
Dropbox gears up for new EU data protection rules

Certification on ISO27018 and planned European-based infrastructure put cloud file storage provider in good position for new EU rules

Cloud file storage provider Dropbox is preparing to help organisations comply with the European Union’s General Data Protection Regulation (GDPR), which is expected to come into effect in 2018.

“We have sweated the details already, which means organisations don’t have to worry about compliance,” said Mark Crosbie, head of trust and security for Dropbox in Europe.

Dropbox is one of the first organisations to be certified as compliant with the new ISO27018 code of practice for protection of personally identifiable information (PII) in public clouds.

“The processes we have had to go through to get this certification – which is reassessed annually – have put us in a really good place for being ready for the GDPR as well as the Privacy Shield data transfer framework,” he told Computer Weekly.

Although Dropbox is US-based, more than 70% of its claimed 500 million users are outside the US, and so the company has already put a lot of effort into security and privacy in a global context.

“Our annual audit and ISO27018 certification have ensured that the back-end processes, infrastructure and staff awareness needed for GDPR compliance are already in place,” said Crosbie.

Dropbox is also gearing up for the GDPR by launching its European data storage infrastructure in the third quarter of 2016 to provide customers with an alternative to US-based file storage.

“This move is part of plans to invest where our market is and to provide a better, faster service as well as giving customers a choice on where they would like their data to be stored,” said Crosbie.

Dropbox plans to use Amazon Web Services (AWS) datacentres in Frankfurt, Germany, just as it did in the US before moving to its own infrastructure, a transition it announced it had completed in March 2016.

Over the past two and a half years, Dropbox has been winding down its reliance on AWS Simple Storage Service (S3) by ploughing investment into building an in-house storage system of its own.

Although the new EU data protection rules are expected to come into force in just two years’ time, Crosbie said anyone serious about GDPR compliance should be doing something about it now.

In terms of preparation, he said the smallest details can become the biggest challenges, such as ensuring every person in the company has been trained and certified on handling PII.


One of the biggest changes the GDPR will bring is assigning responsibility to anyone who has access to PII, not just company executives.

“PII certification was a large part of being able to say that everyone understands their obligations internally,” said Crosbie. “Don’t overlook these little details, because they could easily trip you up.”

Organisations should also ensure they have a documented data classification policy and data security policy to govern who can access what data under specific circumstances, he said.

“It is about taking care of the seemingly little details, such as training, to ensure you have everything you need in place by the time the GDPR comes into force,” said Crosbie.

“Companies that have figured out how to do security at scale will do well, but companies that lack the necessary people, processes and skills are going to have a tough time.”

According to Crosbie, because Dropbox’s infrastructure is “ruthlessly standardised” and its security model is consistent, it is relatively easy to apply new standards as the business grows.

“The fundamentals of security that we have built in are universal across our infrastructure and processes, whether in the US or in Europe,” he said.

Dropbox stepped up its focus on its business service by introducing the Dropbox Business and Dropbox Enterprise editions.

The strategy is to provide business users with a familiar, user-friendly cloud-based storage service, but with added functionality to enable better controls and security for the enterprise.

“At the back end, the security protections are the same across all versions in terms of encryption, data protection and processes, which are all audited annually for our ISO27001 certification,” said Crosbie.


Dropbox is positioning itself as a partner to CIOs to take care of file storage, synchronisation and collaboration with an enterprise-ready service that has the data-centric controls that CIOs need.

“We have a service that works and people like to use which is backed up by enterprise controls and compliance reports, so CIOs should leave that to us so they can focus on other things,” said Crosbie.

He thinks the term ‘shadow IT’ is outdated because the way people work and collaborate with colleagues or partners is changing, so traditional, top-down IT deployments that are centrally controlled no longer fit every business scenario.

“The style and nature of work is much more loosely coupled, with people coming together to work on specific projects or problems and then dispersing, so they need a tool like Dropbox that allows them to do that. It makes more sense to talk about ‘new IT’ because it is a more agile way of deploying IT,” said Crosbie.

CIOs have to choose whether they are going to block the way people want to work, and so risk losing control and being bypassed, or whether they are going to facilitate it in a secure way.

“This is what Dropbox Business and Enterprise enables them to do, ensuring the company remains in control of company data and can set policies around how that data is accessed and shared, and enabling additional security through things like two-factor authentication and roll-back to last known good state in the event of ransomware attacks,” he said.

According to Crosbie, people familiar with the consumer version of Dropbox are willing to switch to the business versions that are under the control of the IT department.

“Because they are familiar with Dropbox and like using it, they are more willing to use it, which leads to a virtuous circle of widespread adoption, but with the guard rails set by the IT departments,” he said.

To make it easier for businesses to integrate Dropbox into their existing IT and IT security environments, the company has provided application programming interfaces (APIs) for most big suppliers and established an extensive partnership programme for managed service providers (MSPs), value-added resellers (VARs) and direct market resellers (DMRs).
