Data Privacy Automation for Google Drive

 

 

Executive Summary

The key to meeting the requirements of today's privacy regulations and protecting personal information (PI) from unauthorized use and disclosure lies in understanding and managing the use of personal information within an organization's data environment. Because PI is spread across a multitude of repositories and application data sets, its use can be difficult to manage through written policy alone.

We at LightBeam.ai believe the best way to implement policy across an organization is to supplement written policy with technical controls designed for specific applications and functions. By working with our clients, we have developed several application- and function-specific controls that focus on discovering, analyzing, and enforcing control over the use of personal information within popular applications.

Google Drive, or Gdrive for short, is a popular data storage repository that is part of the Google suite of business products. Gdrive offers many data features, including creating, storing, processing, and sharing information within work teams. The Google suite of products, such as GDocs, Sheets, Slides, Forms, and more, is centrally located and designed to store files and documents in an easy-to-use information sharing platform. Alongside that ease of use, the ability to create, copy, and distribute files can also create new risks of sensitive data leakage across an organization. As with more traditional network share drives, the unchecked creation and duplication of files in large repositories has long been an issue for Privacy Teams trying to understand and control the use of PI in their organizations.

Our AI-driven platform engine, Spectra, can easily be configured to monitor files in Gdrive and automatically discover, analyze, and enforce privacy policies regarding the use of sensitive information stored in Gdrive. By finding files that inappropriately contain PI and then raising alerts, redacting, or deleting them, organizations can reduce privacy risk and meet retention requirements for data that is no longer needed. By then automating the execution of these control policies, Privacy Officers can develop custom rule sets that continually scan, monitor, and control how PI is used within Gdrive. The details of how this happens are discussed below.

 

Audience

This document is intended for organizations that have implemented Google Drive and whose processing uses personal information. It is meant for both technical and non-technical audiences. Privacy Officers, CISOs/Security Architects, and Support leaders who oversee the use of PI and Google Drive within their organizations will find this reference architecture useful in automating data privacy.