How Do You Answer a Supplier Data Protection Questionnaire About Google Workspace?


Imagine this: you have spent months chasing a massive new client. The pitch went perfectly, the commercial terms are agreed, and the contract is practically sitting on your desk. Then, out of nowhere, procurement drops a lengthy supplier data protection questionnaire into your inbox. They want to know exactly how your business stores, protects, retains, and deletes their sensitive data. If you cannot answer it convincingly, the deal stalls—or worse, goes to a competitor with tighter compliance.

According to the UK government's Cyber Security Breaches Survey 2025/2026, while only 15% of smaller firms review supplier risks, that figure jumps to 48% for large businesses. As you scale up and chase bigger contracts, these security audits are going to become a regular fixture in your inbox.

The Hidden Advantage Already Inside Your Account

Here is the good news: you do not need to panic, and you certainly do not need to purchase expensive, specialised compliance software. If your business runs on Google Workspace by Kimbley IT, the exact tools required to ace this questionnaire are already sitting inside your subscription.

Features like Google Vault, retention rules, shared drives, sharing controls, and the alert centre cover almost every single security question on that form. You just need to know how to map their questions to your existing tools.

Why Most IT Providers Drop the Ball Here

The company looking after your IT support probably cannot help you answer these questions. We learned this firsthand from an external Data Protection Officer (DPO) who joined a project we were managing. Assessing IT providers is a daily part of her job, and in her experience, most have never even heard of a Data Processing Agreement.

When we handed over our Master Service Agreement and DPA for review, her written feedback showed how rare that is:

“I would love to know which law firm you’re working with - the documents are about some of the best I’ve seen, and by a country mile, the best I’ve seen from any MSP!”
— External Data Protection Officer (DPO)

She went on to describe our DPA as "open enough to not be restrictive, but tight enough to ensure the controller is in control."

A Data Processing Agreement (DPA) is a legally binding contract that defines exactly how a supplier handles data on your behalf. UK GDPR strictly requires one whenever another company processes your personal data. If your current IT provider looks blank when you ask about a DPA, they lack the compliance background needed to help you describe retention, deletion, or access controls on a client's form.

Your Google Workspace Questionnaire Cheat Sheet

Every standard question on a supplier security form maps directly onto a feature you are already paying for. Use this quick reference table to fill out your form:

Security Questionnaire Answers in Google Workspace

| What the questionnaire asks | What it actually does | The tool |
|---|---|---|
| How long do you retain data? | Google Vault retention rules keep Gmail, Drive, and Chat data for a defined period, then delete it automatically. | Google Vault |
| Can you preserve data for legal or regulatory reasons? | Google Vault legal holds freeze data for specific individuals so nothing can be deleted, even by them. | Legal holds |
| Who owns and controls company files? | Shared drives ensure your business owns the files, even after the creator leaves the company. | Shared drives |
| How do you prevent data from leaving the business? | Sharing controls and Google Takeout restrictions block external sharing and prevent team members from downloading company data to personal devices. | Sharing controls |
| How do you detect suspicious activity? | The Alert centre flags phishing, malware, account compromises, and unauthorised data exports. | Alert centre |
| Can you produce specific data on request? | Vault search and the Data Export tool find and export specific messages or files with a complete audit trail. | Vault search |

Enforcing Data Retention with Google Vault

Google Vault is the retention and eDiscovery tool built into Google Workspace Business Plus, which is included in our IT Support and Assistance package.

When a form asks, "What is your data retention policy?" they don't just want a written document; they want proof of an enforcement mechanism. With Vault, you can set a rule that automatically deletes emails after seven years to satisfy HMRC record-keeping expectations, or clears out temporary project files after six months. Vault provides both the policy definition and automated enforcement.

Legal holds matter just as much. If a legal dispute or formal complaint arises, you must preserve all relevant data. A hold in Vault silently locks down everything for the involved team members, ensuring nothing is deleted or altered. We once used this exact feature to protect a client from a £250,000 legal liability.

Keeping File Ownership via Shared Drives

In standard personal folders (My Drive), files belong to the individual who created them. If a team member leaves and you delete their account, those files can vanish or become incredibly difficult to rescue. Questionnaires look for this vulnerability by asking: "How do you manage data access when team members leave?"

Shared drives solve this entirely. Files belong to the business, not the individual. When a team member moves on, their work stays exactly where it belongs, with folder structures and permissions intact. You can also lock down sharing on a per-drive basis, keeping client data strictly internal while allowing your marketing drive to collaborate freely with external agencies.

