Page 1 of 3 123 LastLast
Results 1 to 15 of 43

Thread: Dropbox and GDPR

  1. #1
    Senior Member oneiros's Avatar
    Join Date
    May 2014
    Location
    Worcestershire, UK
    Posts
    465
    Thanks
    342
    Thanked 168 Times in 105 Posts

    Dropbox and GDPR

    Am I right in thinking that we still can't use Dropbox for sharing files because the free account doesn't let you specify that the data remains in the EU?

    I haven't seen an update since this post where they state that they allow Business/Enterprise/Education users (with 250+ seats) to host their data in the EU.

    Thanks.
    Last edited by oneiros; 09-05-2018 at 08:14 AM.

  2. #2
    Senior Member
    Join Date
    Mar 2012
    Posts
    623
    Thanks
    62
    Thanked 229 Times in 148 Posts
    I'm not an expert so would be interested in what others think but Dropbox themselves say they are compliant (I guess they may not be the most unbiased source).

    It would also depend on what data is contained in the files you are storing (GDPR only applies to personal data).

  3. #3
    Senior Member oneiros's Avatar
    Join Date
    May 2014
    Location
    Worcestershire, UK
    Posts
    465
    Thanks
    342
    Thanked 168 Times in 105 Posts
    I think Dropbox's statement that they're compliant is with respect to them holding our personal data, not any data that we might be storing.

    As you say, GDPR only applies to personal/sensitive data, but the Data Protection Act of 1995 presumably still applies?

  4. #4
    Senior Member
    Join Date
    Sep 2009
    Posts
    10,008
    Thanks
    2,675
    Thanked 2,006 Times in 1,268 Posts
    Quote Originally Posted by oneiros View Post
    I think Dropbox's statement that they're compliant is with respect to them holding our personal data, not any data that we might be storing.

    As you say, GDPR only applies to personal/sensitive data, but the Data Protection Act of 1995 presumably still applies?
    DPA1995 only applies to personal data as well. There is no legislation surrounding non-personal data and nor should or would there be.

  5. The Following User Says Thank You to Neil Williams For This Useful Post:

    oneiros (09-05-2018)

  6. #5
    Member
    Join Date
    Apr 2016
    Posts
    32
    Thanks
    0
    Thanked 7 Times in 5 Posts
    This is a sticky one. Dropbox, Google, Yahoo, Microsoft all have servers all over the place. I doubt any provider can categorically say that they can ring fence our data in a specific EU location - in which case all cloud data and all email data is not GDPR compliant. That doesn't of course say it is less safe... I personally don't think EU servers are safer.. just your Group's liability is safer if you have a box ticked.

  7. #6
    Group Scout Leader
    Join Date
    Oct 2007
    Location
    Stanstead Abbotts, Hertfordshire
    Posts
    641
    Thanks
    84
    Thanked 222 Times in 126 Posts
    A lot of providers do now offer specific EU servers. Our Office 365 service states UK / EU located servers. No way for us to prove that of course.

  8. #7
    Senior Member
    Join Date
    Mar 2012
    Posts
    623
    Thanks
    62
    Thanked 229 Times in 148 Posts
    Quote Originally Posted by Paul o View Post
    This is a sticky one. Dropbox, Google, Yahoo, Microsoft all have servers all over the place. I doubt any provider can categorically say that they can ring fence our data in a specific EU location - in which case all cloud data and all email data is not GDPR compliant. That doesn't of course say it is less safe... I personally don't think EU servers are safer.. just your Group's liability is safer if you have a box ticked.
    My understanding was that data can be held outside of the EU where it is in an approved country or if not in an approved country if adequate safeguards have been put in place.

    Am I missing something?

  9. #8
    Senior Member
    Join Date
    Nov 2013
    Posts
    458
    Thanks
    352
    Thanked 310 Times in 155 Posts
    We have stopped using Dropbox as a result of our GDPR review - but not because of the EU issue (although that might still be relevant).

    The main reason we have stopped using Dropbox is because we could not see a sensible mechanism for controlling access to data without paying for enterprise services. If you are just using personal accounts it is not possible to have administrative control to remove access to data when someone leaves (i.e. if the individual that setup the dropbox account leaves). I guess this might not be an issue for many, but we felt that it was important for our governance of data.

    We use Google Apps for Non-Profits. Their Team Drive system provides the control that we think we need. We issue group email accounts to all leaders/adult volunteers and strongly recommend that they use these for all of their scout activity. This means that we can control things and remove access if necessary. It should also make Subject Access Requests a bit more practical (should we every get one).

    GDPR has led us to rationalise our IT systems and it will take a little while convince all of our leaders to use the services that we would like them to.

  10. #9
    Senior Member
    Join Date
    Sep 2009
    Posts
    10,008
    Thanks
    2,675
    Thanked 2,006 Times in 1,268 Posts
    Quote Originally Posted by hippysurfer View Post
    The main reason we have stopped using Dropbox is because we could not see a sensible mechanism for controlling access to data without paying for enterprise services. If you are just using personal accounts it is not possible to have administrative control to remove access to data when someone leaves (i.e. if the individual that setup the dropbox account leaves). I guess this might not be an issue for many, but we felt that it was important for our governance of data.
    You can do that, you just set it up using a Group email address and share it from there with those who need access. Ensure two people have the username and password, and if one leaves the remaining person changes the password, shares it with one other person, and unshares from the person who has left.

    One thing to be aware of with all the "drives" (O365 Sharepoint/Onedrive included if you sync it to the PC) is that if you remove their access it does not remove the data from their PC, and even if it did there is nothing to stop them copying it before you did. So it's impossible to be 100% here. The only way to get near 100% is to use something like Citrix so you aren't accessing it on your own machine, but that has all sorts of other problems and is probably unnecessary anyway.

