Forum Discussion
TomMacD89
8 years ago
Explorer | Level 3
GDPR Compliance for Personal / Free Accounts
Hi,
I work with various charities in the UK who often use free Dropbox accounts to share files for boards of trustees, teams etc.
There is some confusion as to whether the GDPR compliance steps that Dropbox have made apply to these accounts or only to those on Dropbox Business.
Could this be clarified please?
71 Replies
- Norah 8 years ago
Dropbox Staff
Dropbox will meet the requirements of the GDPR by May 25, 2018 as required across all its services, including Dropbox Basic, Plus, Professional, and Business.
You can read about our GDPR preparation, as well as our approach to safeguarding your data at our GDPR guidance center.
I hope this helps!
- Mark 8 years ago
Super User II
Hi Tom
As somebody in the UK the biggest thing you need to make sure is that the end users whose data is being stored are aware of it being stored AND that it is stored outside of the EU. Same goes if they email things in, they need to know where those email servers are (e.g. Office365 = USA etc.).
- aukevn 8 years ago
Helpful | Level 7
Hi Norah,
The information given here confuses me. Your product support told me I need to upgrade from a personal account to a business account to comply with the GDPR and have the proper agreement in place. Can you please clarify if this is indeed necessary? We share sensitive data with hundreds of partners, most of whom are very small (one person) businesses. I need to know if their free or personal accounts will be compliant with the GDPR.
Kind regards,
Auke
- Mark 8 years ago
Super User II
Have you read the links supplied, Aukevn?
It depends what you need Dropbox to be doing in order for you to decide if it is compliant or not. Dropbox on its own IS compliant because of how the data is stored etc. But, if you deem you need additional controls (maybe access logs etc.) then you will need a higher package than a Free or Personal account.
- aukevn 8 years ago
Helpful | Level 7
Yes, and I found out your statement about the Personal and Free accounts is WRONG!!!
In order to comply with the regulations, you need to sign a Data Protection Agreement with all your business partners who process customer data. Dropbox only offers this to Business Accounts. So even though you may store the data of the Personal and Free accounts in compliance with the law, by not allowing your customers with these accounts to sign an agreement they can't comply and can't use Dropbox to store business data that contains personal data of customers.
For large organizations, your Business account is a solution, but we have over 100 business customers who are independent contractors. They can't afford to pay the 3 accounts you require as a minimum for the Business account (they would need only 1), so they can't use Dropbox anymore.
Kind regards,
Auke
- Mark 8 years ago
Super User II
It is not incorrect at all.
I'm in the UK and it is acceptable to use things like Safe Harbour to do so as the requirements are based upon the specifics of individuals, things may be different (I deal with parents of children in a swim school, not holding massive amounts of personal data etc.).
So, I have informed all my staff and customers that I use Dropbox (and Office365 incidentally), what I store on it, how I store it and how we have risk assessed it's safe (e.g. the Safe Harbour compliance etc.) and I'm leaving it at that.
- aukevn 8 years ago
Helpful | Level 7
First of all a correction, I referred to the statement of Norah, not yours Mark, sorry.
Your situation is different than ours. We share sensitive information with our partners. We have a Business account but most of them can't afford it. Our lawyers state that our customers must also have a Data Processing Agreement with Dropbox, but with their Personal and Free accounts they can't unfortunately.
Cheers,
Auke
- Mark 8 years ago
Super User II
I'm afraid you are stuck then - and I doubt you'll get this with any organisation without paying massive amounts (because to do so is very labour intense).
If they are stating this make sure you are also investigating things like your email providers etc.
- aukevn 8 years ago
Helpful | Level 7
As far as I can see, Dropbox could either provide a single person business account, or just make the agreement applicable to their other types of accounts. Maybe it is good business for them :sunglasses:
- AnitaP 8 years ago
New member | Level 2
Hi
I currently store client information I work on via my Dropbox Plus account. Please would you confirm that Dropbox Plus meets the GDPR criteria that everyone is rushing to comply with at the moment? I understand that Dropbox Business is, but it is not expressly stated that my files in the Plus account would be treated in the same secure way. I do not need a Business account as the Plus account serves my needs.
Please would you confirm that the data storage services you offer on Dropbox Plus comply with the EU/US Privacy Shield?