The question is: Does GDPR require you to have your data stored exclusively on premises within the EU? To give you the full answer, let's start with the basic terminology.
If you use Google's G Suite, then according to the legislation you are the data controller and Google is a data processor. In every case, you are the exclusive owner of your data. However, there are some differences between the free (consumer) version of Gmail and G Suite in how Google can or cannot use your data, but this is a whole other story.
Let's cut to the chase. Chapter V of the GDPR, entitled “Transfers of personal data to third countries or international organisations”, explains in Article 45 all you need to know about data transfers and storage, including in G Suite:
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”
Other articles of the GDPR specify in more detail what the “adequate level of protection” is. It's long and boring legal jibber-jabber that none of us regular mortals can really understand, but thank heavens for our lawyers, who can decipher it and translate it into normal human language.
To make a long story short, we learn from this chapter that your data can be physically stored anywhere in the world as long as the place has an equivalent level of protection to GDPR standards.
Now let's take a look at how Google, as a data processor, makes sure that G Suite and Google Cloud are compliant with GDPR requirements. The “International Data Transfers” section of Google's GDPR resource site (https://cloud.google.com/security/gdpr/) says the following:
“We contractually commit under our current data processing agreements to maintain a mechanism that facilitates transfers of personal data outside of the EU as required by the GDPR. Google’s certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks includes G Suite and Google Cloud Platform. We have also gained confirmation of compliance from European Data Protection Authorities for our model contract clauses, affirming that our contractual commitments for G Suite and Google Cloud Platform fully meet the requirements to legally frame transfers of personal data from the EU to the rest of the world.”
Well said, clear and direct. So the answer to the ultimate question is: YES, G Suite can be GDPR compliant, and NO, your data does not have to be physically stored on servers within the EU to be compliant with the GDPR. So are you covered? That still leaves one question open. Did you notice the phrase “... our model contract clauses ...” in that Google article? Why am I pointing this out? Because you must accept their terms and conditions to be covered. Not sure whether you have already accepted Google's terms and conditions? Just navigate here for instructions: https://support.google.com/a/answer/2888485
So finally: YES, as soon as you accept these conditions (you might want to consider reviewing them with your favourite lawyer), your G Suite is GDPR compliant.
If for any other reason (such as internal company requirements) you still want to have your data located in a particular geographic region (the United States or Europe), that is still possible. The G Suite Business, Enterprise and Drive Enterprise editions include a feature that allows you to choose the location where your data is stored.
If you wish to upgrade your G Suite, we will be more than happy to assist you. Contact us here.
Google Cloud GDPR resources: https://cloud.google.com/security/gdpr/