Google Cloud Whitepaper July 2019
Singapore’s Personal Data Protection Act
Table of contents
Introduction
Personal Data Protection Act overview
  Key terms & concepts
  Data intermediaries under the PDPA
  9 data protection obligations
Google Cloud data protection overview & the Shared Responsibility Model
  Google Cloud’s approach to data protection and privacy
  Google Cloud’s approach to data security
  The Shared Responsibility Model
Google Cloud and the PDPA
  Data intermediary compliance with the PDPA
  Our internal compliance-focused teams
  Google Cloud’s certifications and independent third-party attestations
  Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities
Frequently asked questions
  Does the PDPA impose data breach notification requirements?
  Does the PDPA permit cross-border transfers of personal data?
  What terms and conditions do we provide our customers regarding data protection?
  What is the Cybersecurity Act of 2018 and what does it require for cloud service providers (CSPs)?
  Does Singapore have industry-specific privacy laws or regulations?
Conclusion
Additional resources
Disclaimer
This whitepaper applies to Google Cloud products described at cloud.google.com. The content contained herein is correct as of July 2019 and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.
Introduction
Singapore is a global tech epicenter, topping the rankings of the 2017 Global Smart City Performance Index. In addition, the city-state has launched the Digital Economy Framework for Action to make it the world’s leading digital economy and a Smart Nation.
Cloud computing is an integral element of Singapore’s digital objectives. As a result of governmental authorities’ strong promotion of cloud adoption across the economy, the city-state led the Asia-Pacific region in the Asia Cloud Computing Association’s 2018 Cloud Readiness Index. The 2018 BSA Global Cloud Computing Scorecard ranked Singapore sixth out of 24 leading IT economies for its cloud computing preparedness based on its legal and regulatory environment, including its data protection regime.
Singapore’s Personal Data Protection Act (PDPA) governs the collection, use, disclosure, and care of personal data, as described in the official Quick Guide to the PDPA. At the core of the PDPA are the 9 Main Data Protection Obligations, which attempt to strike a balance between individuals’ rights to protect their personal data and organizations’ needs for this data for legitimate and reasonable business purposes.
Like Singapore, Google Cloud is a world leader with its Google Cloud Platform (GCP), G Suite services, and advanced data protection controls. With Google Cloud as their trusted partner, our customers can gain the strategic benefits of cloud computing, backed by our robust information protection and privacy infrastructure. In fact, Forrester Research recently named Google Cloud as a leader among public cloud platforms in native security capabilities and features. Moreover, GCP and G Suite are both certified as compliant with the highest security level of the city-state’s Multi-Tier Cloud Security (MTCS) Singapore Standard 584. As a result, approximately 114 Google Cloud services and 20 data center sites have MTCS Tier 3 certifications, highlighting Google Cloud's ongoing and continuous commitment to ensuring sound operational and security controls across all three service models - infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS).
This whitepaper provides information to our customers about the PDPA and how Google Cloud leverages Google’s industry-leading data privacy and security capabilities to store, process, maintain, and secure customer data. We are committed to partnering with our customers so they can deploy workloads using GCP and G Suite for their productivity needs in a manner that aligns with the PDPA’s requirements. We explain our data protection features, how they map to the PDPA’s requirements, and how we share compliance responsibilities with our customers.
Personal Data Protection Act overview
The PDPA applies to the processing of personal data by organizations within Singapore, even where an organization might collect the personal data overseas and transfer it into the city-state. The Personal Data Protection Commission (the Commission) administers, promotes, and enforces the PDPA. To learn more, refer to the Act and related subsidiary legislation and the Commission’s guidance.
Cloud users should ensure that they fully comply with the PDPA; thus, we encourage them to utilize the Commission’s recommended steps to manage personal data, Data Protection Starter Kit, PDPA Assessment Tool, Guide to Developing a Data Protection Management Programme, and Guide to Data Protection Impact Assessments.
Purpose of the PDPA
“To govern the collection, use and disclosure of personal data by organizations in a manner that recognises both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
This section defines the PDPA’s key terms and concepts. In particular, we briefly describe the PDPA’s 9 Main Data Protection Obligations. To learn more, see the Act, the Commission’s Overview of the Obligations, and the Advisory Guidelines for Key Concepts in the PDPA.
Topics
Key terms & concepts
  Key term definitions
  Key concepts
Data intermediaries under the PDPA
  Data intermediary obligations
  Google Cloud as a data intermediary
9 Main Data Protection Obligations
  Collection, use, and disclosure of personal data requirements
    The Notification Obligation
    The Consent Obligation
    The Purpose Limitation Obligation
  Accountability requirements
    The Openness Obligation
    The Access and Correction Obligations
  Care of personal data requirements
    The Accuracy Obligation
    The Protection Obligation
    The Retention Limitation Obligation
    The Transfer Limitation Obligation
Key terms & concepts
Key term definitions
The PDPA explicitly defines the following terms:
Personal data
Data, “whether true or not, about an individual who can be identified - from that data; or from that data and other information to which the organization has or is likely to have access.”
Organization
Any “individual, company, association or body of persons, corporate or unincorporated, whether or not - formed or recognised under the law of Singapore; or resident, or having an office or a place of business, in Singapore.”
Processing
The “carrying out of any operation or set of operations in relation to the personal data,” including, but not limited to, recording; holding; organization, adaptation, or alteration; retrieval; combination; transmission; erasure or destruction.
Data intermediary
An “organization which processes personal data on behalf of another organization but does not include an employee of that other organization.”
Key concepts
Although the PDPA does not define the following concepts, the Commission provides explanatory guidance on interpreting them:
Purpose
The term refers to an organization’s “objectives or reasons” for collecting, using, or disclosing personal data, not the activities it may intend to take with that data.
