Project overview

Summary

Google Workspace unblocked a $15B international highly-regulated market and landed major sales with influential early adopters, known as “lighthouse customers,” by launching a suite of data sovereignty controls, reporting interfaces and configuration guides that helped admins meet compliance requirements for their organization’s most sensitive data.

Problem and context

Before I started on this project, organizations with stringent compliance standards typically couldn’t even consider using Google Workspace because we didn’t offer the required access, data location and retention controls for them to be compliant. These large private enterprises and public sector organizations in the US and EU made up a huge market that our sales team couldn’t access. Our team wanted to unblock this market and win high profile customers to build customer trust and significantly expand Google Cloud’s footprint.

My role

I was fully accountable for leading the UX strategy and design for Privacy, Sovereignty, and Compliance within the Google Workspace Platform team. I owned product direction, information architecture, and design within this domain. I worked closely with senior leadership stakeholders to align on key design decisions and collaborated with a cross-functional team of 15 senior engineers, 3 product managers, 3 UX researchers, and 5 UX designers. I facilitated cross-functional (UX, PM, eng) design sprints, conducted competitive analysis, managed 5 research studies, mentored junior UX professionals, edited public product blog posts and documentation, provided feedback on PRDs, and championed a north star vision to focus team direction in the long term.

Impact

The launch of data location, access, and retention controls was instrumental in Google Workspace being granted certifications in several new compliance frameworks. Notably, we secured authorization to operate (ATO) for FedRAMP High and IL4, which played a pivotal role in the United States Army's decision to purchase 250,000 licenses of our highest-tier SKU: Assured Controls. These product launches also facilitated our successful passage of the Dutch government's Data Protection Impact Assessment (DPIA), and, combined with the introduction of several EU-centric features, opened the door to large, highly-regulated EU firms. Beyond the US military, these efforts paved the way for major sales to lighthouse customers in the US and EU such as state governments, defense contractors, telecom giants, aerospace icons, multinational professional service firms, and top-tier international banks.

— KEEP SCROLLING IF YOU WANT TO GET INTO THE WEEDS —

Problem statement

Motivation

Missing functionality: Most compliance requirements for customer data focus on three key areas: data location, access control, and retention. At the start of this initiative, our customers had little control over where their data was processed, and reporting on data location was unclear and missing key data categories. Additionally, customers had no say in where Google’s support personnel were located, which meant, for example, U.S. customer data could be accessed by EU-based support staff, which could cause compliance infractions. Customers also couldn’t mandate that support personnel have fingerprint records or FBI background checks, creating regulatory concerns. Further, while support access was tied to customer-initiated tickets, many customers wanted more granular control, preferring that data access be granted only with explicit permission for each instance.

Fragmentation and findability: Compliance and data control pages within Admin console are decentralized and often hard to find. Competitive analysis and concept evaluation UXR found participants attributed high value to managing compliance with a “single pane of glass.” A tree jack UXR study found benefits to adding a compliance section to the navigation drawer

Configuration confusion: Conceptual evaluation UXR concluded it would be “spectacular” if we recommended settings based on regulations. Other competitive analysis UXR determined compliance assessment templates to be the most valued part of our competition’s compliance manager.

Data privacy misconceptions: Customers often misunderstand our privacy policies, for example mistakenly thinking we use their Google Workspace data for ads. We needed to make our stance clear.

As a whole these issues were causing compliance headaches for current customers and blocked sales to highly-regulated prospects.

Stakeholders

Key internal stakeholders included the CEO of Google Cloud, the VP of Google Workspace Platform Engineering, the Senior Director of Google Workspace Platform Engineering, the Director of Product Management for Privacy, Sovereignty, and Compliance and several sales leads specializing in highly-regulated markets. Externally, several dozen strategic customers across the U.S. and EU, each with stringent regulatory requirements, played a critical role in providing feedback, shaping the project’s direction to ensure their data sovereignty needs were met.

Goals

The primary objectives of this initiative were to unlock highly-regulated markets in the U.S. and EU, while securing strategic deals with key lighthouse customers to build trust in Google Workspace as a data sovereignty leader. Depending on the product and its launch phase—whether alpha, beta, or general availability (GA)—we had specific targets related to the size and number of customers. For instance, we had a goal of having 10 large enterprise customers actively using the feature during beta. We aimed also to validate with formative UXR concept studies that we were delivering features that met customers' data sovereignty needs. Additionally, Google Workspace Platform has strict UX standards across our organization, requiring usability testing with critical user journeys (CUJs) to achieve success scores of 80% or higher for GA launch approval. Lastly, our goal was to launch without any major usability issues post-release.

