“We have sweated the details already, which means organisations don’t have to worry about compliance,” said Mark Crosbie, head of trust and security for Dropbox in Europe.
“The processes we have had to go through to get this certification – which is reassessed annually – have put us in a really good place for being ready for the GDPR as well as the Privacy Shield data transfer framework,” he told Computer Weekly.
Although Dropbox is US-based, more than 70% of its claimed 500 million users are outside the US, and so the company has already put a lot of effort into security and privacy in a global context.
“Our annual audit and ISO27018 certification have ensured that the back-end processes, infrastructure and staff awareness needed for GDPR compliance are already in place,” said Crosbie.
Dropbox is also gearing up for the GDPR by launching its European data storage infrastructure in the third quarter of 2016 to provide customers with an alternative to US-based file storage.
“This move is part of plans to invest where our market is and to provide a better, faster service as well as giving customers a choice on where they would like their data to be stored,” said Crosbie.
Dropbox plans to use Amazon Web Services (AWS) datacentres in Frankfurt, Germany, as it did in the US before moving to its own infrastructure, a migration it announced it had completed in March 2016.
Over the past two and a half years, Dropbox has been winding down its reliance on AWS Simple Storage Service (S3) by ploughing investment into building an in-house storage system of its own.
Although the new EU data protection rules are expected to come into force in just two years’ time, Crosbie said anyone serious about GDPR compliance should be doing something about it now.
In terms of preparation, he said the smallest details can become the biggest challenges, such as ensuring every person in the company has been trained and certified on handling PII.
One of the biggest changes the GDPR will bring is assigning responsibility to anyone who has access to PII, not just company executives.
“PII certification was a large part of being able to say that everyone understands their obligations internally,” said Crosbie. “Don’t overlook these little details, because they could easily trip you up.”
Organisations should also ensure they have a documented data classification policy and data security policy to govern who can access what data under specific circumstances, he said.
“It is about taking care of the seemingly little details, such as training, to ensure you have everything you need in place by the time the GDPR comes into force,” said Crosbie.
“Companies that have figured out how to do security at scale will do well, but companies that lack the necessary people, processes and skills are going to have a tough time.”
According to Crosbie, because Dropbox’s infrastructure is “ruthlessly standardised” and its security model is consistent, it is relatively easy to apply new standards as the business grows.
“The fundamentals of security that we have built in are universal across our infrastructure and processes, whether in the US or in Europe,” he said.
The strategy is to provide business users with a familiar, user-friendly cloud-based storage service, but with added functionality to enable better controls and security for the enterprise.
“At the back end, the security protections are the same across all versions in terms of encryption, data protection and processes, which are all audited annually for our ISO27001 certification,” said Crosbie.
Dropbox is positioning itself as a partner to CIOs to take care of file storage, synchronisation and collaboration with an enterprise-ready service that has the data-centric controls that CIOs need.
“We have a service that works and people like to use which is backed up by enterprise controls and compliance reports, so CIOs should leave that to us so they can focus on other things,” said Crosbie.
He thinks the term ‘shadow IT’ is outdated because the way people work and collaborate with colleagues or partners is changing, so traditional, top-down IT deployments that are centrally controlled no longer fit every business scenario.
“The style and nature of work is much more loosely coupled, with people coming together to work on specific projects or problems and then dispersing, so they need a tool like Dropbox that allows them to do that. It makes more sense to talk about ‘new IT’ because it is a more agile way of deploying IT,” said Crosbie.
CIOs have to choose whether they are going to block the way people want to work, and so risk losing control and being bypassed, or whether they are going to facilitate it in a secure way.
“This is what Dropbox Business and Enterprise enables them to do, ensuring the company remains in control of company data and can set policies around how that data is accessed and shared, and enabling additional security through things like two-factor authentication and roll-back to last known good state in the event of ransomware attacks,” he said.
According to Crosbie, people familiar with the consumer version of Dropbox are willing to switch to the business versions that are under the control of the IT department.
“Because they are familiar with Dropbox and like using it, they are more willing to use it, which leads to a virtuous circle of widespread adoption, but with the guard rails set by the IT departments,” he said.
To make it easier for businesses to integrate Dropbox into their existing IT and IT security environments, the company has provided application programming interfaces for most big suppliers and established an extensive partnership programme for managed service providers (MSPs), value-added resellers (VARs) and direct market resellers (DMRs).