Reasonable
In attempting to comply with the PDPA, organizations must “act based on what a reasonable person would consider appropriate in the circumstances.” The “reasonable person” concept is an “objective standard” and essentially represents “a person who exercises the appropriate care and judgment in the particular circumstances.”
Data intermediaries under the PDPA
Data intermediary obligations
A data intermediary processes data on another organization’s behalf. Where the processing contract is evidenced or in written form, the organization and the data intermediary have different responsibilities:
Organization
The organization bears the same obligations under the PDPA as if it processed the personal data itself.
Data intermediary
The data intermediary needs to only comply with the PDPA provisions classified as the “Protection Obligation” and the “Retention Limitation Obligation” (explained below). However, the data intermediary must comply with all of the PDPA’s data protection obligations where it engages in other activities that do not constitute processing on behalf of or for the purposes of the organization pursuant to the contract.
Google Cloud as a data intermediary
Google Cloud qualifies as a data intermediary under the PDPA because it processes personal data on behalf of, or for the purposes of, the organization pursuant to a contract for cloud services. As a result, Google Cloud needs to comply with the PDPA’s Protection and Retention Limitation Obligations. A subsequent section of this paper explains how Google Cloud satisfies its own PDPA obligations and how it helps customer organizations meet their PDPA obligations.
9 data protection obligations
Organizations that handle and control personal data must comply with the obligations under the PDPA. The 9 Main Data Protection Obligations can be classified as shown in the table below.

Category: Collection, use, and disclosure of personal data
Obligations:
● Notification
● Consent
● Purpose limitation

Category: Accountability
Obligations:
● Openness
● Access to and correction of personal data

Category: Care of personal data
Obligations:
● Accuracy
● Protection
● Retention limitation
● Transfer limitation
Google Cloud data protection overview & the Shared Responsibility Model
Google Cloud’s robust security and privacy controls give customers the confidence to utilize GCP and G Suite in a manner aligned with the requirements of the PDPA. Moreover, we are constantly working to expand our privacy and security capabilities. To help customers with compliance and reporting, Google shares information and best practices, and provides easy access to documentation.
In this section, we describe our comprehensive data protection and privacy capabilities and our robust data security features most relevant to the PDPA. We then explain how we share security and compliance responsibilities according to the Shared Responsibility Model.
Topics
Google Cloud’s approach to data protection and privacy
  Data privacy trust principles
  Dedicated privacy team
  Data access and customer control
  Restricted access to customer data
  Law enforcement data requests
Google Cloud’s approach to data security
  Strong security culture
  Security team
  Trusted infrastructure
  Infrastructure redundancy
  State-of-the-art data center security
  Data encryption
  Cloud-native technology
The Shared Responsibility Model
Google Cloud’s approach to data protection and privacy
Data protection and privacy are fundamental to Google. We design our products and services from the start with privacy and trust as guiding principles. Google Cloud works to ensure the protection and privacy of customers’ data in three ways: 1) we provide superior data protection through a secure core infrastructure that is designed, built, and operated to help prevent threats; 2) we give customers robust security controls to help them meet policy, regulatory, and business objectives; and 3) we work to fulfill our compliance responsibilities and to make compliance easier for our customers.
Data protection and privacy trust principles
We want our customers to feel confident when using GCP and G Suite products. We believe that trust is created through transparency, and we want to be open about our commitments and offerings to our customers when it comes to protecting their data in the cloud.
Our commitments to you about your data
Your data is critical to your business, and you take great care to keep it safe and under your control. We want you to feel confident that taking advantage of G Suite and Google Cloud Platform doesn't require you to compromise on security or control of your business's data. At Google Cloud, we believe that trust is created through transparency, and we want to be transparent about our commitments and what you can expect when it comes to our shared responsibility for protecting and managing your data in the cloud.
When you use G Suite or Google Cloud Platform, you can:
1. Know that your security comes first in everything we do. We promptly notify you if we detect a breach of security that compromises your data.
2. Control what happens to your data. We process customer data according to your instructions. You can access it or take it out at any time.
3. Know that customer data is not used for advertising. You own your data. Google Cloud does not process your data for advertising purposes.
4. Know where Google stores your data and rely on it being available when you need it. We publish the locations of our Google data centers; they are highly available, resilient, and secure.
5. Depend on Google’s independently-verified security practices. Our adherence to recognized international security and privacy standards is certified and validated by independent auditors—wherever your data is located in Google Cloud.
6. Trust that we never give any government entity “backdoor” access to your data or to our servers storing your data. We reject government requests that are invalid, and we publish a transparency report for government requests.
To learn more about our commitments to safeguarding customer information, refer to the Google Cloud Privacy page. See data processing terms for G Suite and Google Cloud Platform for further details.
Dedicated privacy team
The Google privacy team operates separately from product development and security organizations, but participates in every Google product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. They help release products that reflect strong privacy practices: transparent collection of user data, providing users and administrators with meaningful privacy configuration options, and continuing to be good stewards of any information stored on our platform. To learn more about our privacy team, refer to the privacy team section of the Google security whitepaper.
Data access and customer control
Google Cloud customers own their data, not Google. Google will only process customer data in accordance with contractual obligations. We also provide customers with solutions that allow granular control of resource permissions. For example, using Cloud Identity and Access Management, customers can map job functions to groups and roles so users only access the data they need to get the job done. Furthermore, customers may delete customer data from our systems or take it with them if they choose to stop using our services.
