Welcome to Dropbox's GDPR guidance centre

This guidance centre hopes to offer some helpful insights and practical steps for organisations as they prepare for compliance with the General Data Protection Regulation, otherwise known as the GDPR, by May 25, 2018.

Of course, every organisation’s journey to GDPR compliance is different. It depends on, among other factors, company size, the types and amount of data it processes, and its current security and privacy measures.

Getting ready for the GDPR

Organisations established in the EU and processing personal data of EU-based individuals will, in almost all cases, be required to comply with the GDPR by May 25, 2018. The GDPR updates and harmonises the framework for processing personal data in the European Union, and brings with it new obligations for organisations and new rights for individuals. Many organisations, large and small, are now preparing for the new regulation. 

Dropbox has many years of experience earning our users’ trust. Dropbox Business is certified as being compliant with the most widely accepted security and privacy standards and regulations in the world, such as ISO 27001/2, ISO27018/17 and SOC 2. Our cross-functional team of data protection specialists has put together a series of insights and resources to help you on your path to GDPR compliance.


What is the GDPR?

The GDPR is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It comes into effect on May 25, 2018. 

Personal data plays a huge part in society and the economy. It is essential that people have—and know they have—control and clarity over how their data is used and protected by any organisation they interact with, and that organisations are given clear guidelines to protect their personal data.

One of the aims of the GDPR is to harmonise and bring data privacy laws across Europe up to speed with the rapid technological change in the past two decades. It builds upon the current legal framework in the European Union, including the EU Data Protection Directive in existence since 1995. 

GDPR: The basics

Dropbox will meet the requirements of the GDPR by May 25, 2018. However, you should also be working to assess your readiness for the GDPR well in advance of that date.

How will Dropbox comply with the GDPR?

  • Trust is the foundation of our relationship with millions of people and businesses around the world. We value the confidence you've put in us and take the responsibility of protecting your information seriously.
  • ​​Dropbox places the utmost importance on data protection and has a track record of staying ahead of the compliance curve - for example, we were one of the first cloud service providers to achieve ISO 27018 — the internationally recognised standard for leading practices in cloud privacy and data protection. ​​
  • Dropbox’s Legal, Trust, and Privacy teams have carefully analysed the GDPR and are undertaking the necessary steps to ensure that we comply.
  • ​​We will meet the requirements of the GDPR by 25 May 2018.
What are your obligations under the GDPR? ​​
  • It is important to remember that you, as the business customer and the data controller, have specific legal obligations under the GDPR.
  • ​​You should be confident that any providers (data processors) which you work with have a highly robust approach to data protection, understand the obligations of the GDPR, and are well prepared to meet them.
  • ​​Remember, however, that no provider can offer to “solve” GDPR compliance for you. ​​
  • Dropbox’s shared responsibility guide sets out our approach to working together to keep your data secure and helps make clear Dropbox’s responsibilities and our customers’ responsibilities.

GDPR: Key changes

The GDPR brings with it a shift in mindset. It expressly introduces several principles that previously underpinned data protection law, such as the "accountability principle" and "privacy by design," and encourages organisations to take more responsibility for protecting the personal data they handle.

Privacy by design: This means that organisations handling personal data need to think about data protection when designing systems, not just review privacy implications after a product or process is developed. If you process a lot of data or deal with sensitive information, in many cases you'll also need to conduct data protection impact assessments to meet the privacy by design principle.

User rights: The GDPR expands the existing set of user rights and creates several entirely new rights. Companies should review and ensure they have effective systems in place to give effect to these rights.

Tougher breach notification rules: Under the GDPR, organisations are required to have a strong breach notification system in place and understand their specific reporting obligations.

Accountability: Not only must your company adhere to the principles set out in the GDPR, but you must also demonstrate that compliance in line with the principle of accountability. This requires a comprehensive and clear internal privacy governance structure.

Data protection officer: The GDPR requires companies that engage in processing of EU user data to determine if they should appoint a Data Protection Officer. Companies that routinely process large volumes of information or particularly sensitive information should consider appointing a DPO.

Dropbox’s GDPR compliance journey

Like many of our customers, at Dropbox we're actively preparing for the GDPR.

At Dropbox, trust is the foundation of our relationship with millions of people and businesses around the world. Respect for privacy and security was built into our business from the beginning. As we've grown, our focus on handling and protecting the data our customers entrust to us has remained a top priority.

The GDPR is consistent with how we think and operate. Our security practices already comply with the most widely accepted standards and regulations and we were one of the first cloud service providers to achieve ISO 27018—the internationally recognised standard for leading practices in cloud privacy and data protection.

Our Legal, Trust, and Security teams have carefully scrutinized the GDPR, and we're taking the necessary steps to identify where we need to comply and where any changes need to be made. We're on the way to full compliance before May 2018, and are committed to helping our customers prepare for their obligations.

Read more about “Dropbox’s GDPR Compliance Journey” here.

Working with your suppliers towards GDPR compliance

Learn why suppliers should be an important partner on your road to GDPR compliance.

GDPR: Understanding your data

Read about the GDPR basics and learn steps that you should consider to help prepare for the GDPR.

An opportunity to rethink your approach to data security

At its heart, the GDPR is about understanding your data and designing your approach to security around it.

Disclaimer: This site is intended to provide helpful guidance to customers on the GDPR and not as a comprehensive solution or legal advice. Each organisation should undertake their own steps to ensure compliance.