https://cloud.google.com/architecture/framework/security/data-residency-sovereignty#manage_your_operational_sovereignty
To ensure compliance with GDPR and implement data residency and operational sovereignty in the EU, the following steps can be taken:
Limit Physical Location of Resources: Use the Organization Policy Service to enforce the resource locations constraint. This ensures that all new resources are created within the specified regions (EU in this case).
Configure Organization Policy: Set up an organization policy that restricts the locations where new resources can be created. This is done through the Google Cloud Console or via the gcloud command-line tool.
Example:
gcloud resource-manager org-policies allow constraints/gcp.resourceLocations europe-west1 europe-west2 --organization=YOUR_ORG_ID
Key Access Justifications (KAJ): Use Key Access Justifications to limit Google personnel's access to encryption keys based on attributes like their geographic location or citizenship.
Set Up KAJ: Implement KAJ policies to ensure that only authorized personnel within the EU can access encryption keys.
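Because the resource locations constraint applies to newly created resources, resources that existed before the policy was set still need to be checked. The following is an added example, not taken from the referenced Google documentation, that flags inventory entries outside the two allowed regions. It assumes a JSON export with name, assetType and location fields (as produced by gcloud asset search-all-resources --format=json), uses constructed sample records, and assumes a zonal resource counts as being in its parent region.

```python
import json
import re

# Regions taken from the org-policy command above.
ALLOWED_REGIONS = {"europe-west1", "europe-west2"}

# Constructed sample inventory. Field names (name, assetType, location) are
# assumed to match `gcloud asset search-all-resources --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "//compute.googleapis.com/projects/example-proj/zones/europe-west1-b/instances/app-1",
     "assetType": "compute.googleapis.com/Instance", "location": "europe-west1-b"},
    {"name": "//cloudkms.googleapis.com/projects/example-proj/locations/europe-west2/keyRings/kr-1",
     "assetType": "cloudkms.googleapis.com/KeyRing", "location": "europe-west2"},
    {"name": "//compute.googleapis.com/projects/example-proj/zones/us-central1-a/disks/legacy-disk",
     "assetType": "compute.googleapis.com/Disk", "location": "us-central1-a"},
    {"name": "//storage.googleapis.com/example-legacy-bucket",
     "assetType": "storage.googleapis.com/Bucket", "location": "eu"},
    {"name": "//pubsub.googleapis.com/projects/example-proj/topics/events",
     "assetType": "pubsub.googleapis.com/Topic", "location": "global"},
    {"name": "//example.googleapis.com/projects/example-proj/things/no-location",
     "assetType": "example.googleapis.com/Thing"},
])

# A zone is its region plus a one-letter suffix, e.g. europe-west1-b.
ZONE_RE = re.compile(r"^([a-z]+-[a-z]+\d+)-[a-z]$")

def region_of(location):
    """Return the parent region for a zone; other values are returned lowercased."""
    loc = (location or "").strip().lower()
    match = ZONE_RE.match(loc)
    return match.group(1) if match else loc

def find_out_of_policy(inventory_json, allowed=frozenset(ALLOWED_REGIONS)):
    """List (name, location) for assets whose region is not in the allowed set.

    Multi-regions ("eu"), "global" and a missing location are all reported,
    because none of them proves the resource sits in an allowed region.
    """
    findings = []
    for asset in json.loads(inventory_json):
        location = asset.get("location")
        if region_of(location) not in allowed:
            findings.append((asset["name"], location or "<missing>"))
    return findings

if __name__ == "__main__":
    for name, location in find_out_of_policy(SAMPLE_INVENTORY):
        print(f"outside allowed regions: {location:15} {name}")
```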
References
Organization Policy Service
Key Access Justifications