  11. #10
    Senior Member
    Join Date
    Aug 2009
    Location
    Herts, UK
    Posts
    716
    Thanks
    1
    Thanked 131 Times in 99 Posts
    Quote Originally Posted by hippysurfer View Post
    The main reason we have stopped using Dropbox is because we could not see a sensible mechanism for controlling access to data without paying for enterprise services. If you are just using personal accounts it is not possible to have administrative control to remove access to data when someone leaves (i.e. if the individual that setup the dropbox account leaves).
    This is what would bother me (for personal information). As Neil Williams says, you're not removing the data from someone's PC when you withdraw access. And the fact that it's getting copied to all sorts of devices (my Dropbox is copied to PC, tablet and phone, for example) means it's completely uncontrolled. I think there's a lot to be said for leaving the data in OSM, and not even printing it if you can help it. Obviously lists for camp need a bit more thought, although there's a lot to be said for OSM Anywhere (which allows offline access, so doesn't need a phone signal, and keeps the data encrypted).

    For non-personal information, no problem. We've got various files in there, including risk assessments and Executive records.
    SL, 11th Hitchin

  12. #11
    Senior Member
    Join Date
    Sep 2009
    Posts
    10,008
    Thanks
    2,675
    Thanked 2,006 Times in 1,268 Posts
    The way I plan camps there's always *some* personal data on our Sharepoint, but personal data to the extent of X being an attendee on the camp is so low-risk that I think that is somewhat de-minimis. It getting out would be so inconsequential that it would barely justify a report to the ICO. (Not all breaches need to be reported, just ones that may be consequential).

    What I identified I probably should do is to delete notes about allergies on those spreadsheets once the camp is over, as those are technically sensitive personal data (though to be honest that's only technically the case, as I can't see how knowing that Neil Williams is gluten intolerant is of any consequence whatsoever - look, I just posted it on the Internet... )
    Last edited by Neil Williams; 09-05-2018 at 10:23 PM.

  13. #12
    Senior Member
    Join Date
    May 2009
    Location
    Lisburn
    Posts
    674
    Thanks
    20
    Thanked 132 Times in 90 Posts
    Quote Originally Posted by Simon.md View Post
    My understanding was that data can be held outside of the EU where it is in an approved country or if not in an approved country if adequate safeguards have been put in place.

    Am I missing something?
    There was a "Safe Harbour" agreement but that was struck down after the EU court ruled it was not compatible with EU data protection regulations - mostly to do with how the Americans treated data. It was replaced by "Privacy Shield" which supposedly gives the required level of protection but this is also being referred to the Eu Court and most people believe it will also be ruled as not compatible. At the moment if a company has signed up to privacy shield it is ok but don't expect that to last.

    Additionally the US has recently passed a law which allows US law enforcement to demand access to any data held by a US company (possibly also any company with a US presence) anywhere in the world. How that is going to play out against GDPR is going to be "interesting".

    Not sure how it affects other countries such as India were significant data processing is done on UK based people.

    For scouting this may seem low risk but it will only take one parent complaining for it all to go pear shaped.

    Personally I'm aiming to stay as far away from storing personal data on cloud based systems as possible. Any files which do have to passed or stored will be password protected.

  14. #13
    Member
    Join Date
    Apr 2016
    Posts
    32
    Thanks
    0
    Thanked 7 Times in 5 Posts
    Quote Originally Posted by Neil Williams View Post
    ...

    What I identified I probably should do is to delete notes about allergies on those spreadsheets once the camp is over, as those are technically sensitive personal data (though to be honest that's only technically the case, as I can't see how knowing that Neil Williams is gluten intolerant is of any consequence whatsoever - look, I just posted it on the Internet... )
    There is a justification for keeping all those camp declarations. We live in a climate of litigation - and if a parent retrospectively says their child was not protected because of his special requirements - but the Leaders' defence is they were not informed of any special requirements, then those notes will be valuable.

    It does worry me that GDPR is motivated by risk reduction - not reducing risk of damage to an individual, but reduction of risk of fines because of a lack of adherence to GDPR. I can foresee wholesale shredding of data - or dumping it in a skip!. One day, many decades hence there could be a retrospective lawsuit against a leader or Group - maybe based on an unsubstantiated claim of impropriety at a camp say, and then the Group will possibly have no evidence to defend themselves even to the point of having no record of attendance of the alleged perpetrator, or the alleged victim. I do wonder if GDPR is addressing the risks that don't really justify the hoo-ha, when there are much bigger risks out there and GDPR could make them worse.

  15. #14
    Senior Member
    Join Date
    Sep 2009
    Posts
    10,008
    Thanks
    2,675
    Thanked 2,006 Times in 1,268 Posts
    TBH you’d get the vast majority of benefits of GDPR by doing two things - completely banning unsolicited direct marketing to individuals (I would be wholly in favour of this and always opt out and refuse to speak to any marketeer on the phone; their case is not helped by most being abject liars by saying it isn’t a sales call when you ask them directly if it is) and introducing a penalty for large data breaches (which are the real issue).

    But the EU does seem to like disadvantaging small organisations by throwing bureaucracy at them. Which is odd, because most other EU countries are much more small business type places than the UK is.

  16. #15
    CSL (In training)
    Join Date
    Jun 2014
    Posts
    2,557
    Thanks
    2,059
    Thanked 584 Times in 431 Posts
    To be fair, the GDPR does include the second of your options....

Similar Threads

  1. Gdpr
    By abram_akela in forum Scouting Talk
    Replies: 178
    Last Post: 11-07-2018, 03:13 PM
  2. dropbox and scout records
    By tomahawk in forum Scout Websites & Computers
    Replies: 52
    Last Post: 15-03-2012, 10:24 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •