Google Workspace
Who is the real owner of your company's documents?
All data created by the users of your G Suite account is the exclusive property of your company (see G Suite Terms). The challenge is to make your users keep the data in your G Suite instance and organise it in a way that gives the company full control over it.
If any of your end users creates a document on Google Drive, it is placed into that user’s “My Drive”. Users usually place such files into a folder related to a specific project or team and share it with other users or groups of users for further collaboration on the document. This approach can raise a few security and compliance issues.
To mitigate these security and compliance risks, Revolgy offers comprehensive Google Workspace implementation and management services to help you establish clear data governance policies and streamline file management practices.
How to deal with the most common situations, such as a user leaving the company?
Here is a quick solution to the most common issues:
John Doe is leaving the company. What about his documents?
If a user is leaving the company, who is going to be the new owner of his/her documents? You have the option to transfer the entire content of his/her Google Drive to a new user; however, this is an all-or-nothing transfer. The new user will receive all files and folders. You cannot transfer just a part of the drive content to one user and another part to someone else.
Jane Doe gets a promotion
If a user is moving to a new position within the company and needs to hand over all his/her documents to a new user, the easiest solution is to use the change of ownership function, but this has several limitations. Folders do not inherit the changed ownership, so you have to change ownership document by document manually or write a script for this.
The danger here is that if the user moves any data out of the folder (whether intentionally or by accident), the rest of the team will no longer have access to this document.
Karen accidentally deletes the document! Is it gone forever?
If the user deletes the document and empties the bin, is it gone forever? You are in luck! G Suite has an “undelete” feature which allows you to restore such files (https://support.google.com/a/answer/6052340) within 25 days of deleting them. After 25 days, however, they will be gone forever. If the documents or folders belong to an already “archived” project, for example, there is a risk that no one will notice that documents are missing. In such a case an administrator action is needed. Be careful.
The dangers of sharing data outside your company are real. How to handle document flow with external employees?
Google Drive is a really convenient real-time collaboration tool. Many companies use it to cooperate with external people as well, and share documents with them whether they use G Suite or a free Gmail account. There is one catch which might have a huge impact on your data security and compliance. If a file or folder is shared with your company from a private Gmail account, for instance john.doe@gmail.com, you are facing a huge risk. First of all, the original creator of the content is also the owner of the data, and the Terms of Use (the agreement between Google and the individual user about privacy, warranty and availability: https://www.google.com/mail/help/terms_of_use.html) applied to a private Gmail account differ from those applied to G Suite owned data. Second of all, the owner can remove your access to this content at any time and there is no way of getting it back.
Picture yourself in the situation mentioned above, when you lose access to important agreements, project documentation, you name it. Scary, isn’t it? You can address this risk by making a copy of each document. The only difference is that the copy doesn’t have the history of changes saved. This approach, however, is extremely ineffective and goes against the philosophy of collaboration on a single document.
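An added example, not from the original post: a read-only audit covering the two situations above, a role change where ownership has to be changed item by item, and files owned by an external Gmail account. It assumes metadata records shaped like Drive API v3 file resources; the sample records, the example.com domain and the helper names are constructed for illustration.

```python
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: your G Suite domain
FOLDER = "application/vnd.google-apps.folder"
DOC = "application/vnd.google-apps.document"

# Hypothetical helper: Team Drive items carry driveId and no owners list.
def rec(fid, name, mime, parent, owner=None, drive_id=None):
    r = {"id": fid, "name": name, "mimeType": mime, "parents": [parent]}
    r.update({"driveId": drive_id} if drive_id else {"owners": [{"emailAddress": owner}]})
    return r

# Constructed sample metadata, not real files.
SAMPLE_FILES = [
    rec("f1", "Project X", FOLDER, "root", "jane@example.com"),
    rec("f2", "Contracts", FOLDER, "f1", "jane@example.com"),
    rec("d1", "Budget", DOC, "f1", "jane@example.com"),
    rec("d2", "Agreement", DOC, "f2", "john.doe@gmail.com"),
    rec("d3", "Notes", DOC, "f2", "karen@example.com"),
    rec("d4", "Plan", DOC, "td1", drive_id="td1"),
]

def classify(item, leaving_user, domain):
    if item.get("driveId"):
        return "team_owned"
    owner = item["owners"][0]["emailAddress"].lower()
    if owner == leaving_user.lower():
        return "transfer"  # folders do not pass ownership down: list every item
    if owner.rsplit("@", 1)[-1] != domain.lower():
        return "external"  # owner outside the company can revoke access
    return "other_internal"

def audit_tree(files, root_id, leaving_user, domain=COMPANY_DOMAIN):
    """Walk the folder tree under root_id and group item ids by ownership."""
    by_id = {f["id"]: f for f in files}
    children = defaultdict(list)
    for f in files:
        for parent in f.get("parents", []):
            children[parent].append(f["id"])
    report = {k: set() for k in ("transfer", "external", "other_internal", "team_owned")}
    stack = [root_id]
    while stack:
        fid = stack.pop()
        if fid in by_id:
            report[classify(by_id[fid], leaving_user, domain)].add(fid)
        stack.extend(children.pop(fid, []))  # pop so a folder is expanded once
    return {k: sorted(v) for k, v in report.items()}
```

Items reported under "external" are the ones the company does not own, and "other_internal" shows that one shared folder can hold files belonging to several different users.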
Maybe you were able to manage your users’ Drives even with all these limitations while your company was still small, but as it grows your folder and document structure becomes more and more complex and you need a more reliable solution. Or maybe your company’s internal regulations require you to have advanced control over your data on Google Drive, for example when you are applying for ISO 27001 certification.
Google Team Drive (https://gsuite.google.com/learning-center/products/drive/get-started-team-drive/#!/) is a solution for these problems as long as files and folders belong to teams (Team Drives), not individual users (the “My Drive” part of Google Drive).
Google Team Drive is a product designed for sharing documents within a team or project and for group collaboration online. You can create Team Drives for different teams or projects and assign access permissions at the level of a single user or a group. It is very simple and you don’t need an IT specialist to do that. You can still set up permissions for individual documents just like you are used to doing in “My Drive”, and also add other restrictions. For example, you can specify that users can create and edit documents but cannot delete them or move them from a fixed structure to another folder, or that only the administrator of an individual Team Drive is allowed to add or remove Team Drive members.
Managing Team Drive vs. personnel changes in the company
When a user leaves the company or changes work position, just remove this user from the Team Drive and add him/her to a different one. Simple as that, no additional work is needed. Files and folders distributed in multiple Team Drives are completely independent, thus you are not dealing with one large batch of documents and folders.
Restoring deleted files on Team Drive
If a user with the appropriate permission deletes a file, it goes to the Team Drive’s trash-can. Any member of the team is able to restore it if needed.
Team Drive vs. external employee
If an external employee with a private Gmail-based account, for example john.doe@gmail.com as mentioned before, creates a document or folder on your Google Team Drive, your company becomes the exclusive owner of this data and you have full control over this content. You can remove the external user from Google Team Drive at any time without losing a single document and without any IT overhead.
Audit Log for extra protection
G Suite Business and Enterprise have a built-in feature that provides you with even more protection. With Audit Log you have an overview of all activity of every user across the company’s Google Drive, not limited to Team Drive only (https://support.google.com/a/answer/4579696). As an administrator you are able to see actions and operations done with particular documents on the company’s Google Drive (such as opening a file, moving a spreadsheet, or adding/editing permissions for a folder) but never the data itself, so security is not compromised.
Using Google Team Drive ensures that data is always owned by the company and gives you control over who can work with your data and how.
FAQs
Q1: According to G Suite terms, who owns the data created by users within a company’s G Suite account?
All data created by G Suite users is the exclusive property of the company that holds the G Suite account.
Q2: What is the main challenge for companies regarding user-created data in G Suite?
The challenge lies in ensuring users keep their work-related data within the company’s G Suite system and organize it in a way that gives the company full control.
Q3: Where are files typically stored by default when a user creates them in Google Drive?
They are placed into the individual user’s “My Drive” section.
Q4: What issues can arise when company data resides primarily in individual users’ “My Drive” folders?
Potential issues include difficulties transferring data when users leave (it’s an all-or-nothing transfer), cumbersome ownership changes for internal position moves, limited recovery time (25 days) for accidentally deleted files, and lack of company ownership/control over files shared by external collaborators using personal accounts.
Q5: How is data handled if a user leaves the company and their files are in “My Drive”?
An administrator can transfer the entire contents of the departing user’s Drive to another user, but it’s not possible to split the content among multiple recipients.
Q6: What are the limitations when trying to change ownership of files and folders in “My Drive” (e.g., when an employee changes roles)?
Folders do not automatically inherit changed ownership, meaning documents must be transferred individually or via a script. There’s also a risk that if the original owner moves files out of a shared structure, collaborators lose access.
Q7: Can files deleted from “My Drive” be recovered?
Yes, G Suite administrators can use an “undelete” feature to restore files within 25 days of deletion. After this period, the files are permanently lost.
Q8: What is the primary risk associated with collaborating on documents shared by external users with private Gmail accounts?
The external creator retains ownership of the data, different terms of use apply compared to G Suite data, and the external owner can revoke the company’s access at any time, making the data potentially unrecoverable.
Q9: What G Suite feature is recommended as a solution to these ownership and control challenges?
Google Team Drive is presented as the solution.
Q10: What is the fundamental difference between “My Drive” and “Team Drive” regarding data ownership?
In Team Drive, files and folders belong collectively to the team (represented by the Team Drive itself), rather than to individual users.