Restricted access to customer data
To keep data private and secure, Google logically isolates each customer’s data from that of other customers and users, even when the data is stored on the same physical server. Only a small group of Google employees has access to customer data pursuant to explicit reasons based on job function and role. Any additional access is granted according to stringent procedures and tracked through audit records. In fact, GCP is the only cloud service provider (CSP) to offer near real-time logs when its administrators access customers’ content through Access Transparency.
Google Cloud’s approach to data security
In this section, we provide an overview of the organizational and technical controls that we use to protect your data at Google Cloud. Please refer to the Google security whitepaper and the Google Cloud Security and Compliance whitepaper for additional information on our security practices.
Strong security culture
Security is central to Google culture. It is reinforced in employee security training and company-wide events to raise awareness and drive innovation in security and privacy.
To learn more about our security culture, refer to the security culture sections in our Google security whitepaper and our Google Cloud Security and Compliance whitepaper.
Security team
Google employs more than 850 security professionals, including some of the world’s foremost experts. This team maintains the company’s defense systems, develops security review processes, builds security infrastructure, implements Google’s security policies, and actively scans for security threats. Our team also takes part in research and outreach activities to protect the wider community of Internet users, beyond just those who choose Google solutions. Our research papers are available to the public. As part of our outreach efforts, we have a team known as Project Zero that aims to prevent targeted attacks by reporting bugs to software vendors.
In addition, our security team works 24/7 to quickly detect and resolve potential security incidents. Our security incident management program is structured around industry best practices and tailored into our "Incident Management at Google (IMAG)" program, which is built around the unique aspects of Google and its infrastructure. We also test our incident response plans regularly, so that we always remain prepared.
To learn more, refer to the security team, vulnerability management, and monitoring sections in the GCP security whitepaper. In addition, refer to the security team, vulnerability management, and monitoring sections in the Google Cloud Security and Compliance whitepaper.
Trusted infrastructure
We conceived, designed, and built Google Cloud to operate securely. Google is an innovator in hardware, software, network, and system management technologies. We custom design our servers, proprietary operating system, and geographically distributed data centers. Using “defense in depth” principles, we have created an IT infrastructure that is more secure and easier to manage than most other deployment options. Our infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators. We ensure the security of this infrastructure in progressive layers, starting from the physical security of our data centers, building with underlying security-designed hardware and software, continuing with secure service deployment, secure data storage, and secure internet communication, and finally, operating the infrastructure in a secure fashion.
To learn more, refer to the Google Cloud Infrastructure Security Design Overview, as well as the GCP Data Processing and Security Terms, Appendix 2: Security Measures and G Suite Data Processing Amendment, Appendix 2: Security Measures.
Infrastructure redundancy
Google’s infrastructure components are designed to be highly redundant. This redundancy applies to server design and deployment, data storage, network and Internet connectivity, and the software services themselves. This “redundancy of everything” creates a robust solution that is not dependent on a single server, data center, or network connection. Our data centers are geographically distributed to minimize the effects of regional disruptions on global products, such as natural disasters and local outages. In the event of hardware, software, or network failure, platform services and control planes are capable of automatically changing configuration so that customers can continue to work without interruption. Our highly redundant infrastructure also helps customers protect themselves from data loss. Customers can create and deploy our cloud-based resources across multiple regions and zones, allowing them to build resilient and highly available systems. To learn more, refer to the low latency and highly available solution in the Google security whitepaper and the Google Cloud Security and Compliance whitepaper.
State-of-the-art data center security
Google data centers feature layers of physical security protections. We limit access to these data centers to only a very small fraction of employees and have multiple physical security controls to protect our data center floors such as biometric identification, metal detection, vehicle barriers, and custom-designed electronic access cards. We monitor our data centers 24/7/365 to detect and track intruders. Data centers are routinely patrolled by experienced security guards who have undergone rigorous background checks and training. To learn more, refer to our Data Center Innovation page.
Data encryption
Google encrypts data at rest and encrypts data in transit, by default. The type of encryption used depends on the OSI layer, the type of service, and the physical infrastructure component. By default, we encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of Google. To learn more, refer to the Encryption in Transit in Google Cloud whitepaper.
Cloud-native technology
We continue to invest heavily in security, both in the design of new features and the development of cutting-edge tools for customers to more securely manage their environments. Some examples are the Cloud Security Command Center for GCP and the G Suite Security Center for G Suite that bring actionable insights to security teams by providing security analytics and best practice recommendations from Google, and VPC Service Controls, which help to establish virtual security perimeters for sensitive data. To learn more about our security technologies, refer to our security products & capabilities page.
The Shared Responsibility Model
Under the Shared Responsibility Model, the cloud customer and its CSP share the responsibilities of managing the IT environment, including those related to security and compliance. As a trusted partner, Google Cloud’s role in this model includes providing services on a highly secure and controlled platform and offering a wide array of security features from which customers can benefit. Shared responsibility enables our customers to allocate resources more effectively to their core competencies and concentrate on what they do best. Although the Shared Responsibility Model does not remove the accountability and risk from customers using Google Cloud services, we help by operating and controlling system components and physically controlling facilities. Moreover, using our cloud services is a more cost-effective approach for customers because we manage a substantial portion of the security and compliance efforts. The figure below visually demonstrates an example of the Shared Responsibility IaaS, PaaS, and SaaS offerings. Keep in mind that responsibilities will vary depending on the specific services being used.
Google Cloud and the PDPA
The Personal Data Protection Commission (the Commission) advises organizations that they may bear responsibility if their service providers violate the PDPA. The Commission recommends that an organization ensure that the contract with a service provider contain provisions requiring the service provider to take sufficient measures to comply with the PDPA. Additionally, organizations should establish standard operating procedures for the service provider’s handling of personal data and initiate processes to monitor the provider’s compliance with the standard operating procedures.
