The Cloud Storage Challenge
Cloud storage has transformed how small businesses work. No more emailing documents back and forth, no more "which version is the latest?" confusion, no more panicking when a laptop dies.
But there's a catch. When you store files in the cloud, you're still responsible for protecting any personal data in them. GDPR doesn't care whether your data is on a server in your office or in Microsoft's data centre—the rules apply either way.
This guide helps you get the benefits of cloud storage while keeping the ICO happy.
GDPR Basics for Cloud Storage
Under UK GDPR, you're the **data controller**—you decide why and how personal data is processed. Your cloud storage provider (Microsoft, Google, Dropbox) is a **data processor**—they process data on your behalf.
This means:
- **You're responsible** for what data you store and who can access it
- **They're responsible** for keeping their infrastructure secure
- **You need a contract** (called a Data Processing Agreement) with your provider
Good news: major cloud providers have standard DPAs built into their terms of service. You don't need to negotiate anything—just make sure you've accepted the relevant terms.
Choosing Where Your Data Lives
GDPR requires adequate protection for personal data transferred outside the UK. Since Brexit, this has become more complicated:
Safe Destinations
- **UK data centres**: No issues
- **EU/EEA data centres**: Covered by adequacy decision
- **US providers with Data Privacy Framework**: Microsoft, Google, and Dropbox are all certified
What to Check
Most major providers let you choose your data region:
| Provider | UK/EU Data Centre Option | How to Enable |
|----------|-------------------------|---------------|
| Microsoft 365 | Yes | Set during tenant creation, or migrate later |
| Google Workspace | Yes | Admin Console → Account → Data region |
| Dropbox Business | Yes (EU) | Contact support for team migration |
| Box | Yes | Admin Console → Enterprise Settings |
If you're handling particularly sensitive data (medical, legal, financial), explicitly choosing UK or EU storage removes any transfer concerns.
Access Control: Who Can See What
The most common GDPR failures with cloud storage aren't sophisticated hacks—they're permissions mistakes. Someone shares a folder too broadly, and suddenly confidential data is accessible to the wrong people.
The Principle of Least Privilege
Only give people access to what they need for their job. Sounds obvious, but it's easy to get wrong:
**Bad**: Everyone has access to everything "in case they need it"
**Better**: Team folders with appropriate access levels
**Best**: Role-based access that's reviewed regularly
Practical Folder Structure
```
📁 Company Files
├── 📁 Public (All staff)
│   ├── Templates
│   ├── Brand assets
│   └── Policies
├── 📁 Teams
│   ├── 📁 Sales (Sales team only)
│   ├── 📁 Finance (Finance team only)
│   └── 📁 Operations (Ops team only)
├── 📁 Projects (Project-specific access)
├── 📁 HR (HR only - personal data)
├── 📁 Management (Directors only)
└── 📁 Client Files (Per-client access)
```
Access Levels Explained
| Level | Can View | Can Edit | Can Share | Can Delete | Use For |
|-------|----------|----------|-----------|------------|--------|
| Viewer | ✓ | ✗ | ✗ | ✗ | Reference materials |
| Commenter | ✓ | Comments only | ✗ | ✗ | Review processes |
| Editor | ✓ | ✓ | ✗ | ✗ | Active collaboration |
| Admin | ✓ | ✓ | ✓ | ✓ | Folder owners |
Sharing Files Safely
Sharing is where things get risky. A "share with anyone who has the link" setting turns a private document into a public one.
Sharing Rules to Live By
**Rule 1: Named sharing over link sharing**
Share directly with specific people's email addresses rather than creating open links. This creates an audit trail and ensures only the intended recipients can access the file.
**Rule 2: Set expiry dates**
If you must use link sharing, set links to expire. Most providers support this:
- OneDrive: Set expiry when creating link
- Google Drive: Requires Google Workspace, set in Admin Console
- Dropbox: Set expiry when creating link
**Rule 3: Disable downloading when possible**
For sensitive documents, share as "view only" with downloads disabled. Recipients can view the document but can't download a copy.
**Rule 4: Use password protection for external sharing**
If sending to people outside your organisation, add password protection and send the password via a different channel (text, phone call).
**Rule 5: No "anyone with the link" for personal data**
Never use anonymous link sharing for documents containing personal information. Always require sign-in.
A Safer Sharing Workflow
1. Is this document suitable for sharing externally? (Check classification)
2. Share with specific named recipients
3. Set "view only" unless editing is needed
4. Add expiry date (7-30 days depending on purpose)
5. Enable link password if external
6. Notify recipients through a separate channel
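The sharing rules and workflow above can be checked mechanically against an exported sharing report. The script below is an added example, not part of the original guide or any provider's tooling; it flags rows that break Rules 2 to 5. The CSV column names, the `ourco.example` domain and the sample rows are constructed assumptions, so map them to whatever your provider's export contains.

```python
import csv
import io
from datetime import date

# Constructed sample of a sharing report. Column names are hypothetical;
# map them to whatever your provider's export actually contains.
SAMPLE_REPORT = """file,classification,link_type,recipient,expires,password,can_download
HR/payroll-2024.xlsx,personal,anyone,,,no,yes
Client Files/acme/contract.pdf,personal,named,jo@acme.example,2025-03-20,yes,no
Public/brand-guide.pdf,public,anyone,,,no,yes
Projects/bid.docx,internal,named,sam@partner.example,2025-06-30,no,yes
Teams/Sales/leads.csv,personal,named,kim@ourco.example,,no,yes
"""

INTERNAL_DOMAIN = "ourco.example"   # assumption: your organisation's domain
MAX_LINK_DAYS = 30                  # upper bound from the workflow (7-30 days)

def check_share(row, today):
    """Return the list of sharing-rule violations for one report row."""
    issues = []
    personal = row["classification"] == "personal"
    anonymous = row["link_type"] == "anyone"
    external = anonymous or not row["recipient"].endswith("@" + INTERNAL_DOMAIN)
    if anonymous and personal:
        issues.append("rule 5: anonymous link on personal data")
    if external and row["classification"] != "public":
        if not row["expires"]:
            issues.append("rule 2: no expiry date")
        elif (date.fromisoformat(row["expires"]) - today).days > MAX_LINK_DAYS:
            issues.append("rule 2: expiry more than 30 days away")
        if row["password"] != "yes":
            issues.append("rule 4: external share without password")
        if personal and row["can_download"] == "yes":
            issues.append("rule 3: download enabled on personal data")
    return issues

def audit(report_text, today):
    """Map each flagged file to its violations; compliant rows are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        issues = check_share(row, today)
        if issues:
            findings[row["file"]] = issues
    return findings

if __name__ == "__main__":
    for path, issues in audit(SAMPLE_REPORT, date(2025, 3, 1)).items():
        print(path, "->", "; ".join(issues))
```

Internal shares and files classified as public pass without checks, so the output is only as good as the classification column feeding it.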
Retention: How Long to Keep Files
GDPR says you shouldn't keep personal data longer than necessary. But what does "necessary" mean for cloud storage?
Practical Retention Periods
| Document Type | Suggested Retention | Reason |
|--------------|--------------------|---------|
| Active project files | Duration of project + 1 year | Reference for follow-up work |
| Completed projects | 6 years | Limitation period for contract claims |
| Employee records | 6 years after leaving | Employment law requirements |
| Financial records | 7 years | HMRC requirements |
| Client contracts | 6 years after end | Limitation period |
| Marketing lists | Until consent withdrawn | GDPR consent rules |
| Job applications (rejected) | 6-12 months | Discrimination claim period |
Setting Up Automated Retention
Most business cloud storage plans support retention policies:
**Microsoft 365 (Compliance Centre)**
- Create retention labels for different document types
- Apply automatically based on folder or keyword
- Set review triggers before deletion
**Google Workspace (Vault)**
- Create retention rules by organisational unit or keyword
- Set retention periods with automatic deletion
- Place legal holds when needed
**Dropbox Business (Admin Console)**
- Set team-wide retention policies
- Configure permanent delete vs recoverable delete
- Legal hold for specific folders
The "Just Delete It" Trap
Manual deletion doesn't work at scale. Staff forget, files get missed, and you end up with a mess. Invest time setting up automated policies—it pays off.
Audit Trails: Knowing Who Did What
If the ICO comes calling after a data breach, one of the first questions will be: "Who accessed this data?"
Cloud storage audit logs are your friend here.
What Gets Logged
| Action | Microsoft 365 | Google Workspace | Dropbox Business |
|--------|---------------|-----------------|------------------|
| File views | ✓ (SharePoint) | ✓ | ✓ |
| Downloads | ✓ | ✓ | ✓ |
| Edits | ✓ | ✓ | ✓ |
| Sharing changes | ✓ | ✓ | ✓ |
| Deletions | ✓ | ✓ | ✓ |
| Permission changes | ✓ | ✓ | ✓ |
| External sharing | ✓ | ✓ | ✓ |
Accessing Audit Logs
**Microsoft 365**: Security & Compliance Centre → Search → Audit log search
**Google Workspace**: Admin Console → Reports → Audit → Drive
**Dropbox Business**: Admin Console → Activity
How Long to Keep Logs
Audit logs themselves may contain personal data (who accessed what, when). Balance thoroughness with proportionality:
- **Minimum**: 90 days (enough to investigate most incidents)
- **Recommended**: 1 year (covers audit requirements)
- **Maximum practical**: 2 years (beyond this, value diminishes)
Responding to Data Subject Requests
Under GDPR, individuals can request copies of their personal data (Subject Access Request) or ask you to delete it. Cloud storage makes both easier and harder.
Subject Access Requests
Search features help you find data across cloud storage:
1. **Search by name/email**: Find documents mentioning the individual
2. **Check shared folders**: Look for files shared with their email
3. **Review collaboration history**: Check comments and edit history
4. **Don't forget versions**: Previous versions may contain relevant data
**Tip**: Microsoft 365 has built-in eDiscovery tools. Google Workspace has Vault. Use them.
Deletion Requests (Right to Erasure)
When you need to delete someone's data:
1. **Search comprehensively**: Use admin tools to find all instances
2. **Check backups**: You may need to exclude the data from restores or flag it for future deletion
3. **Document the deletion**: Keep a record of what you deleted and when
4. **Empty the bin**: Deleted files often sit in recycle bins for 30-90 days
Exemptions to Remember
You don't have to delete data if you have a legal obligation to keep it (tax records, contracts with ongoing obligations, legal disputes).
Common Cloud Storage GDPR Mistakes
Mistake 1: Using Personal Accounts for Business
Staff using personal Dropbox or Google accounts for work files means you've lost control. Data could sit in their personal cloud forever after they leave.
**Fix**: Provide business accounts and block personal cloud storage on work devices.
Mistake 2: Sync Everything Everywhere
Syncing all company files to all devices means personal data spreads to laptops, phones, and home computers—all potential breach points.
**Fix**: Use selective sync. Only sync what's needed on each device.
Mistake 3: Forgetting Deleted Files Aren't Gone
Most cloud services keep deleted files recoverable for 30-90 days. If you think you've deleted sensitive data, it's probably still there.
**Fix**: Understand your provider's deletion timeline. Use admin tools to purge immediately when needed.
Mistake 4: Not Offboarding Properly
When staff leave, their cloud access should end immediately. Shared folders they owned need new owners. Their files need review.
**Fix**: Include cloud access in your offboarding checklist. Transfer ownership before disabling accounts.
Mistake 5: Ignoring External Sharing Reports
Most admin consoles can show you what's been shared externally. If you never check, you'll never know about inappropriate sharing.
**Fix**: Review external sharing reports monthly. Question anything that looks odd.
Quick Compliance Checklist
**Contract Basics**
- [ ] Data Processing Agreement in place with provider
- [ ] Understand where your data is stored geographically
- [ ] Using business (not personal) cloud accounts
**Access Control**
- [ ] Folder structure with appropriate permissions
- [ ] Regular access reviews (quarterly minimum)
- [ ] Offboarding process includes cloud access revocation
**Sharing**
- [ ] Default sharing is internal-only
- [ ] External sharing requires expiry dates
- [ ] No "anyone with link" for personal data
- [ ] External sharing reviewed monthly
**Retention**
- [ ] Retention policy defined and documented
- [ ] Automated retention where possible
- [ ] Regular cleanup of expired data
**Audit & Response**
- [ ] Know how to access audit logs
- [ ] Process for handling subject access requests
- [ ] Process for handling deletion requests
Getting Started Today
**This week**: Audit who has access to what. You'll probably find surprises.
**This month**: Implement a sensible folder structure with appropriate permissions.
**This quarter**: Set up automated retention policies and external sharing reviews.
**Ongoing**: Monthly external sharing review, quarterly access review, annual policy review.
Cloud storage and GDPR compliance aren't enemies—they just require a bit of thought. Get the basics right, and you'll enjoy the benefits of cloud collaboration without the regulatory headaches.