
Box: GDPR With Data Processing Addendum

And global data protection consulting services

Box, Inc. announced a simple self-serve solution for global data privacy preparedness ahead of the European Union’s (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, as well as new services from Box Consulting to help enterprises understand and meet key regulations around data protection.



The company has pioneered cloud content management and led the industry on several critical compliance standards and regulations over the past several years, including HIPAA (for patient data), GxP (for life sciences regulated content), FedRAMP (for U.S. government data), and now GDPR.

“Business today is more connected and global than ever. Customer expectations have never been higher, and there is immense pressure to move faster, work across the extended enterprise, and deliver new experiences,” said Stephanie Carullo, COO, Box. “In the digital workplace landscape, traditional approaches to data protection are obsolete. Businesses need modern cloud platforms that can power the future of work and meet tomorrow’s security, compliance and regulatory needs. Box is laser-focused on this challenge and GDPR is a huge opportunity to extend next-generation data protection to the cloud.”

GDPR readiness – Self-serve data processing addendum
GDPR is a data protection development in years, and was created to give European citizens more control over their personal data – ranging from mailing addresses to IP information. It covers the personal data for every EU citizen and provides comprehensive rights to data subjects. All companies that work with European employees, customers and partners will need to comply with the regulation – including being able to produce signed verification that any data stored or processed with third parties meets standards of data protection.

To help its customers meet verification needs, the company announced a Data Processing Addendum (DPA). The DPA, which is available to all of the firm’s current business customers, is a self-serve, easy-to-execute document that requires only an electronic signature from customers. Once signed, customers can provide the DPA to auditors to demonstrate that their data is being processed through the company’s service in a way that meets their GDPR compliance obligation.

“Box works with tens of thousands of companies around the world to enable collaboration and management of their business critical information. Now, with just a couple of clicks, businesses can quickly verify their use of Box’s GDPR compliant offerings and focus on what’s most important to their business,” said Pete McGoff, chief legal officer, Box. “We’ve invested significant resources toward GDPR compliance and we are committed to practicing transparency in how Box handles personal data. No one has made global data compliance in the cloud easier.”

The company offers a set of EU third-party certifications and uses Global Binding Corporate Rules (BCRs) both as a processor and data controller, enabling companies across Europe to deploy a validated cloud environment in accordance with high data protection standards. In addition to Privacy Shield, the firm obtained two German certifications: Cloud Computing Compliance Controls Catalog (C5) certification and TCDP 1.0 (Trusted Cloud-Datenschutzprofil für Cloud Anbieter). With Binding Corporate Rules, C5 and the TCDP, the firm has been independently reviewed for its privacy and cloud data protection practices and is suited to help customers prepare for the GDPR.

Box Consulting: Global data protection services
The company continues to raise the bar for privacy and security in the cloud, driving the industry with advanced enterprise capabilities. It has proactively implemented independently verified security and privacy practices to provide customers with transparency. It also works directly with customers to help them understand what safeguards are needed for data protection in the cloud, establishing a foundation for companies to meet domestic and international requirements.

As part of its global data protection services, Box Consulting is rolling out a compliance-focused consulting engagement aimed at helping customers prepare for, understand and address evolving compliance requirements such as GDPR, PCI DSS, FedRAMP, and HIPAA from a cloud content management perspective. The engagement team comprises the company’s technology and compliance professionals, who work in conjunction with a customer’s team to establish a workable governance framework that leverages the firm’s application.

The data protection service includes the following:

  • Assisting customers in developing a strategy for categorizing their data and running the corresponding risk profile analysis

  • Assisting customers in developing a data protection framework that is based on the customer’s own unique data protection risk profile

  • Providing implementation services to assist customers with implementing Box in accordance with their own derived implementation framework

  • Cross-industry perspectives on compliance/data protection obligations

“With offices in more than 19 countries, and millions of customers, it’s critically important that we obtain GDPR compliance to ensure the data of our customers and employees is protected,” said Stijn Stabel, head, architecture and innovation, Alcopa. “Being able to engage with Box’s consulting team, and utilize their compliance expertise, provides another layer of reassurance that we are taking the correct steps.”

The company’s global data protection offerings also include Box Zones, which provides customers with in-region storage; Box KeySafe, which allows administrators to have control and visibility over data; and Box Governance, which enables customers to comply with data retention policies, satisfy e-discovery requests, and effectively manage sensitive information.

The firm is also a provider in compliance standards, enabling customers to maintain adherence to industry regulations including HIPAA, FINRA, FedRAMP, and PCI DSS.

Resources:
Data protection addendum    
Box Consulting for data protection
