Google Workspace is the productivity platform of choice for a large number of Indian enterprises, startups, and educational institutions. Under the Digital Personal Data Protection Act 2023, Google is a Data Processor for every piece of personal data your organisation stores or processes in Google Workspace.
Step 1: Accept Google’s Data Processing Amendment
Before any other compliance step, your organisation needs a formal agreement with Google governing how Google processes personal data on your behalf — the Google Workspace Data Processing Amendment (DPA).
Admin path: Google Admin Console → Account → Legal → Data Processing Amendment → Review and accept
This is the single most important compliance step. Without an accepted DPA, your use of Google Workspace is not DPDP-compliant regardless of any other configuration.
Step 2: Configure Data Regions
By default, Google Workspace stores data in Google’s global infrastructure. Google Workspace provides Data Regions — a feature that allows administrators to specify that data at rest is stored in a specific geographic region.
Admin path: Google Admin Console → Account → Data regions → Select preferred region
Important limitation: As of April 2026, Google Workspace does not offer India as a standalone data region option. Cross-border transfers are currently permitted under the DPDP Act, but Indian enterprises should document their data region setting and monitor MeitY notifications for any changes in data localisation requirements.
Step 3: Configure Google Vault for Retention and Deletion
Google Vault is the primary tool for managing data retention and deletion in Google Workspace. Set up retention rules for all Workspace applications:
- Gmail: Set a default retention rule that deletes messages after your defined retention period (typically 3–7 years)
- Drive: Set retention rules by organisational unit or Drive label for documents containing personal data
- Meet recordings: 90 days is appropriate for most meeting recordings
- Google Chat: Enable Chat retention and set a default deletion period
Critical: Enable auto-delete on all Vault retention rules. Vault retention without auto-delete retains data indefinitely — which is not DPDP-compliant for personal data.
Step 4: Configure Data Loss Prevention
Admin path: Google Admin Console → Rules → Data protection
Google Workspace DLP includes pre-built detectors for Indian personal data types including Aadhaar numbers and PAN numbers. Recommended DLP rules:
- Block external sharing of Aadhaar numbers, PAN numbers, and Indian financial account details
- Alert on bulk file downloads from Drive — a potential indicator of data exfiltration
- Restrict sharing of HR documents containing employee personal data
Step 5: Audit External Sharing and Third-Party Apps
Review Google Drive External Sharing Settings
Admin path: Google Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings
- Set external sharing to “Allowed with warning” or “Not allowed” depending on business requirements
- Disable “Allow users to publish files on the web” — publicly accessible files containing personal data are a DPDP violation
- Set the default link sharing for new files to “Restricted”
Audit Third-Party App Access
Admin path: Google Admin Console → Security → Access and data control → API controls → Manage third-party app access
Review all third-party apps with access to your Google Workspace data. Remove access for apps that are no longer used or that have excessive permissions.
Step 6: Enable Security and Audit Logging
Admin path: Google Admin Console → Reports → Audit and investigation
Enable and regularly review:
- Admin audit log — records all administrator actions
- Drive audit log — records file access, sharing, and download events
- Gmail audit log — records email access and message export events
- Login audit log — records user login attempts and suspicious activity
Google Workspace DPDP Compliance Checklist
Agreements
- Google DPA accepted by authorised administrator
- DPAs reviewed for all third-party Google Workspace Marketplace apps that process personal data
Data Residency
- Current data region setting documented
- Process established to monitor MeitY notifications on data localisation
Retention and Deletion
- Google Vault configured for all Workspace applications
- Auto-delete enabled on all Vault retention rules
- Meet recording retention period set to 90 days or defined standard
- Former employee account deletion process implemented
Access Control
- External Drive sharing set to “Allowed with warning” or restricted
- Public web publishing disabled
- Third-party app access audited and unnecessary apps removed
- Default link sharing set to “Restricted”
Security and Monitoring
- Drive, Gmail, Admin, and Login audit logs enabled
- Alert Centre configured for breach-relevant events
- DLP rules deployed for Indian personal data categories
CloudFirst is an Authorised Google Workspace Reseller for Indian enterprises. Talk to a Google Workspace expert → cloudfirst.in/google-workspace-reseller-mumbai.php
Frequently Asked Questions
Q: Can Google Workspace store data in India?
As of April 2026, India is not a standalone data region option in Google Workspace. Data may be stored in Google’s global infrastructure including US data centres. Cross-border transfers are currently permitted under the DPDP Act, but Indian enterprises should monitor MeitY guidance for any changes.
Q: Is Google Vault included in all Google Workspace plans?
Google Vault is included in Google Workspace Business Plus, Enterprise Standard, Enterprise Plus, and Education plans. It is not included in Business Starter or Business Standard plans. If your organisation is on a plan without Vault, you have a significant compliance gap for retention and deletion obligations.
Q: What about Google Workspace for Education — does DPDP apply?
Yes. Educational institutions that use Google Workspace for Education and process personal data of Indian students are subject to the DPDP Act. Children’s data receives enhanced protection under the Act — organisations processing data of individuals under 18 face stricter obligations and higher penalties.
