations. Our approach to supporting regulatory compliance includes collaborating with customers to understand and address their specific compliance obligations, delineating responsibilities, conducting internal and independent audits, and delivering transparency.


 

Topics

Data intermediary compliance with the PDPA

Our internal compliance-focused teams

Google Cloud's certifications and independent third-party attestations
  Multi-Tier Cloud Security Singapore Standard 584
  ISO 27001
  ISO/IEC 27018

Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities
  Collection, use, and disclosure of personal data
  Accountability of data subjects
  Care of personal data

 


 

Data intermediary compliance with the PDPA 

Where an organization employs a data intermediary to process personal data, the Commission recommends that the organization perform a due diligence review of the data intermediary's data protection and security policies, practices, and processes to ensure that the intermediary is able to comply with the PDPA's requirements.

As a trusted cloud service provider, Google Cloud is committed to fulfilling our protection and retention limitation obligations under the PDPA. Moreover, we strive to support our customers in meeting their legal obligations under the PDPA.

Our internal compliance-focused teams 

At Google Cloud, we employ an extensive team of lawyers, regulatory compliance experts, and public policy specialists who oversee privacy and security compliance. These teams engage with customers, industry stakeholders, and supervisory authorities to shape our cloud services in a manner that helps customers meet their compliance needs. These teams work closely with our customers to understand their unique compliance requirements and then collaboratively develop a strategy to address the requirements identified.

In addition, Google has a dedicated team of internal auditors and compliance specialists that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.

 


 

Google Cloud's certifications and independent third-party attestations

Google Cloud products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn the trust of our customers. We are constantly working to expand our coverage.

Below are certifications most relevant to the Asia-Pacific region. To learn more, refer to our Standards, regulations & certifications page.

 

    

 

Multi-Tier Cloud Security Singapore Standard 584

The Multi-Tier Cloud Security (MTCS) Singapore Standard 584 is a cloud security certification managed by the Singapore Info-communications Media Development Authority. The standard has three tiers designed to certify cloud service providers at different levels of operational security, with Tier 3 having the most stringent requirements. In obtaining the MTCS certification, a cloud service provider must complete a self-disclosure form that details its level of security and covers, among other things, data retention, data portability, liability, availability, business continuity, disaster recovery, as well as incident and problem management.

GCP underwent assessments for the MTCS certification, which included an audit by an independent MTCS certifying body. At the conclusion, 114 Google Cloud services and 20 data center sites received Tier Level 3 certification, the highest level. The scope of services included in the certifications highlights Google Cloud's ongoing and continuous commitment to ensuring sound operational and security controls across all three service models: IaaS, PaaS, and SaaS. Because Google's Tier Level 3 certification is appropriate for regulated organizations, such as those involved in financial and health services, GCP meets the most rigorous security standards.

GCP and G Suite are certified as MTCS compliant. For a full list of Google Cloud products and services that have received MTCS Level 3 certifications, refer to our MTCS page.

 

 


 

 

ISO 27001 

The International Organization for Standardization (ISO) 27001 is a security standard that outlines and provides the requirements for an information security management system. The 27001 standard lays out a framework and checklist of controls that allow Google to ensure a comprehensive and continually improving model for security management. GCP is certified as ISO 27001 compliant.

 

 

ISO/IEC 27018 

ISO 27018 is a "code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors." This standard primarily focuses on security controls for public-cloud service providers acting as PII processors. GCP and G Suite are certified as ISO 27018 compliant.

 

   

 


 

Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities 

In this table, we identify who bears the responsibility to meet the PDPA's 9 Main Data Protection Obligations. The table indicates each legal obligation and whether our customers or Google must satisfy the obligation, as well as where we can support our customers in meeting their legal requirements.

While customers are ultimately responsible for compliance with the PDPA, our commitment to complying with data protection and privacy principles and regulations gives customers the confidence to take advantage of GCP and G Suite services.

Collection, use, and disclosure of personal data

Data protection obligations  Who has the responsibility 

Notification of purpose (Section 20)
● The organization must notify individuals of the purposes for the collection, use, or disclosure of their personal data. A notification should also provide other information, such as the business contact information of the data protection officer, how an individual may withdraw consent, how an individual may access or correct his personal data, and the organization's retention policies, among other matters.

Customer responsibility to provide notification of the purposes for the collection, use, or disclosure of individual personal data.
● To learn more, refer to the Commission's Advisory Guidelines on the Notification Obligation and its Guide to Notification.
Google Cloud Support
● Google features such as the Identity-Aware Proxy can support customers in this activity.

Consent (Sections 13-17)
● The organization must obtain individuals' consent to collect, use, or disclose their personal data, unless an exemption applies. The request for personal data should be reasonable for providing the product or service.
● The organization must allow individuals to withdraw consent. Upon withdrawal of consent, the organization must cease such collection, use, or disclosure of the personal data.

Customer responsibility to obtain individuals' consent to collect, use or disclose their customers' personal data.
● To learn more, we recommend the Commission's Advisory Guidelines on the Consent Obligation.
Google Cloud Support
● Google features such as the Identity-Aware Proxy can support customers in this activity.

 

Page 20: Prote ct ion Act Pers onal Data Singapore’s - Google Cloud · 2019. 8. 1. · Cloud as a leader among public cloud platforms in native security capabilities and features. Moreover,

  

20  

 

Purpose limitation (Section 18)

Data protection obligation:
● An organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, only after it has notified the individual of those purposes.
● The organization must collect, use, or disclose personal data only for the purposes for which the individuals gave consent.

Who has the responsibility:
● Customer responsibility to ensure collection, use, or disclosure of personal data is limited to the purposes for which the individuals gave their consent.

Google Cloud support:
● The data you entrust to Google Cloud belongs to your organization. We process your organization's data according to your explicit instructions under our contractual obligations to you. Our automated systems process your data to provide you services and protection, such as performing spam and malware detection, sorting email for features like Priority Inbox, and returning fast search results for information in your accounts. We may only access data in your account in strict compliance with our privacy policy and your customer agreement. We offer customers detailed terms of service that describe our commitment to protecting your data. To read more, please visit Section 5.2 of the Data Processing and Security Terms (DPST) for GCP and Section 5.2 of the Data Processing Amendment (DPA) for G Suite.

Accountability to data subjects

Openness (Sections 11 and 12)

Data protection obligation:
● The organization must appoint a data protection officer (DPO) who is responsible for the organization's compliance with the PDPA and make the DPO's business contact information publicly available so that data subjects can contact the DPO for PDPA-related queries or complaints.
● The organization must publish information on its data protection policies, practices, and complaint-handling process.

Who has the responsibility:
● Customer responsibility to appoint a data protection officer (DPO) and satisfy this obligation.
● To learn more, we recommend the Commission's Advisory Guidelines on the Openness Obligation.

Google Cloud support:
● Google believes transparency is essential to build trust and recommends that customers inform their data subjects about their use of GCP and G Suite.
● Google has up-to-date security and privacy policies that have been reviewed and approved by management and are published and communicated to employees and vendors with access to the Google environment. These policies describe information governance objectives, provide information security guidelines, and emphasize the importance of data protection and privacy to Google's business. Policies are reviewed at least annually and tested as part of the SOC 2 audit. Google reviews and updates our policies as needed to comply with the latest regulatory requirements and information governance best practices.
● In addition, customers may contact Google's data privacy officer for questions or comments.

Requests for access to and correction of personal data (Sections 21-22)

Data protection obligation:
● Upon request, an organization must provide individuals with their personal data and inform them of the ways in which it collected, used, or disclosed their personal data within the past year (i.e., 12 months).
● An organization must correct any error or omission in individuals' personal data upon their request (unless an exception applies).

Who has the responsibility:
● Customer responsibility to provide access to and correction of personal data collected, used, or disclosed within the past year.
● To learn more, we recommend the Commission's Advisory Guidelines on the Access and Correction Obligations and its Guide to Handling Access Requests.

Google Cloud support:
● GCP and G Suite allow customers to easily and safely access and correct the personal data stored in the cloud in order to fulfill their data subjects' requests.
● Google Cloud is certified to ISO 27018, which demonstrates the controls and guidelines Google implements to protect personal data held within a public cloud environment. More context on the ISO 27018 standard and audit can be found at ISO/IEC 27018:2014 general information.
● For data subject requests or enquiries relating to their personal data, our privacy team will advise requesters to submit their request to the Google Cloud customer. Google Cloud customers can then take control of responding to these requests as per their internal procedures and requirements.
● Google will assist GCP and G Suite customers per our terms in responding to these data subject requests.
● GCP and G Suite administrative consoles and services possess the functionality to access or rectify any data that customers and their users put into our systems. This functionality will help our customers fulfill their obligations to respond to requests from data subjects to exercise their rights under the PDPA.
● We encourage you to view sections 9.2.1 and 9.2.2 of these terms of service for more information about data subject rights.

Care of personal data

Accuracy (Section 23)

Data protection obligation:
● An organization must make reasonable efforts to ensure that an individual's personal data collected is accurate and complete, if it is likely to use that data to make a decision that impacts that individual or to disclose that data to another organization.

Who has the responsibility:
● Customer responsibility to satisfy this obligation.
● To learn more, we recommend the Commission's Advisory Guidelines on the Accuracy Obligation.

Google Cloud support:
● GCP and G Suite administrative consoles and services possess the functionality to maintain the accuracy of customers' data.

Protection (Section 24)

Data protection obligation:
● An organization must implement reasonable security processes to protect the personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The organization should have:
  1) comprehensive policies and procedures to ensure appropriate levels of security for personal data of different sensitivities
  2) security measures appropriate to the nature of the personal data and the potential impact to individuals from unauthorized use or disclosure
  3) reliable, well-trained personnel
  4) robust security breach response plans, including a data breach management program and a procedure to notify the Commission as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.
● With respect to data intermediaries, the organization should contractually define the responsibility of reporting, investigating, and taking remedial actions.

Who has the responsibility:
● Shared Google and customer responsibility.
● To learn more, we recommend the Commission's Advisory Guidelines on the Protection Obligation, its Guide to Securing Personal Data in Electronic Medium, and its Guide to Basic Data Anonymisation Techniques.

How Google Cloud meets the Protection Obligation:
● Security team: Google employs more than 850 security and privacy professionals who maintain the company's defense systems, develop security review processes, build security infrastructure, implement Google's security policies, and actively scan for security threats. We also take part in research and outreach activities to protect the wider community of Internet users, beyond just Google customers.
● Industry certifications and third-party attestations: GCP and G Suite products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn customer trust. We are constantly working to expand our coverage. GCP and G Suite are both Multi-Tier Cloud Security (MTCS) and ISO/IEC 27018 compliant/certified. To learn more about the certifications we have achieved, the laws and regulations we comply with, and the frameworks we align to, refer to our Standards, regulations & certifications page.
● Physical security: Google Cloud has a dedicated security team that supports state-of-the-art data centers. Our data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. Our data center floor features laser beam intrusion detection. Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Should a physical security incident occur, we will provide access logs, activity records, and camera footage to the customer's designated personnel as defined in the service level agreement.

Protection (continued)

● Defense in depth: Google Cloud builds our cloud infrastructure security through layers to provide defense in depth. The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security.

Our infrastructure was designed to be multi-tenant from the start, and multiple mechanisms are utilized to establish and maintain trust between services.

We design and manufacture purpose-built servers and network hardware without unnecessary components, such as video cards, chipsets, or peripheral connectors, eliminating vulnerabilities introduced by third-party manufacturers. Furthermore, we operate the infrastructure securely by defending against threats to the infrastructure from both insiders and external actors. We protect our employees' credentials from compromise by replacing phishable, one-time-password second factors with mandatory use of U2F-compatible security keys. We aggressively limit and actively monitor the activities of employees who are granted administrative access to the infrastructure. Google Cloud continually works to eliminate the need for privileged access for particular tasks by providing automation that can accomplish the same tasks in a safe and controlled way. This includes requiring two-party approvals for some actions and introducing limited APIs that allow debugging without exposing sensitive information.

● Data encryption: Google encrypts data at rest and encrypts data in transit, by default. The type of encryption used depends on the OSI layer, the type of service, and the physical infrastructure component. By default, we encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of Google. To learn more, refer to the Encryption in Transit in Google Cloud whitepaper.

● Threat and vulnerability management: Google Cloud's dedicated security team actively scans and detects security threats to our infrastructure from both insiders and external actors, 24/7/365. We use a combination of commercially available and in-house tools, automated and manual penetration testing, quality assurance processes, software security reviews, and external audits to support the vulnerability management process.

● Unauthorized access prevention: To prevent unauthorized access by other tenants sharing the same physical server, we logically isolate our customers' data. We also have a variety of isolation and sandboxing techniques for protecting a service from other services running on the same machine. These techniques include normal Linux user separation, language and kernel-based sandboxes, and hardware virtualization. Furthermore, we perform encryption at the application layer, which allows our infrastructure to isolate itself from potential threats at the lower levels of storage such as malicious disk firmware.

To prevent unauthorized access to your data from external threat actors, we employ a defense-in-depth approach starting with state-of-the-art physical security at our data centers. We have also designed our entire infrastructure stack for security, using cryptographic signatures to ensure no unauthorized changes can be made without detection. This starts from low-level components, such as the BIOS, and includes all key components of the boot process, such as the bootloader, kernel, and the base operating system. All of these are controlled, built, and hardened by us. In addition, our operations teams detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.

To prevent unintended disclosure or unauthorized access to your data from Google insiders, we tightly restrict and monitor any internal access to user data. The small set of employees with access to your data is subject to rigorous authentication measures, detailed logging, and activity scanning to detect inappropriate access via log analysis. Google employees' access rights and levels are based on their job functions and roles. Technical controls are applied to enforce the concepts of least privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google's security policies. Approvals are managed by workflow tools that maintain audit records of all changes. Furthermore, Google's security team actively monitors Google employees' access patterns and investigates unusual events. Finally, Google employees are required to sign a confidentiality agreement and complete mandatory training on our Code of Conduct, data protection, data confidentiality, and data privacy. Google's Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.

● Incident response plan and data breach notification: We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. We assign the highest priority to events that directly impact our customers. Our process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Key staff are trained in forensics and handling evidence in preparation for an event. We test incident response plans for key areas, such as systems that store sensitive customer information. The Google security team operates 24/7.

Additionally, we will promptly notify customers if we detect a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to their data on systems we manage. Moreover, we will assist with investigative efforts via our support team. To learn more, refer to our Data incident response process whitepaper.

● Business continuity and disaster recovery: At Google Cloud, we plan on our services being always available, even when we are upgrading our services or maintaining our systems. The service level agreements (SLAs) for Google Cloud's service offerings meet or exceed system availability requirements for enterprises across various industries. We have data centers geographically distributed across the Americas, Europe, and Asia to minimize the effects of disruptions caused by local and regional incidents. Our application and network architecture design maximizes reliability and uptime. We utilize robust software failover within our cloud computing platform to minimize the impact of unlikely hardware disruptions. All systems within the Google infrastructure that support Google Cloud services are redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across active servers so in the case of a machine failure, data will still be accessible through another system. Data is also replicated across secondary data centers to ensure protection from data center failures. For more information regarding our SLAs, please see our GCP SLAs and G Suite SLA.

Furthermore, we have a business continuity plan for our data centers and production operations to account for major disasters such as earthquakes or other incidents like health crises. This plan allows us to continue delivery of our services to our customers. Likewise, our DR program enables continuous and automated disaster readiness, response, and recovery of our business, systems, and data.

We conduct DR testing on a regular basis to provide a coordinated venue for infrastructure and application teams to test communication plans, failover scenarios, operational transition, and other emergency responses. All teams that participate in the DR exercise develop testing plans and postmortems which document the results, lessons learned, and remediation plans (if applicable).

Finally, GCP provides many of the facilities customers need to implement a business continuity plan or disaster recovery plan, such as redundancy, scalability, compliance, and security. The Disaster Recovery Cookbook provides some scenarios to show how GCP can help.

● Identity and security products and services: GCP offers capabilities that include Cloud Identity and Access Management, Cloud Data Loss Prevention, Cloud Security Scanner, Stackdriver Logging, and Cloud Key Management Service that help meet your policy, regulatory, and business objectives. Moreover, G Suite's centralized administrator console provides security capabilities including two-step verification, single sign-on, usage monitoring, mobile app management, and audit logging.

● Subcontractors: Google reviews the information governance practices and security posture of third-party vendors and services that Google shares confidential or sensitive information with. We ensure that they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Google includes an information protection addendum (IPA) in contracts with its sub-processors who have access to customer data. A list of sub-processors and the services they provide is available for both GCP and G Suite. The IPA defines the security and privacy obligations sub-processors must meet to satisfy Google's requirements regarding customer data.
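The Protection Obligation above calls for security measures matched to the sensitivity of the personal data, and the identity and security products bullet names Cloud Data Loss Prevention as one tool for finding it. The following is an added example, not code from this whitepaper and not Google's DLP product: a small stand-alone scanner that finds Singapore NRIC/FIN numbers in application log lines, validates the published check-letter scheme so that look-alike strings are not reported, and redacts the valid ones. The regular expression, the check-letter tables, the `is_valid_nric`, `scan_log` and `redact_nrics` names and the sample log lines are all constructed for this example.

```python
import re

# Shape of a Singapore NRIC/FIN: series letter, seven digits, check letter.
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")

# Weights applied to the seven digits, and the check-letter tables per series
# (published NRIC/FIN check-letter scheme; adjust if your validation rules differ).
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
ST_LETTERS = "JZIHGFEDCBA"   # S series, and T series with a +4 offset
FG_LETTERS = "XWUTRQPNMLK"   # F series, and G series with a +4 offset


def expected_check_letter(series, digits):
    """Compute the check letter for a 7-digit NRIC/FIN body."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, digits))
    if series in "TG":          # T and G series carry a +4 offset
        total += 4
    table = ST_LETTERS if series in "ST" else FG_LETTERS
    return table[total % 11]


def is_valid_nric(value):
    """True only if the value has the NRIC shape AND the check letter holds."""
    m = NRIC_RE.fullmatch(value.strip().upper())
    if not m:
        return False
    series, digits, check = m.groups()
    return expected_check_letter(series, digits) == check


def find_nrics(text):
    """Check-letter-valid NRIC/FIN values in text; look-alikes are dropped."""
    return [m.group(0) for m in NRIC_RE.finditer(text) if is_valid_nric(m.group(0))]


def redact_nrics(text, placeholder="[NRIC]"):
    """Replace each valid NRIC/FIN with a placeholder; leave invalid look-alikes alone."""
    return NRIC_RE.sub(
        lambda m: placeholder if is_valid_nric(m.group(0)) else m.group(0), text
    )


def scan_log(lines):
    """Return (line_number, [findings]) for every line that carries a valid NRIC/FIN."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = find_nrics(line)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines (not real data). Line 2 carries a string with the
# right shape but a wrong check letter, which a shape-only regex would over-report.
SAMPLE_LOG = [
    "2019-07-01T08:00:00Z INFO  login   user=alice id=S1234567D",
    "2019-07-01T08:01:12Z INFO  export  ref=S1234567A rows=40",
    "2019-07-01T08:02:30Z WARN  kyc     fin=G1234567X status=pending",
    "2019-07-01T08:03:05Z INFO  healthcheck ok",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
    for line in SAMPLE_LOG:
        print(redact_nrics(line))
```

Run on the sample, the scanner reports lines 1 and 3 only; the string on line 2 has the right shape but fails the check letter, so it is neither reported nor redacted. Requiring the checksum is what keeps a detector like this from flagging order references and similar codes as personal data.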

Retention limitation (Section 25)

Data protection obligation:
● An organization must cease to retain personal data or remove the means by which the personal data can be associated with particular individuals when the data is no longer necessary for any business or legal purposes.
● Ceasing to retain personal data means safely disposing of personal data or anonymizing it.
● The organization should set a retention period for various types of personal data.

Who has the responsibility:
● Shared Google and customer responsibility.
● To learn more, we recommend the Commission's Advisory Guidelines on the Retention Limitation Obligation, Advisory Guidelines on Anonymization, and Guide to Basic Data Anonymisation Techniques.

How Google Cloud satisfies the Retention Limitation Obligation:
● Google will retain, return, destroy, or delete the personal data in accordance with the contract or service level agreements. GCP and G Suite administrative consoles and services possess the functionality to delete any data that customers and their users put into our systems. If customers delete their data, we commit to deleting it from our systems within 180 days. We also provide tools that make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost. To learn more about data deletion at Google, refer to our Data deletion on Google Cloud Platform whitepaper.
● All Google data centers adhere to a strict policy for equipment disposal and reuse. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process that includes a crusher and shredder followed by recycling at a secure facility.
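The Retention Limitation Obligation above asks for a retention period per type of personal data and, once it lapses, either safe disposal or anonymisation. The following is an added example, not code from this whitepaper, of a retention sweep a customer might run over its own records: each record carries a data category, the policy maps categories to a retention period and an expiry action, expired records are either deleted or stripped of direct identifiers with the subject identifier replaced by a keyed HMAC pseudonym, and records with no retention class are routed to review rather than silently kept. The policy table, the field names, the hypothetical key and the sample records are constructed for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Retention policy: data category -> (retention period in days, action on expiry).
# Constructed for illustration; an organisation sets these from its own needs.
RETENTION_POLICY = {
    "support_ticket": (365, "delete"),
    "transaction": (5 * 365, "anonymize"),   # keep for analytics, unlink the individual
    "marketing": (90, "delete"),
}

# Fields that directly identify a person and are dropped on anonymisation.
DIRECT_IDENTIFIERS = ("name", "email", "nric")


def pseudonymize(value, key):
    """Keyed hash of an identifier; without the key it cannot be reversed or re-linked."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize(record, key):
    """Copy of the record with direct identifiers removed and subject_id pseudonymised."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonymize(record["subject_id"], key)
    return out


def expiry_date(record, policy=RETENTION_POLICY):
    """Date from which the record may no longer be kept in identifiable form, or None if unclassified."""
    entry = policy.get(record["category"])
    if entry is None:
        return None
    days, _ = entry
    return date.fromisoformat(record["collected_at"]) + timedelta(days=days)


def sweep(records, today, key, policy=RETENTION_POLICY):
    """Apply the retention policy as of `today`.

    Returns the records to keep, the anonymised replacements, the ids to delete,
    and the ids of records that have no retention class and need review.
    """
    result = {"kept": [], "anonymized": [], "deleted": [], "review": []}
    for record in records:
        expires = expiry_date(record, policy)
        if expires is None:                     # unclassified data is a policy gap, not a keep
            result["review"].append(record["record_id"])
        elif today < expires:
            result["kept"].append(record)
        elif policy[record["category"]][1] == "anonymize":
            result["anonymized"].append(anonymize(record, key))
        else:
            result["deleted"].append(record["record_id"])
    return result


# Constructed sample records (not real people) and a hypothetical pseudonymisation key.
SAMPLE_KEY = b"retention-demo-key"
SAMPLE_RECORDS = [
    {"record_id": "t-1", "category": "support_ticket", "collected_at": "2018-01-15",
     "subject_id": "cust-42", "name": "Alice Tan", "email": "alice@example.com"},
    {"record_id": "t-2", "category": "support_ticket", "collected_at": "2019-05-01",
     "subject_id": "cust-42", "name": "Alice Tan", "email": "alice@example.com"},
    {"record_id": "x-9", "category": "transaction", "collected_at": "2013-06-30",
     "subject_id": "cust-42", "name": "Alice Tan", "amount_sgd": 120.0},
    {"record_id": "m-3", "category": "marketing", "collected_at": "2019-06-01",
     "subject_id": "cust-77", "email": "bob@example.com"},
    {"record_id": "u-1", "category": "legacy_export", "collected_at": "2015-01-01",
     "subject_id": "cust-77", "name": "Bob Lim"},
]


def sweep_sample(as_of="2019-07-31"):
    """Run the sweep over the constructed records as of the given ISO date."""
    return sweep(SAMPLE_RECORDS, date.fromisoformat(as_of), SAMPLE_KEY)


if __name__ == "__main__":
    for bucket, items in sweep_sample().items():
        print(bucket, items)
```

As of 31 July 2019 the sweep deletes the 2018 support ticket, keeps the 2019 ticket and the marketing record, replaces the 2013 transaction with an anonymised copy, and sends the unclassified legacy export to review. The HMAC key is the only link back to the individual: keep it under the same controls as the identifiers it protects, and destroy it once no further linkage is needed, at which point the pseudonyms become anonymous data.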

Transfer limitation (Section 26)

Data protection obligation:
● When transferring personal data overseas, an organization must 1) take steps to ensure that it protects the data in compliance with the PDPA while the data is still in its possession or control; and 2) ensure that the standard of protection afforded to that data in a separate jurisdiction or region is comparable to the PDPA.

Who has the responsibility:
● Customer responsibility to satisfy this obligation.
● To learn more, we recommend the Commission's Advisory Guidelines on the Transfer Limitation Obligation.

Google Cloud support:
● GCP services are available in various geographical regions and zones across North America, South America, Europe, Asia, and Australia. With respect to cloud locations, GCP has 18 regions, 55 zones, over 100 points of presence across 35 countries, and a well-provisioned global network with 100,000s of miles of fiber optic cable.
● G Suite's data centers are located in the U.S., Europe, Chile, Singapore, and Taiwan. Customers may verify the data protection standards in these countries and regions prior to any transfer.
● Google offers a range of international data-transfer mechanisms and is committed to having a lawful basis for data transfers in compliance with applicable data protection laws worldwide. Indeed, Google follows the highest standards for cross-border data transfer protections as required by the EU's General Data Protection Regulation: we contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU. Moreover, the European data protection authorities have confirmed the compliance of our model contract clauses, affirming that our contractual commitments for G Suite and GCP fully meet the requirements to legally transfer personal data from the EU to the rest of the world.
● Google informs its customers of the storage locations and legal jurisdictions of the personal data. For many GCP and G Suite services, customers can choose where their data is stored.
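The Transfer Limitation Obligation puts the burden on the customer to know where personal data goes, and the support bullets note that for many services the customer picks the storage location. The following is an added example, not code from this whitepaper, of a check a customer can run against its own resource inventory before personal data is loaded: each resource's location is normalised (Compute Engine zones collapse to their region; Cloud Storage multi-region and dual-region names such as ASIA or EU span several countries and are never treated as a single region), and anything outside the approved list is reported with a reason. The inventory format, the `check_residency` name and the sample resources are constructed for this example; the approved list holds asia-southeast1, Google Cloud's Singapore region.

```python
import re

# Cloud Storage multi-region and dual-region names span more than one country,
# so they never satisfy a single-country residency rule. Set is illustrative.
MULTI_REGION_LOCATIONS = {"asia", "eu", "us", "asia1", "eur4", "nam4"}

# A Compute Engine zone is its region plus a one-letter suffix, e.g. asia-southeast1-b.
ZONE_RE = re.compile(r"^([a-z]+-[a-z]+\d)-[a-z]$")


def normalize_location(location):
    """Lower-case the location and collapse a zone to its region."""
    loc = location.strip().lower()
    m = ZONE_RE.match(loc)
    return m.group(1) if m else loc


def classify_location(location, allowed_regions):
    """Return None if the location is approved, otherwise a reason string."""
    loc = normalize_location(location)
    if loc in MULTI_REGION_LOCATIONS:
        return f"multi-region location {location!r} spans several countries"
    if loc not in allowed_regions:
        return f"region {loc!r} is outside the approved list"
    return None


def check_residency(resources, allowed_regions):
    """List (resource_type, name, location, reason) for every resource outside the policy.

    Resources with no recorded location are reported too: an unknown location
    is not an approved one.
    """
    violations = []
    for res in resources:
        location = res.get("location")
        if not location:
            violations.append((res["type"], res["name"], None, "no location recorded"))
            continue
        reason = classify_location(location, allowed_regions)
        if reason:
            violations.append((res["type"], res["name"], location, reason))
    return violations


# Constructed inventory for the example; not a real project.
APPROVED_REGIONS = {"asia-southeast1"}   # Google Cloud's Singapore region
SAMPLE_INVENTORY = [
    {"type": "storage.bucket", "name": "pdpa-records", "location": "ASIA-SOUTHEAST1"},
    {"type": "storage.bucket", "name": "exports", "location": "ASIA"},
    {"type": "compute.instance", "name": "app-1", "location": "asia-southeast1-b"},
    {"type": "compute.instance", "name": "dr-1", "location": "asia-east1-a"},
    {"type": "bigquery.dataset", "name": "analytics", "location": "US"},
    {"type": "sql.instance", "name": "legacy-db"},
]

if __name__ == "__main__":
    for violation in check_residency(SAMPLE_INVENTORY, APPROVED_REGIONS):
        print(violation)
```

On the sample inventory the check passes the Singapore bucket and instance and flags four resources: the ASIA bucket and the US dataset because multi-region storage cannot be pinned to one jurisdiction, the Taiwan-zone DR instance because it is outside the approved list, and the database with no recorded location. Run it as a gate in the deployment pipeline so that a resource cannot receive personal data until its location has been approved or the transfer has been assessed under Section 26.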

Frequently asked questions

The PDPA sets forth rigorous data protection requirements but leaves some issues unaddressed. In addition to the PDPA, several industries may face sector-specific privacy or security requirements. In this section, we identify several potential questions regarding compliance risks and briefly describe how we can support our customers in assessing and mitigating them. Customers ultimately bear the responsibility for complying with the PDPA and should seek legal counsel to understand their specific compliance obligations.

Does the PDPA impose data breach notification requirements?

The PDPA does not explicitly require organizations to have incident response plans or to report data breaches. Nevertheless, the PDPA's Protection Obligation requires organizations and data intermediaries to safeguard personal data with reasonable security arrangements. To meet this obligation, the Commission encourages organizations to establish data breach management and response plans and to notify it promptly of any data breaches that might cause public concern or pose a risk to a group of individuals. Such measures may serve as mitigating factors in the Commission's determination of a financial penalty for a violation of the Protection Obligation caused by a data breach. To learn more, read the Commission's Guide to Managing Data Breaches.

What's more, the Commission intends to amend the PDPA to include explicit data breach notification requirements that will prescribe the criteria for notification, the time period for giving notice, and exceptions to the requirement. Upon incorporating them into the law, the Commission will issue guidelines to help organizations comply with the new obligations.

Google's security team works 24/7 to quickly detect and resolve potential security or privacy incidents. Our security incident management program is structured around industry best practices and tailored into our "Incident Management at Google" program, which is built around the unique aspects of Google and its infrastructure. In the event of a breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data on systems managed by or otherwise controlled by Google, our expert team of incident responders works to protect customers' data, restore normal service as quickly as possible, and meet both regulatory and contractual compliance requirements.

Google Cloud maintains and continues to invest in advanced threat detection and avoidance technologies, from machine learning to data analytics. We also test our incident response plans regularly, so that we are always ready. Google Cloud promptly informs our customers of incidents involving their customer data in line with the data incident terms in our current and any updated agreements. To learn about Google's principled approach to managing and responding to data incidents for Google Cloud, refer to the Data incident response process whitepaper.

Does the PDPA permit cross-border transfers of personal data?

The PDPA's Transfer Limitation Obligation lays out the parameters for cross-border transfers of personal data. An organization may transfer personal data outside of Singapore if it takes appropriate measures to guarantee its compliance with the data protection requirements. Furthermore, if the organization intends to transfer personal data to an overseas recipient, it must take appropriate steps to ascertain and ensure that the data recipient, such as the data intermediary, will afford the personal data "a standard of protection that is at least comparable to" the PDPA pursuant to "legally enforceable obligations," including those imposed by law, contract, binding corporate rules, or any other legally binding instrument.

In short, the PDPA requires that the organization carry out appropriate due diligence of the data protection and privacy law or rules in place in the foreign country. To learn more, refer to the Commission's Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, and Guide to Data Sharing.

Google Cloud offers a range of international data-transfer mechanisms and continues to monitor the evolution of international data-transfer mechanisms. We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws worldwide. We inform our customers of the storage locations and legal jurisdictions of the personal data. Google Cloud Platform services are available in locations across North America, Europe, and Asia. Google Cloud customers can transfer data to best meet their latency, availability, durability, and security requirements.

What terms and conditions do we provide our customers regarding data protection?

Google Cloud contractually agrees to a range of terms with its customers, including that it will comply with the applicable legal and regulatory requirements depending on the jurisdiction. The GCP Data Processing and Security Terms and G Suite Data Processing Amendment supplement the licensing agreement and describe our commitment to protecting customer data. In the terms, we and our customers agree to various terms governing the processing, deletion, and security of customer data. Similarly, we agree to assist customers in respect of data protection impact assessments, data subject request assistance, and international data transfers. Service Level Agreements apply to many of our service offerings in which we agree with our customers on various aspects of the service (e.g., uptime, downtime, error rates) depending on the offering used.

What is the Cybersecurity Act of 2018 and what does it require for cloud service providers (CSPs)?

As one of the most digitally connected nations, Singapore recognizes the importance of building a cyber-resilient digital infrastructure. The Cybersecurity Act of 2018 (the Act) establishes a regulatory framework to prevent, manage, and respond to cybersecurity threats and incidents in Singapore. The Act regulates computers or computer systems explicitly designated as critical information infrastructure (CII) in Singapore, which currently include essential services related to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government functions, and media.

The Cybersecurity Act of 2018

In general, critical information infrastructure owners need to
● Comply with codes of practice and performance standards
● Perform cybersecurity audits and risk assessments
● Participate in cybersecurity exercises
● Notify the commissioner of the Cyber Security Agency of Singapore of prescribed cybersecurity incidents that occur in the CII or systems under their control

The Act empowers the commissioner to prevent and investigate cybersecurity incidents, among other related matters. Because the Act does not classify the computer systems in the supply chain that support a CII's operations as CII, third-party vendors such as cloud service providers currently fall outside the Act's scope.

Does Singapore have industry-specific privacy laws or regulations?

Although the PDPA establishes an industry-wide data protection framework, certain organizations might also need to comply with applicable sector-specific laws and regulations or common law. Here, we highlight two sectors that must comply with the PDPA and sector-specific rules.

Financial services

The Monetary Authority of Singapore (MAS) addresses financial institutions' use of cloud services in its Guidelines on Outsourcing. For more information, refer to Google Cloud's Guidelines for Financial Institutions in Singapore Using Cloud Services whitepaper. In addition to the outsourcing guidelines, financial institutions should review other applicable laws and guidance to determine their responsibilities when using a CSP.

In addition, the MAS requires financial institutions to notify the MAS of data incidents that have a severe and widespread impact on the institution's operations or materially affect its service to customers. Banks seeking further guidance on complying with the PDPA should consult the Association of Banks in Singapore's Code of Banking Practices - PDPA.

Healthcare services

Singapore authorities promote cloud use within the healthcare sector. Although adoption of the Multi-Tier Cloud Security (MTCS) Singapore Standard (SS 584) is voluntary, CSPs must be MTCS-certified to provide cloud services to the government, including public healthcare institutions.

To advance cloud use in the private healthcare sector, the Info-communications Media Development Authority and the Ministry of Health mapped the MTCS to the Healthcare IT Security Policy & Standards (HITSecP). The mapping aims to help MTCS-certified CSPs understand the HITSecP's expectations. Healthcare service providers that seek to host their applications on such CSPs must perform due diligence and deploy additional security and risk controls that are appropriate based on their own security policies and risk assessments. To learn more, refer to the Alignment of MTCS to Healthcare IT Security Policy & Standards Gap Analysis Report.

Finally, to better understand their obligations under the PDPA, we encourage healthcare service providers to review the Commission's Advisory Guidelines for the Healthcare Sector.

Conclusion

We have described how information is securely stored, processed, maintained, and accessed in Google Cloud. Whether the customer processes personal data within Singapore or processes personal data of individuals in Singapore but outside the city-state, this information can help them determine whether the Google Cloud Platform and G Suite products or services are suitable for them in light of the PDPA.

Additional resources

As you continue on your journey to build Singapore PDPA compliant applications or environments, we invite you to take advantage of the resources listed below.

Learn more
● Learn why other organizations are choosing Google Cloud: Why Google Cloud? (GCP); Why G Suite (G Suite)
● Learn more about our services: Google Cloud solutions (GCP); G Suite Learning Center (G Suite)
● Learn more about our pricing: Google Cloud pricing (GCP); G Suite solution (G Suite)
● Learn how we respond to government requests: Transparency Report (Google Cloud); Government Requests for Cloud Customer Data (Google Cloud)

Engage
● Try Google Cloud for free: GCP Free Tier (GCP); G Suite Free Trial (G Suite)
● Call our Knowledge Center: 844-613-7589 (GCP); 855-312-7191 (G Suite)
● Have questions regarding security, privacy, or compliance? Contact your technical account manager or sales representative

Act
● Get Google on your team: Fill out this form or call 844-613-7589 (GCP); fill out this form or call 855-312-7191 (G Suite)
● Train your team: Google Cloud training (GCP); G Suite training (G Suite)
● Quickstarts - Deploy your first solution in 10 minutes or less: Getting started with GCP (GCP); G Suite quickstart guide (G Suite)

Get support
● Frequently asked questions: GCP FAQs (GCP); G Suite FAQs (G Suite)
● Customer technical support: Contact our Google Cloud support center