Process and approach

1. Discovery and research

Stakeholder alignment: I worked with the Senior Director of Product Management for Privacy, Sovereignty and Compliance to understand business goals, market sizing and compliance requirements and to jointly define product vision. Together we aligned the leadership steering committee on market positioning, target customers, and key differentiators.

User research and competitive analysis: I conducted a competitive analysis to evaluate the data sovereignty tools offered by other productivity suites. Additionally, I guided the UXR team in executing a formal, in-depth competitive analysis aimed at better understanding the compliance needs of large, highly regulated enterprises. The study provided key insights that highlighted our potential to stand out. One major finding revealed that, while competitors offered more features, their data sovereignty tools were complex and difficult to manage. This emphasized simplicity as a crucial differentiator for our solution, which was tremendously helpful knowledge for us because as the underdog in this space, we weren’t going to win a bells and whistles competition.

2. Strategy and planning

UX strategy: I collaborated closely with product managers to define user journeys, personas, success metrics, and design principles that would guide us in delivering an exceptional product tailored to the needs of our lighthouse customers. We also jointly planned which functionality would be available in the various SKU levels.

Cross-functional collaboration: I facilitated brainstorming sessions with cross-functional teams, including PM, engineering, and UX, structuring them into phases of divergent and convergent thinking to generate a wide range of feature ideas. Afterward, we mapped these ideas on a difficulty-importance matrix to identify the most impactful and achievable features. I collaborated closely with the PM on the PRD, providing user-centric feedback, and worked alongside the engineering team to ensure that the planned solutions were both practical and technically feasible.

3. Design and prototyping

Information architecture: For each product launch, extensive analysis was conducted to determine the most effective information architecture. The Google Workspace Admin console, which manages over 13,000 settings for the productivity suite, is a highly constrained platform with a robust established design system, making custom solutions inefficient to implement. This required detailed evaluation of which pre-existing systems should be integrated and how they should interact, such as the notification manager, email push notifications, auditing/logging interface, admin privileges, and Google Support ticket management UI. We also considered which tech stack to use for settings scoping—whether assigned to users via groups or built with rules and conditional statements involving users and labels. Additionally, we had to carefully assess how settings should be organized in the left navigation menu. A key decision was whether to centralize data region controls in one location or decentralize them under each app's settings page for easier app-specific management.

Prototyping and user testing: I designed interactive prototypes in Figma for configuring settings across four key products: Access Management, Access Approvals, Data Regions, and Google Vault. Additionally, I developed reporting dashboards and auditing tools for Data Regions and Access Transparency. Lastly I designed hub pages for data privacy and compliance. These interfaces were thoroughly vetted through internal design critiques with UX teams, feasibility assessments with engineering, and concept evaluations and usability testing with customers.

4. Collaboration and iteration

Design reviews and feedback: I regularly conducted design reviews with leadership to keep them informed of our progress and secure approvals, ensuring that stakeholder needs were met. I collaborated closely with UX researchers on study screeners, interview guides, and testing materials, providing feedback on their reports. Utilizing insights from leadership and findings from UX research, I iterated on the designs and worked with the engineering team to implement necessary changes to the user experience.

Cross-functional collaboration: I collaborated with technical writers to ensure that the documentation accurately described the user interface and was easy to understand. I also worked closely with UX writers to ensure that key elements such as clarity, consistency, and tone in the interface were effectively addressed, enhancing the overall user experience. Additionally, I partnered with the product's legal counsel to ensure that the UI made appropriate claims, especially those relating to compliance, to address concerns related to liability and user privacy.

5. Launch and post-launch

Launch execution: I worked closely with product marketing to develop product names and pitches that aligned with our brand while making it easy for customers to understand each product’s purpose purpose. Additionally, I partnered with product management to edit internal product announcement emails and external blog posts. Furthermore, I created videos for product leadership to showcase at Google I/O and other compliance/security conferences, where the products were demonstrated to strategic customers.

Post-launch monitoring: I ensured that instrumentation was integrated into the UI elements to observe and analyze how customers interacted with the launched interfaces. We monitored whether customers could successfully complete critical user journeys (CUJs) and maintained close communication with strategic customers to assess if the product met their needs and to identify any usability concerns. As of this writing, no major issues have been reported to us.

