The General Data Protection Regulation came into force on May 25, 2018. Six years later, enforcement is more aggressive than ever. The Irish Data Protection Commission alone has issued over €4 billion in fines since 2018, with several cases directly involving collaboration and productivity platforms and their data handling practices.
Yet most collaboration tools treat GDPR compliance as a checkbox exercise. They publish a privacy policy, offer a Data Processing Agreement on request, and point to their encryption page. The underlying architecture remains unchanged: the provider holds your encryption keys and can access your workspace content at will.
Server-side encryption is not enough
GDPR Article 32 requires "appropriate technical measures" to protect personal data. Most platforms interpret this as server-side AES encryption at rest and TLS in transit. Technically accurate. Practically insufficient.
Server-side encryption protects against one specific threat: an attacker who physically steals disks from the data centre. It does not protect against a compromised admin account, an insider, or a government request served on the provider. In all three scenarios the provider decrypts the data and hands it over, because the provider holds the keys.
Article 25 goes further, requiring "data protection by design and by default." A collaboration platform where the provider can read customer documents at any time is hard to square with that requirement. The Bavarian DPA made this argument explicitly in a 2023 advisory opinion on cloud services used by public sector bodies.
The data residency question
After the Schrems II ruling invalidated the EU-US Privacy Shield in 2020, data residency became a board-level concern for European organisations. Where are the servers? Which jurisdiction controls them?
Several major platforms now offer "EU data residency" options, but the details matter. If the provider is a US-headquartered company, it may still be subject to FISA Section 702 or CLOUD Act requests, regardless of where the servers physically sit. The EU-US Data Privacy Framework, adopted in July 2023, addresses some of these concerns but has already drawn legal challenges.
For organisations handling sensitive projects (medical records, legal work, financial documents), the safest position is to use a platform that is both EU-based and built so that the provider never holds the decryption keys. The first condition removes the jurisdictional risk. The second makes the jurisdiction question moot, because even if someone compels the provider to hand over data, there is nothing readable to hand over.
What a compliant architecture looks like
A collaboration platform that takes GDPR seriously should meet four criteria:
- Client-side encryption with keys the provider cannot access
- Data stored exclusively within the EU (or the customer's chosen jurisdiction)
- A signed DPA that specifies sub-processors, retention periods, and breach notification timelines
- Regular third-party audits (SOC 2 or ISO 27001) covering both the application and the infrastructure
We built Fileson to meet all four from day one, not because the market demanded it in 2019, but because the regulation required it. Six years later, the market is catching up. The fines are getting larger, the enforcement actions more frequent, and the questions from procurement teams more pointed.
If your current collaboration platform holds your encryption keys, you have a compliance risk. It may be an acceptable one for your organisation. But you should know it exists, and you should make that choice deliberately rather than by default.