Tuesday 3 November 2020

GDPR and the Google model contract.

It's a universal truth that a parent on the board of governors of a British school will at some time ask the question:

             "Where does Google store the school's data, and is it within the EU?"

The first response to this question is that GDPR itself does not require data to remain within the EU. 

The second fact is - GDPR is whatever you decide it is.

To this end the Department for Education and Google have negotiated what is called a 'model contract' which defines what GDPR compliance means with respect to using Google Cloud as a Data Processor.

So long as Google sticks to the clauses of the model contract and the school agrees to the same clauses, both the school and Google are working within the GDPR framework. Although the model contract does not require Google to hold data exclusively within the EU, it's almost certain that the school's data is stored in the datacentre in Dublin. However, it's likely that recovery copies also exist in other data centres outside the EU.

The more important question is where does the school agree to the model clause?  

It can be found in the admin console under Account Settings - Legal and Compliance.

A school administrator needs to accept the model contract clause and also fill in the details of the local data officer. If these actions are not completed the school is technically non-compliant if, in the unlikely event, it ever came to a data audit. This fact is probably more important than worrying about exactly where the data is stored.

Of course if the school has an independent GDPR policy which states that all data MUST remain in the EU then you'll have to migrate it all back to local servers.

Hold on... England's not in the EU either.   Hmmm - USB sticks.