Stopping Data Leaks Before They Happen

You can secure your company perimeter using three straight-to-the-point controls:

  • External Sharing Restrictions: Control exactly who can send files outside your domain. You can whitelist specific trusted partner domains or require warnings before anything leaves.

  • Google Takeout Restrictions: Google Takeout allows account holders to download their entire data history. While fair for personal accounts, it is a massive corporate risk. A departing team member could easily download your entire client database before resigning. You can turn this off for your team in minutes. When you partner with Kimbley IT, we make sure this setting, which is on by default, is turned off.

  • The Alert Centre: Included with every Workspace edition, this dashboard monitors threats such as phishing campaigns, suspicious logins, and compromised devices. It will also sound the alarm if someone triggers a mass domain data export, so a large-scale copy of your data cannot happen quietly.

If a massive contract demands even tighter security, Google Workspace by Kimbley IT editions include Data Loss Prevention (DLP). DLP automatically scans emails and files for sensitive strings, such as credit card numbers or passport details, and blocks them from being sent.

Proving You Can Produce Data on Request

When a client issues a Subject Access Request (SAR) or an auditor requests an audit trail, you need to move fast. Vault's search and export function allows you to pinpoint specific correspondence by date, person, or keyword, generating a clean export file alongside a comprehensive audit log showing who accessed it.

Five Practical Steps to Ace Your Questionnaire

  1. Batch Your Questions: Group the form's questions into four clear buckets: retention, access control, data leakage, and incident response. They line up perfectly with the Workspace tools listed above.

  2. Verify Your Workspace Plan: Vault is included in Google Workspace by Kimbley IT. If you are on Starter or Standard, upgrade your plan or purchase the add-on licences before claiming you have a retention policy you cannot actually enforce.

  3. Formalise Your Retention Rules: Set clear timelines for your data, put them in writing, and then match them exactly in Google Vault. The written decision becomes your official policy, and Vault acts as the enforcer.

  4. Lock Down Sharing and Exports: Audit your external sharing settings, move scattered personal files into Shared Drives, and disable Google Takeout across the business.

  5. Prepare your own DPA: Having your own standard DPA ready to hand over, alongside the completed questionnaire, completely changes the dynamic—it shows their compliance team that you are entirely on top of your responsibilities.

Frequently Asked Questions

  • Is Google Workspace UK GDPR compliant? Google Workspace provides all the necessary technical infrastructure—encryption, audit logging, and access control—to meet UK GDPR standards. However, software isn't compliant out of the box; you must configure the settings deliberately and document your operational decisions.

  • What is a Data Processing Agreement? A DPA is a mandatory contract under UK GDPR that governs how a third-party vendor handles personal data on your behalf. You need one with every single data processor you use, including Google, your own IT support provider, and the clients you process data for.

  • Which Google Workspace plans include Vault? Vault is bundled with Business Plus, Enterprise Standard, and Enterprise Plus. If you are on Business Starter or Standard, you can purchase it as an individual add-on licence, though upgrading to Business Plus is usually the most straightforward route for scaling firms.

  • Is Google Vault a backup? No. Vault is built for compliance, legal holds, and data retention. It keeps data accessible for legal discovery, but it cannot restore a clean snapshot of your files following a ransomware attack or accidental corruption. You still need a dedicated backup system alongside it.

  • Can my IT provider answer the questionnaire for me? A competent IT partner can easily handle the technical implementation and provide the configuration evidence. However, you must decide the core policies—such as exact data retention periods—because your business remains the data controller.

Get the Form Answered and the Deal Signed

Passing a supplier security check is a fantastic opportunity to look significantly more professional than your competitors, most of whom will completely fumble the paperwork. The answers are already sitting right inside your Google Workspace dashboard.

If you want your next compliance form to take an afternoon instead of a stressful month, the next step is to book a video call with us using the form below, and we will get your Vault, retention policies, and sharing controls properly configured.

James Kimbley

Founder, Entrepreneur & Investor at Kimbley IT Limited


My team organises your business IT with Google Workspace, AI, Cyber Security & Support in One Package, trusted by 65+ UK businesses. Kimbley IT is a Google Cloud Partner, and Google Workspace is at the heart of everything we do. We recommend it because we've spent nearly 20 years helping UK businesses get the most from it and not because anyone asked us to.


Connect with me: LinkedIn (https://www.linkedin.com/in/jameskimbley/) • Threads (https://www.threads.com/@james.kimbley) • View All Posts (https://www.kimbley.com/blog?author=50c5e9d6e4b033df8f3030ec)
