Data protection at the highest level
At Zoho, we are committed to data privacy and protection. Over the years, we have demonstrated this by consistently meeting the industry standards for ISO 27001 and SOC 2 Type II.
Here's how Zoho Docs helps you ease your compliance journey:
Consent [Article 7]
The first step towards getting GDPR-ready is to know what personal data you collect, where it's stored, how your organization is processing it, and who has access to it. An easy way to organize all the data you already have is by maintaining an Information Asset Register (IAR). Develop an IAR in Zoho Docs and update it regularly with your team, granting access only to those involved in the process.
As the controller, it's important for you to ensure that each data processing activity is backed by a lawful basis, a contract, or freely given, informed and specific consent. To demonstrate compliance, you should document the purpose of the data processing, and any contracts and consent forms where applicable.
Zoho Docs offers a secure storage platform with granular access controls for all files and folders. This means that you can control user permissions and keep track of who accesses a contract and when.
Security of processing [Article 32]
Once you have audited the data you hold, the next step is to assess its possible exposure to security breaches. Ensure that appropriate technical measures are taken to protect any personal data you hold from possible breaches. All files stored in Zoho Docs are encrypted with 256-bit Advanced Encryption Standard (AES) at rest, and with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in transit.
Evaluate all third-party vendors and contractors and make sure they are GDPR compliant. You’ll also need to have the right contract terms in place with them.
Formulate strict data sharing measures to minimize any accidental data breach. Zoho Docs facilitates this by providing password-protected external sharing links that have expiry dates. You can also revoke access to a file at any time.
Note: If a data breach happens despite all your efforts, it's imperative to report it to the national data protection authorities within 72 hours. If the breach poses a high risk to the affected individuals, you must inform them without any undue delay. At Zoho, our internal Privacy Incident Response policy ensures that customers will be notified of a breach. Read more about Zoho's GDPR readiness.
The road to GDPR compliance doesn't end with a one-time data audit and risk assessment. It is also important to periodically review the personal data you hold, and delete any data you do not require any more or haven't used in a long time.
Right to Erasure [Article 17]
Data subjects have the right to ask for their personal data to be deleted. In such cases, all you have to do is use the universal search feature in Zoho Docs to locate the specific subject's personal data and delete it from all the files on the platform. This feature is also helpful when data subjects request rectification of incorrect data or object to further processing.
Anonymization/pseudonymization [Article 4(5)]
If personal data is used in analytics, deleting it would distort the results. GDPR highly recommends that data controllers anonymize or pseudonymize such data before analyzing it. Use your choice of tool to anonymize or pseudonymize your data, then use Zoho Docs for Desktop to sync it back to your Docs account. You can also upload a new version of the edited file using our versioning feature. If you want to manually anonymize or pseudonymize data stored in Zoho Docs, use our built-in Office Suite: Writer, Sheet, and Show.
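The difference between pseudonymizing and anonymizing a file matters for which GDPR obligations still apply, so here is an added example (not Zoho's code, and not tied to any Zoho Docs API) showing both on a constructed CSV export. Pseudonymization replaces direct identifiers with a keyed HMAC token, so rows for the same person still group together for analytics, but re-identification needs a key that is stored separately from the file. Anonymization drops the direct identifiers and coarsens the age column into bands, so nothing is left to re-link. The sample data, the column names and the demo key are all constructed for this example.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample: a small export as it might sit in a shared folder.
SAMPLE_CSV = """name,email,age,country,purchase_total
Alice Example,alice@example.com,34,DE,120.50
Bob Example,bob@example.com,41,FR,89.99
Alice Example,alice@example.com,34,DE,15.00
"""

# Columns that identify a person directly (assumed for this sample).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize_value(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed token.

    HMAC-SHA256 keeps the token stable for the same input (so rows for one
    person still group together) while making reversal without the key
    impractical. The key must be kept outside the analytics dataset.
    """
    normalized = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def pseudonymize_csv(text: str, key: bytes, fields=DIRECT_IDENTIFIERS) -> list[dict]:
    """Return the rows with every direct identifier replaced by a keyed token."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        new_row = dict(row)
        for field in fields:
            if field in new_row:
                new_row[field] = pseudonymize_value(new_row[field], key)
        out.append(new_row)
    return out


def age_band(age: str) -> str:
    """Coarsen an exact age into a ten-year band (a quasi-identifier)."""
    low = (int(age) // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_csv(text: str, fields=DIRECT_IDENTIFIERS) -> list[dict]:
    """Drop direct identifiers entirely and coarsen the age column.

    Unlike pseudonymization, no key or mapping is kept, so the rows can no
    longer be linked back to a person by the controller either.
    """
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        new_row = {k: v for k, v in row.items() if k not in fields}
        if "age" in new_row:
            new_row["age"] = age_band(new_row["age"])
        out.append(new_row)
    return out


def to_csv(rows: list[dict]) -> str:
    """Serialize rows back to CSV text, ready to sync or upload as a new version."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed key for the demo only; generate a real one with
    # secrets.token_bytes(32) and store it separately from the output file.
    demo_key = b"constructed-demo-key-do-not-reuse"
    print(to_csv(pseudonymize_csv(SAMPLE_CSV, demo_key)))
    print(to_csv(anonymize_csv(SAMPLE_CSV)))
```

The pseudonymized file still counts as personal data under GDPR because the key can reverse the mapping, which is why the key belongs in a separate, access-controlled location rather than in the same folder as the file; the anonymized file is what you hand to analysts who have no need to know who the rows belong to.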
Right to Subject Access Requests [Article 15]
The right of data access gives the data subject the right to know whether their personal data is being processed, the source of the data if it wasn't collected from them directly, and how the data is being processed. As the data controller, you should also be able to provide a copy of the data that's undergoing processing. Our detailed activity reports let you track and export data processing activity logs. With our external sharing feature, you can also give data subjects access to their personal data.
Right to Data Portability [Article 20]
Data subjects have the right to ask for their personal data in a structured, machine-readable format and to transmit it to another controller. They can also have it moved from one controller to another, when technologically feasible. Zoho Docs helps you meet such requests by letting you locate all personal data pertaining to a data subject and provide it in a structured downloadable format.
Administrative capabilities to make GDPR compliance simple
Zoho Docs has features to help you meet all the requests your data subjects may make. For instance, when dealing with the personal files of an employee who's leaving your organization, do you act on the basis of your legitimate interest, or protect the employee's privacy? In such cases, it is necessary to perform a legitimate interest assessment, and to choose to protect the employee's privacy if you do not find a legitimate interest. Zoho Docs lets you temporarily revoke an employee's access to their files until a decision is made. You can then either let the employee download the files they require, or exercise your legitimate interest to delete the files or transfer their ownership to another employee.
This is just the beginning!
At Zoho, we believe in continuously improving user experience and exceeding expectations. We are constantly looking for ways to enhance privacy and will be adding more features to help our customers comply not just with GDPR, but also with standards set by data protection authorities around the world. For instance, we will soon be introducing a feature to allow customers to set custom retention policies for trashed files. Stay tuned for more feature updates from us.
Disclaimer: The information discussed here should not be construed as legal advice or be a replacement for legal advice. Zoho does not take responsibility for misinterpretation or misunderstanding of content by the reader. Zoho makes no guarantees, express, implied, or statutory, as to the information presented here. Please seek the guidance of a legal consultant/advisor on the best ways to ensure GDPR compliance.