Are you GDPR ready?


Box’s GDPR Commitment

Box is committed to being GDPR-ready by the time the GDPR comes into effect on May 25, 2018, so that all customers can be GDPR-compliant in the cloud.


Box's Binding Corporate Rules (BCRs) underpin this commitment. BCRs are generally considered the gold standard for personal data protection around the world. In August 2016, Box's BCRs were approved for Box acting as both a controller and a processor, so Box can legally transfer personal data between the EU and the US.


The GDPR recognizes approved BCRs as a lawful basis for transferring personal data across borders. With BCRs already in place, Box is well-positioned to address the GDPR when it comes into effect.


BCRs are acknowledged by several countries worldwide. Box's BCRs have been approved by the UK, Polish, and Spanish Data Protection Authorities. The Japanese Data Protection Authority also acknowledges the value of the GDPR.


GDPR Overview

What is the GDPR?

The General Data Protection Regulation, better known as the "GDPR", is the EU's new data protection regulation. It was approved by the EU Parliament on 14 April 2016 and will replace the current Data Protection Directive 95/46/EC when it comes into effect on 25 May 2018.


What is the purpose of the GDPR?

The purpose of the GDPR is threefold: to harmonize data privacy laws and regulations across the EU, to protect the privacy of individuals in the EU, and to reshape the way organizations across the region (and beyond) approach data privacy.


Why is it different from past data protection directives?

The GDPR introduces many key changes compared to the current Directive 95/46/EC. These include expanded individual rights, the mandatory appointment of a Data Protection Officer for certain organizations, mandatory data breach notification to the supervisory authority (within 72 hours of becoming aware of the breach, where feasible), and stricter requirements for the lawful processing of personal data.


Who does the GDPR affect?

The scope of the GDPR is expansive. It protects the personal data of individuals in the EU regardless of their citizenship, grants data subjects comprehensive rights, and applies not only to organizations established in the EU but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU.


What happens with non-compliance?

Failure to meet GDPR requirements can result in fines of up to EUR 20 million (around $22.3 million) or 4% of the company's total worldwide annual turnover for the preceding fiscal year, whichever is higher.


How Box Addresses Key Requirements of the GDPR

With the General Data Protection Regulation (GDPR) just around the corner, Box is investing heavily in new policies and service processes, and in improving existing ones, to help you continue to meet (and surpass) your data privacy obligations.

Here are some ways Box is already enabling customers to become GDPR ready.

Transparency into information use.
The GDPR requires organizations to provide individuals with more information about how their personal data is used.

How Box enables transparency.
At Box, transparency is an important part of how we do business. Our product is designed to give customers full control of their content and of how it is accessed.

Clear Privacy Policy and BCRs.
Box's Privacy Policy and BCRs are written in plain, reader-friendly language. They describe Box's processes for collecting and processing data, as well as your rights regarding that data. Under Box's Privacy Policy, customers can also contact our privacy team directly about their data and other privacy-related issues.

Access controls.
Box is designed so that customer administrators can grant or revoke access to their Box account through the Admin Console. This means customers control who can access their content.

Product release communication.
Feature changes and product releases are communicated to customers through release notes in the Box Admin Console, so customers receive the most up-to-date information in a clear and easily accessible way.

Visibility into processing.
Under the GDPR, individuals have the right to obtain a copy of their personal data and to know how and where it is being processed.

How Box enables processing visibility.
At Box, customers can easily exercise these rights with the following product features:

Accessible usage logs. Customers can export logs through the Admin Console or the Box APIs.

Effortless downloads. Every file can be easily downloaded for local access.

Third-party integration management. Customers can quickly view and manage all of their third-party integrations in one place.

Right to be forgotten. Individuals can request the erasure of their personal data.

How Box enables the right to be forgotten.
At Box, customers are in control of content retention and deletion.

Trash retrieval.
Customers can enable the "Trash" function, which gives each user their own Trash folder from which they can retrieve items they have deleted.

Content retention.
Customers can also set how long files are kept in Trash before the permanent deletion process starts. Deletion begins when this retention period expires.

Trash permissions. Customers can also designate who may permanently delete content from the Trash folder. The options are Everybody, Admin Only, Admins and Co-Admins Only, or Nobody. If a user is permitted to empty their own Trash, doing so starts the deletion process immediately rather than at the end of the retention period.

Beyond the GDPR

Box helps customers strengthen their overall compliance posture beyond data privacy and the GDPR by enabling them to address data residency requirements, choose from several key encryption options, and meet retention and legal hold needs.


To learn more, see Box's Security and Compliance page or read Box's Data Privacy Radar, our blog series on how Box helps customers meet data privacy and data security regulations.