Collaboration

Team composition and contributions

This initiative encompassed four sub-projects—support access, data location, data retention and Compliance Hub—each led by its own product manager and engineering team. I collaborated closely with legal counsel, product marketing, documentation writers, UX researchers, designers, and writers. As the lead UX practitioner in this area of Google Workspace, I worked hands-on while partnering with the Senior Director of Product Management for Privacy, Sovereignty, and Compliance. Together, we prepared leadership review decks for senior Google Cloud leadership, including the CEO. My responsibilities included helping define and communicate project timelines, milestones, go-to-market strategies, product-market fit, and overall mission narrative. I also led the information architecture efforts, authoring proposals and collaborating with PMs and engineers to weigh the pros and cons of different approaches. Additionally, I provided feedback on PRDs, engineering design documents, product announcements, and technical documentation.

Leadership impact

In this role, I influenced not only the design direction but also the strategic decisions of the project. I mentored cross-functional collaborators, including a junior UX researcher stepping in for a senior UXR on parental leave, guiding her on improving interview structures and organizing research reports. My leadership extended to collaborating with product managers and the sales team on infographics that highlighted the advantages of Google Workspace’s security architecture compared to competitors.

Surmounting challenges

This project encountered significant challenges that required strong leadership to ensure the successful delivery of the product suite. Most notably, we faced high-profile departures from key PM and UXR collaborators.

Permanent PM departures: The lead PM for Support Access Controls and Compliance Hub left to take on a VP role at a growth-stage startup, and the PM for Data Location was promoted internally, leaving a leadership vacuum. In response, I took the initiative to drive all three projects forward, establishing weekly meetings with engineering teams to define requirements, monitor implementation progress, and keep the leadership committee appraised of our advancements. It took about six months for new PMs to be hired and several months beyond that for them to get ramped up. All the while I kept the projects moving forward.

Temporary UXR departure: When our lead senior UX researcher went on parental leave for six months, we faced the critical task of conducting multiple concept evaluations and usability studies in her absence. Although a UXR contractor was hired, her lack of experience posed a challenge. I stepped in to be a mentor and provide guidance, helping her develop screeners, interview guides, and reports. Throughout this period, I effectively became the primary contributor from a UXR perspective, ensuring that our research efforts continued to progress until our senior UXR lead returned.

Visuals

Here are some of the mocks control, notification and reporting interfaces I designed for this initiative:

Outcome & impact

Every product launch I contributed to as part of this initiative consistently met or surpassed internal KPIs across all phases—alpha, beta, and GA. Our efforts unlocked a $15B market for sales, securing critical deals with dozens of large enterprise-level lighthouse customers. The user experience underwent rigorous scrutiny by government auditors, leading to Google Workspace earning key ATOs for FedRAMP High, IL4, CJIS and IRS 1075, as well as passing the Dutch government’s DPIA. We are also on track to achieve several new regulatory certifications. Lastly, for the first time provided compliance configuration recommendations and made it easier for customers to get their accounts set up appropriately. From a UX standpoint, these launches were exceptionally successful, with no significant usability issues reported by customers.

The launch of these GA controls was announced in July of 2024 on the Google Workspace blog. Several cybersecurity news organizations (e.g. Techzine, 01netit, ITdigitalsecurity, Ciberseguridadtic) positively covered the launch.

Customer quotes

Personal growth and learnings

Key learnings: This project was a pivotal experience in my growth as a mentor and leader. I was placed in a position where I couldn’t take on every task myself, which pushed me to teach others how to be more self-sufficient. By mentoring and empowering team members, I helped them grow into more confident practitioners, capable of handling challenges independently. Additionally, I learned the importance of persistence and perspective. Even when situations seemed on the verge of falling apart, maintaining focus and tackling tasks one step at a time helped us steadily improve the project’s trajectory. In the end, despite the hurdles, we successfully delivered what the customers needed. Thinking back on this experience will give me hope when I face future struggles.

Next steps: This initiative is still ongoing, with exciting future directions. We're currently exploring ways to provide customers with more advanced auditing tools, as well as AI-driven insights that make intelligent recommendations based on the organization's holistic policy configuration. Additionally, we’re investigating ways to refine and implement sovereignty policies more precisely, reducing the trade-offs associated with activating certain features and ensuring that customers maintain the highest level of control without sacrificing flexibility.

Let’s connect

Want to discuss data sovereignty or how this project relates to yours? Reach out!