Compliance is built upon our security and privacy infrastructure. We are committed to complying with applicable data protection laws and undergo regular audits, maintain certifications, provide industry-standard contractual protections, and share tools and information with customers. Google Cloud continues to make significant investments in security, privacy, and compliance management to support customers in meeting their current and emerging regulatory compliance and risk management obligations. Our approach to supporting regulatory compliance includes collaborating with customers to understand and address their specific compliance obligations, delineating responsibilities, conducting internal and independent audits, and delivering transparency.
Topics
Data intermediary compliance with the PDPA
Our internal compliance-focused teams
Google Cloud’s certifications and independent third-party attestations
  Multi-Tier Cloud Security Singapore Standard 584
  ISO 27001
  ISO/IEC 27018
Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities
  Collection, use, and disclosure of personal data
  Accountability of data subjects
  Care of personal data
Data intermediary compliance with the PDPA
Where an organization employs a data intermediary to process personal data, the Commission recommends that the organization perform a due diligence review of the data intermediary’s data protection and security policies, practices, and processes to ensure that the intermediary is able to comply with the PDPA’s requirements.
As a trusted cloud service provider, Google Cloud is committed to fulfilling our protection and retention limitation obligations under the PDPA. Moreover, we strive to support our customers in meeting their legal obligations under the PDPA.
Our internal compliance-focused teams
At Google Cloud, we employ an extensive team of lawyers, regulatory compliance experts, and public policy specialists who oversee privacy and security compliance. These teams engage with customers, industry stakeholders, and supervisory authorities to shape our cloud services in a manner that helps customers meet their compliance needs. These teams work closely with our customers to understand their unique compliance requirements and then collaboratively develop a strategy to address the requirements identified.
In addition, Google has a dedicated team of internal auditors and compliance specialists that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.
Google Cloud’s certifications and independent third-party attestations
Google Cloud products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn the trust of our customers. We are constantly working to expand our coverage.
Below are certifications most relevant to the Asia-Pacific region. To learn more, refer to our Standards, regulations & certifications page.
Multi-Tier Cloud Security Singapore Standard 584
The Multi-Tier Cloud Security (MTCS) Singapore Standard 584 is a cloud security certification managed by the Singapore Info-communications Media Development Authority. The standard has three tiers designed to certify cloud service providers at different levels of operational security, with Tier 3 having the most stringent requirements. In obtaining the MTCS certification, a cloud service provider must complete a self-disclosure form that details its level of security and covers, among other things, data retention, data portability, liability, availability, business continuity, disaster recovery, as well as incident and problem management.
GCP underwent assessments for the MTCS certification, which included an audit by an independent MTCS certifying body. At the conclusion, 114 Google Cloud services and 20 data center sites received Tier Level 3 certification, the highest level. The scope of services included in the certifications highlights Google Cloud's ongoing and continuous commitment to ensuring sound operational and security controls across all three service models—IaaS, PaaS, and SaaS. Because Google’s Tier Level 3 certification is appropriate for regulated organizations, such as those involved in financial and health services, GCP meets the most rigorous security standards.
GCP and G Suite are certified as MTCS compliant. For a full list of Google Cloud products and services that have received MTCS Level 3 certifications, refer to our MTCS page.
ISO 27001
The International Organization for Standardization (ISO) 27001 is a security standard that outlines and provides the requirements for an information security management system. The 27001 standard lays out a framework and checklist of controls that allow Google to ensure a comprehensive and continually improving model for security management. GCP is certified as ISO 27001 compliant.
ISO/IEC 27018
ISO 27018 is a “code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.” This standard primarily focuses on security controls for public-cloud service providers acting as PII processors. GCP and G Suite are certified as ISO 27018 compliant.
Mapping Google Cloud data protection capabilities to the PDPA & our shared responsibilities
In this table, we identify who bears the responsibility to meet the PDPA’s 9 Main Data Protection Obligations. The table indicates each legal obligation and whether our customers or Google must satisfy the obligation, as well as where we can support our customers in meeting their legal requirements.
While customers are ultimately responsible for compliance with the PDPA, our commitment to complying with data protection and privacy principles and regulations gives customers the confidence to take advantage of GCP and G Suite services.
Collection, use, and disclosure of personal data

Notification of purpose, Section 20
Data protection obligations:
● The organization must notify individuals of the purposes for the collection, use, or disclosure of their personal data. A notification should also provide other information, such as the business contact information of the data protection officer, how an individual may withdraw consent, how an individual may access or correct his personal data, and the organization’s retention policies, among other matters.
Who has the responsibility:
Customer responsibility to provide notification of the purposes for the collection, use, or disclosure of individual personal data.
● To learn more, refer to the Commission’s Advisory Guidelines on the Notification Obligation and its Guide to Notification.
Google Cloud support
● Google features such as the Identity-Aware Proxy can support customers in this activity.

Consent, Sections 13-17
Data protection obligations:
● The organization must obtain individuals’ consent to collect, use, or disclose their personal data, unless an exemption applies. The request for personal data should be reasonable for providing the product or service.
● The organization must allow individuals to withdraw consent. Upon withdrawal of consent, the organization must cease such collection, use, or disclosure of the personal data.
Who has the responsibility:
Customer responsibility to obtain individuals’ consent to collect, use or disclose their customers’ personal data.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Consent Obligation.
Google Cloud support
● Google features such as the Identity-Aware Proxy can support customers in this activity.

Purpose limitation, Section 18
Data protection obligations:
● An organization may collect, use, or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, only after it has notified the individual of those purposes.
● The organization must collect, use, or disclose personal data only for the purposes for which the individuals gave consent.
