On the eve of GDPR taking effect across Europe, collaboration vendor Box landed in London today for its EMEA customer event and unveiled a new feature that allows customers to manage where users store their files in Box across any of seven global regions.
With concerns about data protection regimes front-of-mind for many, the new multi-region capability in Box Zones means that a single instance of Box can have users storing content in any of seven different regional zones. Each individual user can be assigned their own home storage zone, which can be changed if they relocate to a different region. The entire organization can also have a default zone. The seven zones are spread across North America, Europe and Asia-Pacific, backed by data centers in Canada, Japan, Singapore, Ireland, the US, Australia, Germany and the United Kingdom.
But as Box CEO Aaron Levie conceded in response to media questioning during the morning, the new capability is tangential to GDPR, which is more concerned with who is processing the data and why than with where it is stored:
[Box Zones] is much more about the data residency at rest — where is that information going to be stored? Previously customers had to choose one location where they wanted their data to be stored in. Now we can support when they have a multi-country set of compliance requirements that they have to adhere to.
That is not a specific requirement of the GDPR. It's much more enhanced value on top of what our customers are already beginning, in terms of our Binding Corporate Rules and a lot of the processes that we already support.
GDPR compliance - the buck stops with customers
According to Crispen Maung, chief compliance officer, Box is already "GDPR ready," based primarily on its implementation of Binding Corporate Rules, a mechanism developed by the EU to allow multinational organizations to make internal transfers of personal data across borders while still staying in compliance with EU data protection rules. But as he made clear, the buck for compliance still stops with customers:
How the implementation is designed and developed and implemented within your organization really has to be up to the customer, because we don't know what data you're putting into Box and how you are using that data and information. You really have to understand that yourselves and overlay your regulatory obligations on top of that.
What we've done is given you the knobs and dials to be able to configure that in a way that makes you comfortable in regards to meeting the specific regulations or obligations you may have.
In the future, Levie added, Box may add functionality that ties data residency to a business process rather than a specific user or organization:
Maybe in a five- or ten-year vision, we'd love to have this system be more intelligent and so be able to adapt to the business process that a company has and be able to ensure data residency that flows with the business process. But that's a little bit farther out right now.
A global version of GDPR?
Answering a question from diginomica, Levie also declared his support for data privacy regulations such as GDPR:
I think that what we've seen with the Facebook scandal of Cambridge Analytica — what we've seen with consumer properties in general — is the way our information is being used, how it's managed and who has access to it, and what advertisers have access to it, is pretty unclear with a lot of these platforms.
The more innocuous use cases were advertising and targeting, but now the more severe use cases are thinking about elections, thinking about what the future of our news and information distribution looks like. So I think it's actually really important that the EU [acted] and the GDPR decision I think was quite timely, if we think about how our platforms have grown and evolved over time and what the various privacy implications are.
Asked whether he agreed with Salesforce CEO Marc Benioff that the US should adopt similar laws on data protection, Levie argued for a global perspective on the issue:
I do think we need to be thinking about this on a global basis, for two reasons. One is to ensure that we don't get lots of conflicting data privacy laws that make it really, really hard for a global Internet to be able to persist. Just as we had the risk of Balkanization of data and systems from a data residency standpoint, you wouldn't want a Balkanization of data privacy requirements that make it really hard for global Internet platforms to be able to actually adhere to the law of any given location. So that's the first thing.
And then the second thing — again, I think this is more and more just becoming a right probably for anyone in using Internet services — is to be able to revoke data, to know exactly how it's being used, to ensure it's not going to parties that you haven't given express permission for. So I think it makes complete sense that the US would adopt something similar — or at least on a global basis, we create more consistent standards for how we should think about privacy online.
Levie is right: GDPR has arrived at a timely moment, when data privacy and protection issues have become front-of-mind due to a confluence of factors. And it's not the first time he and colleagues at Box have argued for global consistency in data protection rules.
Today's event inevitably included a packed session on GDPR implementation and it's to Box's credit that it has already put in the work needed to support customers in their compliance strategies. The new Box Zones capabilities add useful extra control for those organizations with specific residency requirements.