Get GDPR compliant without disrupting your business

GDPR compliance and requirements are a top Dropbox priority built into all of its services.


The GDPR encourages more rigorous data protection

The General Data Protection Regulation (GDPR) is all about protecting personal data. The GDPR introduced several important principles that previously underpinned data protection law, such as the 'accountability principle' and 'privacy by design', which encourage organisations to take more responsibility for the data they protect.

Discover the Dropbox GDPR journey

What is the GDPR?

The GDPR (General Data Protection Regulation) is a 2018 European Union regulation that establishes a comprehensive framework for handling and protecting personal data.

Controlling and protecting data

It’s essential that people have control and clarity over how their data is used and protected by organisations they interact with, and that organisations are given clear guidelines to protect that data.

Anticipating technological change

One of the goals of the GDPR is to reconcile disparate data privacy laws across Europe, keeping in mind the rapid technological changes within the past two decades.

GDPR compliance begins and ends with trust

Implicit trust

At Dropbox, trust is the foundation of our relationship with millions of people and businesses around the world and we take the continued responsibility of protecting your information seriously. To supplement our GDPR compliance efforts, Dropbox also adheres to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance.

Global excellence

Respect for privacy and security was built into our business, and our focus on handling and protecting the data our customers trust us with has remained a top priority. Dropbox was one of the first cloud service providers to achieve ISO 27018 – the internationally recognised standard for leading practices in cloud privacy and data protection.

Download our privacy and data protection white paper

Smoothly incorporate GDPR into your business

Every organisation’s journey to GDPR compliance is different. Organisations should consider several factors, such as company size, the types and amount of data they process, and their current security and privacy measures.

Download our top tips


Frequently asked questions

What are your organisation’s obligations under the GDPR?

Your obligations under the GDPR depend on whether you are a data controller or data processor. If you are a Dropbox Business customer, please note that you are the data controller, and have specific legal obligations under the GDPR. Dropbox acts as your data processor in these cases. If you are a Dropbox Basic, Plus or Professional user, Dropbox is the data controller of your data. Please also note that there are specific legal obligations in that regard under GDPR. Whether your company is a data controller or a data processor, we cannot provide legal counsel regarding your company's compliance with GDPR, but do encourage you to seek independent legal counsel.

How do I comply with GDPR requirements for my small business?

Complying with GDPR requirements isn’t just a necessity for large, global companies; it applies regardless of the size of your company or the type of personal data you collect. Since the GDPR was enacted in 2018, your business is legally required to comply with GDPR regulations.

If you are a Dropbox Business customer, please note that you are the data controller, and have specific legal obligations under the GDPR. Dropbox acts as your data processor in these cases.

If you are a Dropbox Basic, Plus or Professional user, Dropbox is the data controller of your data. Please also note that there are specific legal obligations in that regard under GDPR. Whether your company is a data controller or a data processor, we cannot provide legal counsel regarding your company's compliance with GDPR, but do encourage you to seek independent legal counsel. For more information about how Dropbox can help you comply with the GDPR, please consult this shared responsibility guide.

What were the key changes of the GDPR?

The key changes of the GDPR were the introduction of several principles that previously underpinned data protection law, such as the 'accountability principle' and 'privacy by design', which encourage organisations to take more responsibility for protecting the personal data they handle.

Privacy by design: This means that organisations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed.

User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.

Tougher breach notification rules: Under the GDPR, organisations are required to have a strong breach notification system in place and understand their specific reporting obligations.

Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.

Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.

What has Dropbox’s GDPR compliance journey been?

At Dropbox, trust is the foundation of our relationship with millions of people and businesses around the world. We value the confidence you’ve had in us and we take the responsibility of protecting your information seriously. Respect for privacy and security was built into our business from the beginning and, as we've grown, our focus on handling and protecting the data our customers trust us with has remained a top priority. For example, we were one of the first cloud service providers to achieve ISO 27018 – the internationally recognised standard for leading practices in cloud privacy and data protection.

To supplement our GDPR compliance efforts, Dropbox has chosen to adhere to the Cloud Security Alliance (CSA) Code of Conduct for GDPR Compliance. Dropbox describes its data protection practices and compliance with the Code of Conduct in a Privacy Level Agreement that is publicly available on the CSA website. Dropbox takes GDPR very seriously, and we are committed to ensuring our compliance with both the GDPR and the Code of Conduct. In the event there is a material change in the GDPR that conflicts with the Code of Conduct, Dropbox shall comply with the terms of the GDPR.

Read more about 'Dropbox’s GDPR Compliance Journey' here.