Who has the responsibility:
Customer responsibility to ensure collection, use, or disclosure of personal data is limited to the purposes for which the individuals gave their consent.
Google Cloud support
● The data you entrust to Google Cloud belongs to your organization. We process your organization’s data according to your explicit instructions under our contractual obligations to you. Our automated systems process your data to provide you services and protection, such as performing spam and malware detection, sorting email for features like Priority Inbox, and returning fast search results for information in your accounts. We may only access data in your account in strict compliance with our privacy policy and your customer agreement. We offer customers detailed terms of service that describe our commitment to protecting your data. To read more, please visit Section 5.2 of the Data Processing and Security Terms (DPST) for GCP and Section 5.2 of the Data Processing Amendment (DPA) for G Suite.
Accountability of data subjects

Openness, Sections 11 and 12
Data protection obligations:
● The organization must appoint a data protection officer (DPO) who is responsible for the organization’s compliance with the PDPA and make the DPO’s business contact information publicly available so that data subjects can contact the DPO for PDPA-related queries or complaints.
● The organization must publish information on its data protection policies, practices, and complaint-handling process.
Who has the responsibility:
Customer responsibility to appoint a data protection officer (DPO) and satisfy this obligation.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Openness Obligation.
Google Cloud support
● Google believes transparency is essential to build trust and recommends that data users inform their data subjects about their use of GCP and G Suite.
● Google has up-to-date security and privacy policies that have been reviewed and approved by management and are published and communicated to employees and vendors with access to the Google environment. These policies describe information governance objectives, provide information security guidelines, and emphasize the importance of data protection and privacy to Google’s business. Policies are reviewed at least annually and tested as part of the SOC 2 audit. Google reviews and updates our policies as needed to comply with the latest regulatory requirements and information governance best practices.
● In addition, customers may contact Google’s data privacy officer for questions or comments.

Requests for access to and correction of personal data, Sections 21-22
Data protection obligations:
● Upon request, an organization must provide individuals with their personal data and inform them of the ways in which it collected, used, or disclosed their personal data within the past year (i.e., 12 months).
● An organization must correct any error or omission in individuals’ personal data upon their request (unless an exception applies).
Who has the responsibility:
Customer responsibility to provide access to and correction of personal data collected, used, or disclosed within the past year.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Access and Correction Obligations and its Guide to Handling Access Requests.
Google Cloud support
● GCP and G Suite allow customers to easily and safely access and correct the personal data stored in the cloud in order to fulfill their data subjects’ requests.
● Google Cloud is certified to ISO 27018, which demonstrates the controls and guidelines Google implements to protect personal data held within a public cloud environment. More context on the ISO 27018 standard and audit can be found at ISO/IEC 27018:2014 general information.
● For data subject requests or enquiries relating to their personal data, our privacy team will advise requesters to submit their request to the Google Cloud customer. Google Cloud customers can then take control for responding to these requests as per their internal procedures and requirements.
● Google will assist GCP and G Suite customers per our terms in responding to these data subject requests.
● GCP and G Suite administrative consoles and services possess the functionality to access or rectify any data that they and their users put into our systems. This functionality will help our customers fulfill their obligations to respond to requests from data subjects to exercise their rights under the PDPA.
● We encourage you to view sections 9.2.1 and 9.2.2 of these terms of service for more information about data subject rights.
Care of personal data
Data protection obligations Who has the responsibility
Accuracy (Section 23)
● An organization must make reasonable efforts to ensure that an individual’s personal data collected is accurate and complete, if it is likely to use that data to make a decision that impacts that individual or to disclose that data to another organization.
Customer responsibility to satisfy this obligation.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Accuracy Obligation.
Google Cloud support
● GCP and G Suite administrative consoles and services possess the functionality to maintain the accuracy of their data.
Protection (Section 24)
● An organization must implement reasonable security processes to protect the personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The organization should have:
1) comprehensive policies and procedures to ensure appropriate levels of security for personal data of different sensitivities
2) security measures appropriate to the nature of the personal data and the potential impact to individuals from unauthorized use or disclosure
3) reliable, well-trained personnel
4) robust security breach response plans, including a data breach management program and a procedure to notify the Commission as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.
● With respect to data intermediaries, the organization should contractually define the responsibility of reporting, investigating, and taking remedial actions.
Shared Google and customer responsibility.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Protection Obligation, its Guide to Securing Personal Data in Electronic Medium, and its Guide to Basic Data Anonymisation Techniques.
How Google Cloud meets the Data Protection Obligation
● Security team: Google employs more than 850 security and privacy professionals who maintain the company’s defense systems, develop security review processes, build security infrastructure, implement Google’s security policies, and actively scan for security threats. We also take part in research and outreach activities to protect the wider community of Internet users, beyond just Google customers.
● Industry certifications and third-party attestations: GCP and G Suite products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn customer trust. We are constantly working to expand our coverage. GCP and G Suite are both Multi-Tier Cloud Security (MTCS) and ISO/IEC 27018 compliant/certified. To learn more about the certifications we have achieved, the laws and regulations we comply with, and the frameworks we align to, refer to our Standards, regulations & certifications page.
● Physical security: Google Cloud has a dedicated security team that supports state-of-the-art data centers. Our data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. Our data center floor features laser beam intrusion detection. Our data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Should a physical security incident occur, we will provide access logs, activity records, and camera footage to the customer’s designated personnel as defined in the service level agreement.
● Defense in depth: Google Cloud builds our cloud infrastructure security through layers to provide defense in depth. The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security.
Our infrastructure was designed to be multi-tenant from the start, and multiple mechanisms are utilized to establish and maintain trust between services.
