The 6 Essentials for File Sharing Under GDPR
9 May 2018
Before we had shared digital filing systems, we were restricted to either paper systems or sharing files via email. Paper systems require large amounts of physical space, which is why digital systems are so attractive. Using a file sharing system specifically designed for organizational use addresses these problems.
Until this month, personal data contained within these files has been protected under the current Data Protection Act (DPA) definitions of data and of the processing of that data. From May 25th, this will instead be regulated under the General Data Protection Regulation (GDPR).
GDPR builds on the protection given by the current DPA rules but gives greater significance to accountability and governance. Where these were implicit under the current rules, they are now explicit under GDPR. The intention is to increase the protection of an individual’s personal data and to minimize the impact of breaches.
GDPR applies to ALL personal data about EU citizens, wherever that data is held and wherever the organisation holding it resides. For more details of the explicit data this refers to, please read my previous blog on GDPR.
Essentially, this means you now need to have relevant and explicit governance in place. If you already follow good practice, then you probably already largely comply with the new regulations, but you should still check this.
This has implications for how you manage documents both off-line and on-line. Here are some tips to keep in mind for on-line file sharing under GDPR.
1. Managing shared files
Most organizations are inconsistent in the way folders are named and structured: folders are mislabelled or forgotten when new folder structures are created. Under GDPR, any files containing personal data must be managed in a way that keeps you compliant. Know how much personal data about individuals you hold, where it is, and whether it is sensitive as defined under GDPR.
- Keep files with common compliance or retention rules together – then they are easier to archive or delete as a group
- Update (or put in place) GDPR compliant procedures for managing consent, storage and breaches
- Identify your data ‘processors’ and data ‘controllers’ and make sure they understand the new rules
- Clearly define the responsibilities and accountabilities for processing and controlling data, especially where there is a deadline for responding
- Keep it simple - then people will remember it
- Keep a plan that everyone can refer back to
- Be consistent and don’t allow exceptions
Not everyone will need the same access to all documents all of the time. Think about what you need to share and who needs access to your documents. Consider whether you need levels of permission: first, who may access content at all, and second, whether a given user needs to edit content or only view it. Also consider whether users might ever require access to files 'off line' using off-line file synchronization.
Under GDPR, there is a right to a free electronic copy of someone’s personal data, and the right to be forgotten if the personal data is no longer relevant to the original purpose of collection (unless in the public interest to keep it). In practical terms, this means you need your access processes to be flexible enough to make this possible in a timely fashion.
- Know how much personal data about individuals you hold and how to access it quickly by individual
- Have a defined process for retrieving personal data, and for changing/deleting it
3. Data Security
Your documents are precious, and so is the data they contain. Under GDPR, you will need to be certain what personal information is contained within them. This was also true under the DPA, but GDPR's definition of personal data is much wider. This is often easier if your documents are stored online, and document security is often the main reason organizations move to online file sharing.
- Choose a file sharing solution that stores data in the EU and encrypts your data securely
- Don’t store local copies of documents – it is too easy to lose track and for the documents to fall out of the encryption ‘net’
- Put in place the means to detect data breaches
4. Data Encryption
GDPR requires that you implement measures to ensure the appropriate security and confidentiality of the personal data you hold. Public sector bodies and other similarly large organisations should be looking for the best level of data encryption available, depending on how sensitive their data is under the new GDPR definitions.
As a certified G Cloud Framework provider, for example, Glasscubes stores your data in an ISO27001 certified data centre based in the heart of London’s financial district. With over 20 data centres across Europe, the London facility is the data centre of choice for trading exchanges and financial platforms, having the highest power uptime reputation in London. All of your data is backed up instantly, and access to our service uses 2048-bit encryption to ensure the transfer of data between you and our servers is secure.
5. Create an audit trail
A good audit trail is important both for internal management confidence in your quality system and to comply with GDPR. A good online solution should, if well implemented, automatically create an audit trail for you.
6. Document Retention
Keeping documents longer than needed is a common problem with online systems. Documents are retained for too long, mostly because it is painful to purge them (paper or electronic) or simply because most people don’t know how long they are required to keep certain documents. Under GDPR, it is important to know what is in your archived files, and to keep only those you absolutely have to.
- Systems should be designed so that only essential and necessary data is held and accessible
- If at all possible, don’t allow offline copies of documents – all official documents should be in the shared folders
- Delete, or move to an encrypted and managed archive, any documents not needed day to day
- Your industry may have additional rules and regulations on how long your organisation must maintain a copy of your documents
Glasscubes is a UK-based provider of online workspaces that support a full range of cloud-based solutions. Find out more about how they can help you manage your data safely and effectively by calling +44 (0)20 3274 2310.