Are you GDPR ready?

Box’s GDPR Commitment

Our philosophy is to evaluate and meet the highest bars for data privacy globally, and to help put organizations in a position to meet different data privacy obligations across jurisdictions. Box is committed to being GDPR-ready by the time GDPR comes into effect on May 25, 2018, so that all customers can be GDPR-compliant in the cloud.


BCRs enable the commitment to be GDPR-compliant. Box has BCRs, or Binding Corporate Rules, which are generally considered the gold standard around the world for personal data protection. In August 2016, Box received Binding Corporate Rules as both a controller and a processor, and can legally transfer data between the EU and the US. The GDPR recognizes those with BCRs as able to legally transfer data across borders.


Virgin Trains choose Box with Box Zones and Box Governance for data residency and compliance to meet data privacy obligations, including GDPR.

GDPR Overview

GDPR harmonizes data privacy laws and regulations across the EU, protects EU citizens in the area of data privacy and reshapes the way organizations across the region (and beyond) approach data privacy.


Why is it different from past data protection directives?


Some of the key changes include more individual rights, the appointment of a “Data Protection Officer” position, mandatory data breach notifications and higher requirements for lawful processing of personal data.


Who does the GDPR affect?


The GDPR covers all EU citizens' personal data and provides comprehensive rights to data subjects.


What happens with non-compliance?


Failure to meet GDPR requirements can result in fines up to EUR 20 million (around $22.3 million) or 4% of the company’s total global revenue for the preceding fiscal year, whichever is higher.


Download this ebook to learn more about the GDPR and this infographic on the practical steps to take for developing a GDPR strategy. Check out Box’s Data Privacy Radar, our blog series on how Box helps customers meet data privacy and data security regulations.

How Box Addresses Key Requirements of the GDPR

With the General Data Protection Regulation (GDPR) just around the corner, Box is investing heavily to develop new policies/service processes, as well as to improve on existing ones, to help you to continue to meet (and surpass) your data privacy obligations. Here are some ways Box is already enabling customers to become GDPR ready.


Box enables transparency.


Transparency is an important part of our business process. Our product is designed to provide customers with full control of their content, along with access controls.


Box enables processing visibility.


Our customers can easily exercise processing visibility rights with the following product features: accessible usage logs, effortless downloads, and management of third-party integrations.


Box enables the right to be forgotten.


Our customers are in control of content retention and deletion with trash retrieval functionality, trash permissions, and retention enhancements.

How Box is enabling customers to become GDPR ready

Transparency into information use.
The GDPR will likely require organizations to provide more information about how individuals’ information is used.

How Box enables transparency.
Here at Box, transparency is an important part of our business process. Our product is designed to provide customers with full control of their content and the ways to access it.

Clear Privacy Policy and BCRs.
Box’s Privacy Policy and BCRs are clearly communicated in reader-friendly language. These documents describe Box’s processes around data collection and processing, in addition to your rights around such data. Under Box’s Privacy Policy, we also offer ways for our customers to communicate with our privacy team directly regarding their data and other privacy-related issues.

Access controls.
Box is designed so that customer administrators have the ability to grant or rescind access to their Box account through the Admin Console. This means customers are the ones who control who can access the content.

Product release communication.
Feature changes and product releases are communicated to customers through release notes on the Box Admin Console. Our customers will receive the most up-to-date information in a clear and easily accessible way. 

Visibility into processing.
Under the GDPR, individuals can access a copy of their data and know where their data is being processed.

How Box enables processing visibility.
Here at Box, our customers can easily exercise these rights with the following product features: 

Accessible usage logs. Customers can export logs through the customer’s Admin Console or APIs.

Effortless downloads. Every file can be easily downloaded for local access.

Third-party integration management. Customers can quickly view and manage all of their third-party integrations in one place.

Right to be forgotten.
Individuals can ask to delete their personal data.

How Box enables the right to be forgotten.
Here at Box, our customers are in control of content retention and deletion.

Trash retrieval.
Customers can enable the “Trash” function, which allows users to have their own Trash folder and enables them to retrieve items they may have deleted.

Content retention.
Customers can also set the parameters around how long files will be kept in Trashed files before the actual deletion process starts. The deletion process will begin at the expiration of this time period.

Trash permissions.
Customers can also designate who has the ability to permanently delete content in the Trash folder. Options can be set to Everybody, Admin Only, Admins and Co-Admins Only, or Nobody. If this parameter is set to allow a user to empty their trash, the deletion process will begin.