We design and manufacture purpose-built servers and network hardware without unnecessary components, such as video cards, chipsets, or peripheral connectors, eliminating vulnerabilities introduced by third-party manufacturers. Furthermore, we operate the infrastructure securely by defending against threats to the infrastructure from both insiders and external actors. We protect our employees’ credentials from compromise by replacing phishable, one-time-password second factors with mandatory use of U2F-compatible security keys. We aggressively limit and actively monitor the activities of employees who are granted administrative access to the infrastructure. Google Cloud continually works to eliminate the need for privileged access for particular tasks by providing automation that can accomplish the same tasks in a safe and controlled way. This includes requiring two-party approvals for some actions and introducing limited APIs that allow debugging without exposing sensitive information.
● Data encryption: Google encrypts data at rest and encrypts data in transit, by default. The type of encryption used depends on the OSI layer, the type of service, and the physical infrastructure component. By default, we encrypt and authenticate all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of Google. To learn more, refer to the Encryption in Transit in Google Cloud whitepaper.
● Threat and vulnerability management: Google Cloud’s dedicated security team actively scans and detects security threats to our infrastructure from both insiders and external actors, 24/7/365. We use a combination of commercially available and in-house tools, automated and manual penetration testing, quality assurance processes, software security reviews, and external audits to support the vulnerability management process.
● Unauthorized access prevention: To prevent unauthorized access by other tenants sharing the same physical server, we logically isolate our customers’ data. We also have a variety of isolation and sandboxing techniques for protecting a service from other services running on the same machine. These techniques include normal Linux user separation, language and kernel-based sandboxes, and hardware virtualization. Furthermore, we perform encryption at the application layer, which allows our infrastructure to isolate itself from potential threats at the lower levels of storage such as malicious disk firmware.
To prevent unauthorized access to your data from external threat actors, we employ a defense-in-depth approach starting with state-of-the-art physical security at our data centers. We have also designed our entire infrastructure stack for security, using cryptographic signatures to ensure no unauthorized changes can be made without detection. This starts from low-level components, such as the BIOS, and includes all key components of the boot process, such as the bootloader, kernel, and the base operating system. All of these are controlled, built, and hardened by us. In addition, our operations teams detect and respond to threats to the infrastructure from both insiders and external actors, 24/7/365.
To prevent unintended disclosure or unauthorized access to your data from Google insiders, we tightly restrict and monitor any internal access to user data. The small set of employees with access to your data is subject to rigorous authentication measures, detailed logging, and activity scanning to detect inappropriate access via log analysis. Google employees’ access rights and levels are based on their job functions and roles. Technical controls are applied to enforce the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Google’s security policies. Approvals are managed by workflow tools that maintain audit records of all changes. Furthermore, Google’s security team actively monitors Google employees’ access patterns and investigates unusual events. Finally, Google employees are required to sign a confidentiality agreement and complete mandatory training on our Code of Conduct, data protection, data confidentiality, and data privacy. Google’s Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.
● Incident response plan and data breach notification: We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. We assign the highest priority to events that directly impact our customers. Our process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Key staff are trained in forensics and handling evidence in preparation for an event. We test incident response plans for key areas, such as systems that store sensitive customer information. The Google security team operates 24/7.
Additionally, we will promptly notify customers if we detect a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to their data on systems we manage. Moreover, we will assist with investigative efforts via our support team. To learn more, refer to our Data incident response process whitepaper.
● Business continuity and disaster recovery: At Google Cloud, we plan on our services being always available, even when we are upgrading our services or maintaining our systems. The service level agreements (SLAs) for Google Cloud’s service offerings meet or exceed system availability requirements for enterprises across various industries. We have data centers geographically distributed across the Americas, Europe, and Asia to minimize the effects of disruptions caused by local and regional incidents. Our application and network architecture design maximizes reliability and uptime. We utilize robust software failover within our cloud computing platform to minimize the impact of unlikely hardware disruptions. All systems within the Google infrastructure that support Google Cloud services are redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation. Data is replicated multiple times across active servers so in the case of a machine failure, data will still be accessible through another system. Data is also replicated across secondary data centers to ensure protection from data center failures. For more information regarding our SLAs, please see our GCP SLAs and G Suite SLA.
Furthermore, we have a business continuity plan for our data centers and production operations to account for major disasters such as earthquakes or other incidents like health crises. This plan allows us to continue delivery of our services to our customers. Likewise, our DR program enables continuous and automated disaster readiness, response, and recovery of our business, systems, and data.
We conduct DR testing on a regular basis to provide a coordinated venue for infrastructure and application teams to test communication plans, failover scenarios, operational transition, and other emergency responses. All teams that participate in the DR exercise develop testing plans and postmortems which document the results, lessons learned, and remediation plans (if applicable).
Finally, GCP provides many of the facilities customers need to implement a business continuity plan or disaster recovery plan, such as redundancy, scalability, compliance, and security. The Disaster Recovery Cookbook provides some scenarios to show how GCP can help.
● Identity and security products and services: GCP offers capabilities that include cloud identity and access management, cloud data loss prevention, cloud security scanner, stackdriver logging, and cloud key management service that help meet your policy, regulatory, and business objectives. Moreover, G Suite’s centralized administrator console provides unique security capabilities including two-step verification, single sign-on, usage monitoring, mobile app management, and audit logging.
● Subcontractors: Google reviews the information governance practices and security posture of third-party vendors and services that Google shares confidential or sensitive information with. We ensure that they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Google includes an information protection addendum (IPA) to contracts with its sub-processors who have access to customer data. A list of sub-processors and the services they provide is available for both GCP and G Suite. The IPA defines the security and privacy obligations sub-processors must meet to satisfy Google’s requirements regarding customer data.
