Is your online office suite state of the art?
What is the General Data Protection Regulation, or GDPR for short?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
Well, that sounds scary, but what does GDPR really mean for businesses and how they collect and store data? In this quick guide, we will explain what you need to know about GDPR, with a focus on how it relates to services such as Office 365, Google Docs and Collabora Online.
Under GDPR, if a data ‘controller’ (an organisation that collects any personal data) wants to share personal data with a third-party ‘processor’ (an organization that processes this data, for example Microsoft or Google), they must ensure that the third-party processor provides sufficient guarantees that they will implement appropriate technical and organizational measures to protect the personal data. Even without sharing with third parties, the controller must also show that when “taking into account state of the art” technology, they are incorporating data protection “by design and by default”.
And if all this seems very abstract, it might be worth considering that, according to German legal firm CMS, there have been over 1,600 fines issued in the last five years, with the average fine a little over €2,400,000. These range from headline-grabbing figures for Meta and Amazon to hundreds and thousands of euros for small and medium businesses, hospitals, government administrations and other companies dotted around the world with European users. After removing the 45 individual fines over 1 million euros for this period, we calculate the average fine comes out at more than €300,000. Got your attention yet?
So what is “state of the art”, and what is “data protection by design and by default”? At Collabora, we believe the highest level of protection means having the strongest access control requirements, and for this, no-one else does or can do better.
Where is your data?
As technology and the internet have developed, file sharing and collaborative working have become vital for anyone trying to run an efficient business, or even just set a monthly budget or write a letter. We send files in email attachments, in messaging apps, through different file sharing websites, or on a USB stick. We know that there are bad actors ‘out there’, but as long as nothing happens to us, we try not to think about it too much.
The internet is a scary place if you’re on your own
But clearly this is not “state of the art”. The internet is a scary place, and if your data is out in the open like this, anyone could access it.
End to end encryption
Most businesses and applications, however, recognise the issue here, and the current received wisdom is that ‘end-to-end encryption’ will save the day. To offer you a quick refresher: the general idea with end-to-end encryption is that, in order to prevent someone who shouldn’t have access from reading a letter, the sender puts a padlock on their letter before putting it in the post, and the recipient unlocks it upon arrival. Postman Pat and the rest of the delivery company have no idea what was in the letter, and everybody is happy. Sounds good, right?
Yet there is an obvious issue staring us in the face with this methodology – it is only end-to-end. It is a well-intentioned attempt to keep corrupt postmen or system administrators away from your letters or stored data, perhaps, but in terms of keeping your data safe in the wider scheme of things, utterly useless, as anyone who’s ever misplaced a letter, had someone read over their shoulder, or indeed had their house broken into can attest. Where either end might be, and who or what is going on there, is literally anyone’s guess. End-to-end encryption also means you can kiss goodbye to any guarantees of having a malware-free server: you certainly can’t scan for viruses anymore or respond fully to a lawful freedom of information request. Never mind the security implications of what happens when you or one of your staff leaves an ‘end’ with confidential data on it in a bar or taxi or train by mistake. The British government alone reported a total of “96 laptops, tablets, smartphones and other devices lost by or stolen from parliamentary staffers between January 2019 and December 2020, with one device disappearing within Downing Street itself”.
End-to-end encryption, then what?
As far as mitigating this issue goes, companies are left up the creek without a paddle by this approach. Company laptops are issued that must themselves be encrypted, in the hope of securing that end if it is ever lost, and personal laptops are banned, or further lengthy BYOD policies are enacted with spurious levels of enforcement.
In the same way that welding your front door shut but leaving the window open is hardly safe, it’d be difficult to honestly argue that this is “data protection by design and by default”. In fact, this lack of clarity over what happens at the server ‘end’ is precisely why the German and French governments are taking action to ban some public services from using Office 365 or Google Workspace.
Look, but don’t touch!
So must we accept our valuable data can never be truly safe? We don’t think so! The British Crown Jewels are estimated to be worth upwards of £3 billion. They have lived in the Tower of London since 1661, guarded by the British Army, rarely leaving the premises, yet they have been open to public viewing for most of this time. Within the castle grounds they are viewed by 2-3 million visitors every year, and the only attempted theft ended in failure in 1671. Perhaps our modern collaborative working arrangements could learn something from this open, but secure setup. Is there a way to enable users to view documents, without them leaving the safety of the castle? To look, but not touch?
Well, it turns out there is! While it may well be impractical to start your own international parcel delivery company, there’s very little stopping a company, individual or organisation from hosting their data within their own premises (be it office or castle!), or with a trusted Collabora partner, essentially running the data-delivery company themselves. Crucially, Collabora Online sends only images of the viewed parts of the document (not the complete file) to the end users, with the host granting as much or as little editing access as they see fit. Operating more like a hyper-efficient remote desktop than a browser-based editor, Collabora Online processes user activity on the server in real time, meaning the actual file data never leaves the safety of the server, so no amount of malicious malware, technical tomfoolery or pernicious postmen can extract it from a browser or device. Lost your company laptop? Who cares?! There is no company data on it anyway, and before any bad actors even start looking up your mother’s maiden name, your childhood best friend and what street you grew up on, you can, with a click of a mouse, make sure your castle server never communicates with it ever again. Remote wipe if you feel like it, but there’s really nothing on the device!
Collaborative data protection by design and by default
You should use the state of the art solution
If that’s not data protection by design and by default, using state of the art technology, then we don’t know what is. It also remains very unclear how any other software provider intends to honestly address the pressing issue of data security or GDPR compliance, as evidenced by weekly reports of leaks and fines. Don’t sweep the problem under someone else’s rug: be state of the art with Collabora Online and take control of your data.