Revolgy cloud blog

Who is the real owner of your company's documents?

by Pavel Krejsa

All data created by users of your G Suite is the exclusive property of your company (see G Suite Terms). The challenge is to make your users keep the data in your G Suite instance and organise it so that the company has full control over it.

If any of your end users creates a document on Google Drive, it is placed into that individual user's “My Drive”. Users usually place such files into a folder related to a specific project or team and share it with other users or groups of users for further collaboration on the document. There might be a few security and compliance issues with this approach.

How do you deal with the most common situations, such as a user leaving the company?
Here is a quick look at the most common issues:

John Doe is leaving the company. What about his documents?

If a user is leaving the company, who is going to be the new owner of his/her documents? You have the option to transfer the entire content of his/her Google Drive to a new user, but this is an all-or-nothing transfer. The new user will receive all files and folders. You cannot transfer just a part of the drive content to one user and another part to someone else.

Jane Doe gets a promotion

If the user is moving to a new position within the company and he/she needs to hand over all the documents to a new user, the easiest solution is to use the change of ownership function, but this has several limitations. Folders do not pass a changed ownership on to their contents, so you have to change ownership document by document manually or write a script for this.

The danger here is that if the user moves any data out of the folder (whether intentionally or by accident), the rest of the team will no longer have access to this document.

Karen accidentally deletes the document! Is it gone forever?

If the user deletes the document and empties the bin, is it gone forever? You are in luck! G Suite has an “undelete” feature which allows you to restore such files (https://support.google.com/a/answer/6052340) within 25 days of deleting them. After 25 days, however, they will be gone forever. If the documents or folders are related to an already “archived” project, for example, there is a risk that no one will notice that documents are missing. In such a case an administrator action is needed. Be careful.

The dangers of sharing data outside your company are real. How to handle document flow with external employees?

Google Drive is a really convenient real-time collaboration tool. Many companies use it to cooperate with external people as well. They share documents with them, whether those people use G Suite or a free Gmail account. There is one catch which might have a huge impact on your data security and compliance. If a file or folder is shared with your company from a private Gmail account, for instance john.doe@gmail.com, you are facing a huge risk. First of all, the original creator of the content is also the owner of the data, and the Terms of Use (the agreement between Google and an individual user about privacy, warranty, availability - https://www.google.com/mail/help/terms_of_use.html) applied to a private Gmail account differ from those applied to G Suite owned data. Second of all, the owner can remove your access to this content at any time and there is no way of getting it back.

Picture yourself in the situation mentioned above, when you lose access to important agreements, project documentation, you name it. Scary, isn't it? You can address this risk by making a copy of each document. The only difference is that the copy doesn't have the history of changes saved. This approach, however, is extremely ineffective and goes against the philosophy of collaboration on a single document.

Maybe you were able to manage your users' Drives even with all these limitations when your company was still small, but as it grows your folder and document structure becomes more and more complex and you need a more reliable solution. Or maybe your company's internal regulations require you to have advanced control over your data on Google Drive, for example when you are applying for ISO 27001 certification.

Google Team Drive (https://gsuite.google.com/learning-center/products/drive/get-started-team-drive/#!/) is a solution for these problems as long as files and folders belong to teams (Team Drives), not individual users (the “My Drive” part of Google Drive).

Google Team Drive is a product designed for sharing documents within a team or project and for group collaboration online. You can create Team Drives for different teams or projects and assign access permissions at the level of a single user or a group. It is very simple and you don't need an IT specialist to do that. You can still set up permissions for individual documents just like you are used to doing in “My Drive” and also add other restrictions. For example, you can specify that users can create and edit documents but cannot delete them or move them from a fixed structure to another folder, or that only the administrator of an individual Team Drive is allowed to add or remove Team Drive members.

Managing Team Drive vs. personnel changes in the company

When a user leaves the company or changes position, just remove this user from the Team Drive and add him/her to a different one. Simple as that, no additional work is needed. Files and folders distributed in multiple Team Drives are completely independent, so you are not dealing with one large batch of documents and folders.

Restoring deleted files on Team Drive

If a user with the appropriate permission deletes a file, it goes to the Team Drive's trash can. Any member of the team is able to restore it if needed.

Team Drive vs. external employee

If an external employee with a private Gmail account, for example john.doe@gmail.com as mentioned before, creates a document or folder on your Google Team Drive, your company becomes the exclusive owner of this data and you have full control over this content. You can remove the external user from the Team Drive at any time without losing a single document and without any IT overhead.

Audit Log for extra protection

G Suite Business and Enterprise have a built-in feature that provides you with even more protection. With Audit Log you have an overview of all activity of every user across the company's Google Drive, not limited to Team Drive only (https://support.google.com/a/answer/4579696). As an administrator you are able to see the actions and operations performed on particular documents on the company's Google Drive (such as opening a file, moving a spreadsheet, adding or editing permissions for a folder, etc.) but never the data itself, so security is not compromised.

Using Google Team Drive ensures that data is always owned by the company and gives you control over who can work with your data and how.
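One way an administrator could turn audit data into a check for the ownership risks described in this post, as an added example (not code from Revolgy or Google). The records are constructed and only loosely shaped like Drive audit events; the field names `actor`, `event`, `doc`, `owner` and `in_team_drive`, the `leavers` parameter and the domain `example.com` are assumptions.

```python
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: the company's G Suite domain

# Constructed sample records, loosely shaped like Drive audit events.
EVENTS = [
    {"actor": "jane@example.com", "event": "edit", "doc": "Supplier agreement",
     "owner": "john.doe@gmail.com", "in_team_drive": False},
    {"actor": "karen@example.com", "event": "view", "doc": "Supplier agreement",
     "owner": "john.doe@gmail.com", "in_team_drive": False},
    {"actor": "jane@example.com", "event": "edit", "doc": "Project plan",
     "owner": "john@example.com", "in_team_drive": False},
    {"actor": "john@example.com", "event": "edit", "doc": "Private notes",
     "owner": "john@example.com", "in_team_drive": False},
    {"actor": "john.doe@gmail.com", "event": "create", "doc": "Design spec",
     "owner": "Project X Team Drive", "in_team_drive": True},
]


def domain(email):
    """Lower-cased part after the last '@'."""
    return email.rsplit("@", 1)[-1].lower()


def ownership_risks(events, leavers=(), company_domain=COMPANY_DOMAIN):
    """Return sorted (doc, risk, owner, dependent users) findings.

    Documents are keyed by title here; a real report should key on a file id.
    """
    found = {}
    dependents = defaultdict(set)
    for e in events:
        if e["in_team_drive"]:
            continue  # Team Drive content belongs to the company
        if domain(e["actor"]) != company_domain or e["actor"] == e["owner"]:
            continue  # only count colleagues relying on someone else's file
        if domain(e["owner"]) != company_domain:
            risk = "external_owner"   # owner can revoke access at any time
        elif e["owner"] in leavers:
            risk = "leaver_my_drive"  # needs a transfer before the user leaves
        else:
            continue
        found[e["doc"]] = (risk, e["owner"])
        dependents[e["doc"]].add(e["actor"])
    return [(doc, risk, owner, sorted(dependents[doc]))
            for doc, (risk, owner) in sorted(found.items())]


if __name__ == "__main__":
    for finding in ownership_risks(EVENTS, leavers={"john@example.com"}):
        print(finding)
```

Each finding is a candidate for moving into a Team Drive, which is the remedy this post recommends.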

Want to learn more about security? 
Check out my other blogpost: Is G Suite GDPR Compliant?

Pavel Krejsa

Head of IT project deployment and development for G Suite, GCP and AWS at Revolgy