Retention limitation (Section 25)
● An organization must cease to retain personal data or remove the means by which the personal data can be associated with particular individuals when the data is no longer necessary for any business or legal purposes.
● Ceasing to retain personal data means safely disposing of personal data or anonymizing it.
● The organization should set a retention period for various types of personal data.
Shared Google and customer responsibility.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Retention Limitation Obligation, Advisory Guidelines on Anonymization, and Guide to Basic Data Anonymisation Techniques.
How Google Cloud satisfies the Data Retention Limitation Obligation
● Google will retain, return, destroy, or delete the personal data in accordance with the contract or service level agreements. GCP and G Suite administrative consoles and services possess the functionality to delete any data that they and their users put into our systems. If customers delete their data, we commit to deleting it from our systems within 180 days. We also provide tools that make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost. To learn more about data deletion at Google, refer to our Data deletion on Google Cloud Platform whitepaper.
● All Google data centers adhere to a strict policy for equipment disposal and reuse. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process that includes a crusher and shredder followed by recycling at a secure facility.
Transfer limitation (Section 26)
● When transferring personal data overseas, an organization must 1) take steps to ensure that it protects the data in compliance with the PDPA while the data is still in its possession or control; and 2) ensure that the standard of protection afforded to that data in a separate jurisdiction or region is comparable to the PDPA.
Customer responsibility to satisfy this obligation.
● To learn more, we recommend the Commission’s Advisory Guidelines on the Transfer Limitation Obligation.
Google Cloud support
● GCP services are available in various geographical regions and zones across North America, South America, Europe, Asia, and Australia. With respect to cloud locations, GCP has 18 regions, 55 zones, over 100 points of presence across 35 countries, and a well-provisioned global network with 100,000s of miles of fiber optic cable.
● G Suite’s data centers are located in the U.S., Europe, Chile, Singapore, and Taiwan. Customers may verify the data protection standards in these countries and regions prior to any transfer.
● Google offers a range of international data-transfer mechanisms and is committed to having a lawful basis for data transfers in compliance with applicable data protection laws worldwide. Indeed, Google follows the highest standards for cross-border data transfer protections as required by the EU’s General Data Protection Regulation: we contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU. Moreover, the European data protection authorities have confirmed the compliance of our model contract clauses, affirming that our contractual commitments for G Suite and GCP fully meet the requirements to legally transfer personal data from the EU to the rest of the world.
● Google informs its customers of the storage locations and legal jurisdictions of the personal data. For many GCP and G Suite services, customers can choose where their data is stored.
Frequently asked questions
The PDPA sets forth rigorous data protection requirements but leaves some issues unaddressed. In addition to the PDPA, several industries may face sector-specific privacy or security requirements. In this section, we identify several potential questions regarding compliance risks and briefly describe how we can support our customers in assessing and mitigating them. Customers ultimately bear the responsibility for complying with the PDPA and should seek legal counsel to understand their specific compliance obligations.
Does the PDPA impose data breach notification requirements?
The PDPA does not explicitly require organizations to have incident response plans or to report data breaches. Nevertheless, the PDPA’s Protection Obligation requires organizations and data intermediaries to safeguard personal data with reasonable security arrangements. To meet this obligation, the Commission encourages organizations to establish data breach management and response plans and to notify it promptly of any data breaches that might cause public concern or pose a risk to a group of individuals. Such measures may serve as mitigating factors in the Commission’s determination of a financial penalty for a violation of the Protection Obligation caused by a data breach. To learn more, read the Commission’s Guide to Managing Data Breaches.
What’s more, the Commission intends to amend the PDPA to include explicit data breach notification requirements that will prescribe the criteria for notification, the time period for giving notice, and exceptions to the requirement. Upon incorporating them into the law, the Commission will issue guidelines to help organizations comply with the new obligations.
Google’s security team works 24/7 to quickly detect and resolve potential security or privacy incidents. Our security incident management program is structured around industry best practices and tailored into our “Incident Management at Google” program, which is built around the unique aspects of Google and its infrastructure. In the event of a breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data on systems managed by or otherwise controlled by Google, our expert team of incident responders works to protect customers’ data, restore normal service as quickly as possible, and meet both regulatory and contractual compliance requirements.
Google Cloud maintains and continues to invest in advanced threat detection and avoidance technologies, from machine learning to data analytics. We also test our incident response plans regularly, so that we are always ready. Google Cloud promptly informs our customers of incidents involving their customer data in line with the data incident terms in our current and any updated agreements. To learn about Google’s principled approach to managing and responding to data incidents for Google Cloud, refer to the Data incident response process whitepaper.
Does the PDPA permit cross-border transfers of personal data?
The PDPA’s Transfer Limitation Obligation lays out the parameters for cross-border transfers of personal data. An organization may transfer personal data outside of Singapore if it takes appropriate measures to guarantee its compliance with the data protection requirements. Furthermore, if the organization intends to transfer personal data to an overseas recipient, it must take appropriate steps to ascertain and ensure that the data recipient, such as the data intermediary, will afford the personal data “a standard of protection that is at least comparable to” the PDPA pursuant to “legally enforceable obligations,” including those imposed by law, contract, binding corporate rules, or any other legally binding instrument.
In short, the PDPA requires that the organization carry out appropriate due diligence of the data protection and privacy law or rules in place in the foreign country. To learn more, refer to the Commission’s Guide to Preventing Accidental Disclosure when Processing and Sending Personal Data, and Guide to Data Sharing.
