Data protection at the highest level 

At Zoho, we're committed to data privacy and protection. Over the years, we've consistently met the industry standards for ISO 27001 and SOC 2 Type II.

Here's how Zoho WorkDrive helps you stay GDPR compliant:

Consent [Article 7]

The first step towards getting GDPR-ready is to know what personal data you collect, where it's stored, how your organization is processing it, and who has access to it. An easy way to organize the data you already have is by maintaining an Information Asset Register (IAR). Develop an IAR in Zoho WorkDrive and update it regularly with your team, granting appropriate roles to everyone involved in the process. Every team in your organization can maintain their own IAR, while you oversee them as the admin.

As the controller, it's important for you to ensure that every data processing activity is backed by law, a contract, or freely given, informed, and specific consent. To demonstrate compliance, you should document the purpose of the data processing, and any contracts and consent forms that are applicable.

Zoho WorkDrive offers a secure team content collaboration platform with granular access controls for all files and folders. This means that you can control user permissions and keep track of who accesses a contract and when. With sub-folder level sharing, you can also give team members higher access permissions to specific files or folders within a Team Folder they're part of. For instance, if you need a team member to contribute to only one file within a Team Folder, you can add them to the Team Folder as a viewer and give editor permission only for the file you want them to edit. 

Security of processing [Article 32]

Once you've audited the data you're holding, the next step is to assess its possible exposure to security breaches. Ensure that appropriate technical measures are in place to protect any personal data you hold from breaches. All files stored in Zoho WorkDrive are encrypted with 256-bit Advanced Encryption Standard (AES) at rest, and with Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in transit.

You'll then need to evaluate all third-party vendors and contractors to ensure they're also GDPR compliant. It's essential to have the right contract terms in place with them and to formulate strict data sharing measures to minimize any accidental data breaches. Our advanced external sharing feature facilitates this by letting you create different external sharing links to files and folders, apply link properties like passwords and expiry dates, and make name and email fields mandatory. You can label these links for easy reference and track them separately. You can also disable external sharing for particular Team Folders or even your entire team.

To further enhance the security of the data you hold, Zoho Directory helps you:

  • Enforce two-factor authentication and password policies across your team.
  • Connect your Microsoft Active Directory with Zoho Directory to sync users, groups, and policies.
  • Verify your domain and only let users from the same domain join your account.
  • Ensure all users from your domain join your enterprise account instead of creating a new one, so you can oversee all the data processing activities in your organization.

Note: If a data breach does occur, despite all your efforts, it's imperative to report it to the national data protection authorities within 72 hours. If the breach poses a high risk to the affected individuals, you must inform them without any delay. At Zoho, our internal Privacy Incident Response policy ensures that customers will be notified of a breach. Read more about Zoho's GDPR readiness.

The road to GDPR compliance doesn't end with a one-time data audit and risk assessment. It's important to periodically review the personal data you hold, and delete any data you no longer require or haven't used in a long time. 

Right to Erasure [Article 17]

Data subjects have the right to ask for their personal data to be deleted. In such cases, all you have to do is use the universal search feature in Zoho WorkDrive to locate the specific subject's personal data and delete it from all the files on the platform. This feature is also helpful when data subjects request rectification of incorrect data or object to further processing. 

Anonymization/Pseudonymization [Article 4(5)]

If personal data is used in analytics, deleting it would change the results. GDPR highly recommends that data controllers anonymize or pseudonymize such data before analyzing it. Use a tool to anonymize or pseudonymize your data, then use the Zoho WorkDrive desktop app to sync it back to your Zoho WorkDrive account. You can also upload a new version of the file using our versioning feature. If you want to manually anonymize or pseudonymize data stored in Zoho WorkDrive, use our built-in Office Suite: Writer, Sheet, and Show.

Right to Subject Access Requests [Article 15]

The right to data access gives the subject the right to know whether their personal data is being processed, the source of the data if it wasn't collected from them directly, and how the data is being processed. As the data controller, you should also be able to provide a copy of the data that's undergoing processing. Our detailed activity reports let you track and export data processing activity logs. With our external sharing feature, you can also give data subjects access to their personal data, while still maintaining security. 

Right to Data Portability [Article 20]

Data subjects have the right to ask for their personal data in a structured, machine-readable format. They can also have it moved from one controller to another, when technologically feasible. Zoho WorkDrive helps you meet these requests by letting you locate all personal data pertaining to a data subject and provide it in a structured, downloadable format. 

Administrative capabilities to make GDPR compliance simple

Zoho WorkDrive has features to help you meet all the requests your data subjects might make. For instance, when dealing with the personal files of an employee who's leaving your organization, do you act on the basis of your legitimate interest or the employee's privacy? In such cases, it's necessary to perform a legitimate interest assessment, and choose to protect the employee's privacy if you do not find a legitimate interest. Zoho WorkDrive lets you temporarily revoke an employee's access to their files until a decision is made and then either let the employee download the files they require, or exercise your legitimate interest to delete the files or transfer their ownership to another employee.

It's also important to ensure you don't lose any data accidentally. Deleted files are always available in the trash list of the Team Folder until the organizer or admin either restores them or deletes them. Files deleted from the Team Folder trash list will be available in the team trash list, where the team admin can restore them or delete them permanently. 

This is just the beginning!

At Zoho, we believe in continuously improving your user experience and exceeding your expectations. We're constantly looking for ways to enhance privacy and will be adding more features to help our customers comply not just with GDPR but also with standards set by data protection authorities around the world. For instance, we'll soon be introducing a feature to allow customers to set custom retention policies for trashed files. We're also working on custom member roles, so you can have more control over everything happening in your Team Folders. Stay tuned for more feature updates to WorkDrive!

Disclaimer: The information discussed here should not be construed as legal advice or be a replacement for legal advice. Zoho does not take responsibility for misinterpretation or misunderstanding of content by the reader. Zoho makes no guarantees, express, implied, or statutory, as to the information presented here. Please seek the guidance of a legal consultant/advisor on the best ways to ensure GDPR compliance.