Google Cloud offers a range of international data-transfer mechanisms and continues to monitor the evolution of international data-transfer mechanisms. We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws worldwide. We inform our customers of the storage locations and legal jurisdictions of the personal data. Google Cloud Platform services are available in locations across North America, Europe, and Asia. Google Cloud customers can transfer data to best meet their latency, availability, durability, and security requirements.
What terms and conditions do we provide our customers regarding data protection?
Google Cloud contractually agrees to a range of terms with its customers, including that it will comply with the applicable legal and regulatory requirements depending on the jurisdiction. The GCP Data Processing and Security Terms and G Suite Data Processing Amendment supplement the licensing agreement and describe our commitment to protecting customer data. In the terms, we and our customers agree to various terms governing the processing, deletion, and security of customer data. Similarly, we agree to assist customers in respect of data protection impact assessments, data subject request assistance, and international data transfers. Service Level Agreements apply to many of our service offerings in which we agree with our customers on various aspects of the service (e.g., uptime, downtime, error rates) depending on the offering used.
What is the Cybersecurity Act of 2018 and what does it require for cloud service providers (CSPs)?
As one of the most digitally connected nations, Singapore recognizes the importance of building a cyber-resilient digital infrastructure. The Cybersecurity Act of 2018 (the Act) establishes a regulatory framework to prevent, manage, and respond to cybersecurity threats and incidents in Singapore. The Act regulates computers or computer systems explicitly designated as critical information infrastructure (CII) in Singapore, which currently include essential services related to energy, info-communications, water, healthcare, banking and finance, security and emergency services, aviation, land transport, maritime, government functions, and media.
The Cybersecurity Act of 2018
In general, critical information infrastructure owners need to:
● Comply with codes of practice and performance standards
● Perform cybersecurity audits and risk assessments
● Participate in cybersecurity exercises
● Notify the commissioner of the Cyber Security Agency of Singapore of prescribed cybersecurity incidents that occur in the CII or systems under their control
The Act empowers the commissioner to prevent and investigate cybersecurity incidents, among other related matters. Because the Act does not classify the computer systems in the supply chain that support a CII’s operations as CII, third-party vendors such as cloud service providers currently fall outside the Act’s scope.
Does Singapore have industry-specific privacy laws or regulations?
Although the PDPA establishes an industry-wide data protection framework, certain organizations might also need to comply with applicable sector-specific laws and regulations or common law. Here, we highlight two sectors that must comply with the PDPA and sector-specific rules.
Financial services
The Monetary Authority of Singapore (MAS) approves of financial institutions’ use of cloud services in its Guidelines on Outsourcing. For more information, refer to Google Cloud’s Guidelines for Financial Institutions in Singapore Using Cloud Services whitepaper. In addition to the outsourcing guidelines, financial institutions should review other applicable laws and guidance to determine their responsibilities when using a CSP.
In addition, the MAS requires financial institutions to notify the MAS of data incidents that have a severe and widespread impact on the institution’s operations or materially affect its service to customers. Banks seeking further guidance on complying with the PDPA should consult the Association of Banks in Singapore’s Code of Banking Practices - PDPA.
Healthcare services
Singapore authorities promote cloud use within the healthcare sector. Although adoption of the Multi-Tiered Cloud Computing Security (MTCS) Singapore Standard (SS 584) is voluntary, CSPs must be MTCS-certified to provide cloud services to the government, such as public healthcare institutions.
To advance cloud use in the private healthcare sector, the Info-communications Media Development Authority and the Ministry of Health mapped the MTCS to the Healthcare IT Security Policy & Standards (HITSecP). The mapping aims to help MTCS-certified CSPs understand the HITSecP’s expectations. Healthcare service providers that seek to host their applications on such CSPs must perform due diligence and deploy additional security and risk controls that are appropriate based on their own security policies and risk assessments. To learn more, refer to the Alignment of MTCS to Healthcare IT Security Policy & Standards Gap Analysis Report.
Finally, to better understand their obligations under the PDPA, we encourage healthcare service providers to review the Commission’s Advisory Guidelines for the Healthcare Sector.
Conclusion
We have described how information is securely stored, processed, maintained, and accessed in Google Cloud. Whether the customer processes personal data within Singapore or processes personal data of individuals in Singapore but outside the city-state, this information can help them determine whether the Google Cloud Platform and G Suite products or services are suitable for them in light of the PDPA.
Additional resources
As you continue on your journey to build Singapore PDPA compliant applications or environments, we invite you to take advantage of the resources listed below.
Learn more
● Learn why other organizations are choosing Google Cloud: Why Google Cloud? (GCP); Why G Suite (G Suite)
● Learn more about our services: Google Cloud solutions (GCP); G Suite Learning Center (G Suite)
● Learn more about our pricing: Google Cloud pricing (GCP); G Suite solution (G Suite)
● Learn how we respond to government requests: Transparency Report (Google Cloud); Government Requests for Cloud Customer Data (Google Cloud)
Engage
● Try Google Cloud for free: GCP Free Tier (GCP); G Suite Free Trial (G Suite)
● Call our Knowledge Center: 844-613-7589 (GCP); 855-312-7191 (G Suite)
● Have questions regarding security, privacy, or compliance? Contact your technical account manager or sales representative
Act
● Get Google on your team: Fill out this form or call 844-613-7589 (GCP); Fill out this form or call 855-312-7191 (G Suite)
● Train your team: Google Cloud training (GCP); G Suite training (G Suite)
● Quickstarts - Deploy your first solution in 10 minutes or less: Getting started with GCP (GCP); G Suite quickstart guide (G Suite)
Get support
● Frequently asked questions: GCP FAQs (GCP); G Suite FAQs (G Suite)
● Customer technical support: Contact our Google Cloud support center