Somewhere in your business, a file containing customer data, financial records, or confidential contracts is sitting in a cloud folder that three former employees can still access. This isn’t a hypothetical — it’s the most common cloud storage security problem UK small businesses face, and it requires no hacking whatsoever to exploit. It requires only an ex-employee who remembers their password.

Cloud storage is one of the most useful tools available to small businesses. It’s also one of the easiest to misconfigure. Here’s what actually keeps your data safe in the cloud, how Google Drive, OneDrive, and Dropbox compare, and what you should never put in any of them.

The shared responsibility model (and why it matters to you)

Every major cloud provider operates under a shared responsibility model. In plain terms: they’re responsible for the security of the cloud infrastructure. You’re responsible for everything you put in it — who has access, how it’s configured, and whether sensitive data is handled correctly.

The provider won’t prevent you from sharing a folder containing your customers’ financial details with the wrong person. They won’t stop a departing employee from downloading your entire client database before their last day. That sits with you.

Understanding this removes a common false assumption: that choosing a reputable cloud provider means your data is automatically safe. It means the storage infrastructure is reliable and encrypted. The human and configuration layer is yours to manage. Under UK GDPR, you’re also the data controller — so if something goes wrong, the ICO will be looking at what controls you had in place.

Platform comparison

Google Drive (via Google Workspace)

Google Workspace is the most widely used platform among UK small businesses, and for good reason. Storage starts at 30 GB per user on the Business Starter plan and scales to pooled storage on higher tiers.

Encryption: Google encrypts data at rest (AES-256) and in transit (TLS 1.2+). Encryption keys are managed by Google by default, with customer-managed keys available on Enterprise tiers.

Admin controls: Google Admin Console covers most things an admin needs. Admins can restrict sharing to within the organisation, prevent downloads of specific files, require re-authentication for sensitive documents, and review sharing activity. Data Loss Prevention rules can scan for patterns like credit card numbers and automatically block or quarantine matching files.

Compliance: Google Workspace holds ISO 27001, SOC 2 Type II, and GDPR compliance certifications. A Data Processing Agreement is available and should be signed — it’s a UK GDPR requirement.

Worth watching: Google Drive’s default behaviour is permissive. New Workspace tenants should immediately audit sharing settings — the defaults allow external sharing and public links unless an administrator turns them off.

Microsoft OneDrive (via Microsoft 365)

Microsoft 365 Business Basic starts at around £4.50–6/user/month with 1 TB OneDrive storage per user. Business Standard adds the full desktop Office suite.

Encryption: OneDrive encrypts files at rest (AES-256, per-file unique keys) and in transit (TLS). Microsoft Purview Customer Key allows enterprise customers to supply their own encryption keys, though this isn’t available on SMB plans.

Admin controls: The Microsoft 365 Admin Centre and SharePoint Admin Centre give administrators deep control over sharing policies. Microsoft Purview Information Protection (available on Business Premium) adds document classification, sensitivity labels, and DLP policies that persist with the file even when downloaded.

Compliance: Microsoft 365 holds SOC 1/2/3, ISO 27001, and GDPR compliance across all business plans.

Standout feature: Sensitivity labels that travel with files are a significant differentiator. A document marked “Confidential” retains its classification — and the access restrictions that come with it — even if someone downloads it locally or emails it.

Dropbox Business

Dropbox Business starts at around £12–15/user/month (minimum 3 users).

Encryption: AES-256 at rest, TLS in transit. Extended Version History (up to 365 days on higher plans) is a useful ransomware recovery feature — deleted or overwritten files can be restored up to a year later.

Admin controls: Sharing permissions, view-only link settings, and team folder access can all be managed centrally. DLP is available via third-party integrations (Nightfall AI, Gamma) rather than natively — this is a meaningful gap compared to Google and Microsoft.

Compliance: SOC 2 Type II, ISO 27001, and GDPR compliance supported through Data Processing Agreements.

Worth watching: Dropbox’s strength is usability, not security depth. The lack of native DLP means you’re relying more on user behaviour to prevent sensitive data leaving incorrectly.

Quick comparison table

Feature                  Google Workspace          Microsoft 365              Dropbox Business
Encryption at rest       AES-256                   AES-256                    AES-256
Native DLP               Yes (Business Plus+)      Yes (Business Premium+)    No (third-party)
Sensitivity labels       Via Google labels         Yes (strong)               No
UK GDPR DPA available    Yes                       Yes                        Yes
SOC 2 Type II            Yes                       Yes                        Yes
Version history          30 days (standard)        30–180 days                30–365 days

Walking through DLP settings

In Google Workspace Admin Console: Navigate to Security → Data Protection → Manage Rules. Create a rule with a condition (e.g. “contains credit card number”) and an action (“block external sharing” or “alert admin”). Google’s built-in detectors cover card numbers, bank accounts, and national ID formats.

In Microsoft 365 Compliance Centre: Go to Data Loss Prevention → Policies → Create Policy. Select a template (Financial Data, GDPR, etc.) or build a custom policy. Assign it to OneDrive and SharePoint locations. Test in simulation mode before enforcing — this is worth doing rather than jumping straight to blocking.
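The "contains credit card number" detectors behind rules like these combine a digit pattern with a Luhn checksum, and the rule then maps a match to an action. The Python below is an added illustration of that logic, not Google's or Microsoft's detector code. The documents, file names and the shared_externally flag are constructed, and the card numbers are the public Visa and Mastercard test values.

```python
"""Minimal DLP-style detector: finds payment card numbers in text and decides an action.

Added illustration, not Google's or Microsoft's detector. Sample documents are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally grouped by single spaces or hyphens,
# not glued to other digits (so a 20-digit reference number is not carved up).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Real DLP detectors use it to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalised (digits-only) card numbers that pass the Luhn check."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Show only the first six and last four digits, as PCI DSS permits in logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Document:
    name: str
    text: str
    shared_externally: bool   # would come from the platform's sharing metadata


def evaluate(doc: Document) -> Dict[str, object]:
    """Mirror a rule of the form 'contains card number -> block external sharing / alert'.

    Returning the action instead of performing it is the equivalent of simulation mode.
    """
    cards = find_card_numbers(doc.text)
    if not cards:
        return {"name": doc.name, "matches": 0, "action": "allow"}
    action = "block_external_sharing" if doc.shared_externally else "alert_admin"
    return {"name": doc.name, "matches": len(cards), "action": action,
            "samples": [mask(c) for c in cards]}


# Constructed sample documents; the card numbers are the public Visa/Mastercard test values.
SAMPLE_DOCUMENTS = [
    Document("Clients/invoice-0412.docx",
             "Paid by card 4111 1111 1111 1111, exp 09/26.", shared_externally=True),
    Document("Finance/notes.txt",
             "Refund to 5500000000000004 pending.", shared_externally=False),
    Document("Sales/orders.csv",
             "order_ref,1234 5678 9012 3456,shipped", shared_externally=True),
]


def scan_documents(docs: List[Document]) -> List[Dict[str, object]]:
    return [evaluate(d) for d in docs]


if __name__ == "__main__":
    for result in scan_documents(SAMPLE_DOCUMENTS):
        print(result)
```

The third document is why the Luhn step matters: a 16-digit order reference looks exactly like a card number to a regex but fails the checksum, so it is not flagged. When you test a real policy in simulation mode, this kind of near-miss is what you are looking for before you switch to blocking.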

Access review checklist

Run this quarterly and immediately when any employee or contractor leaves. Start with users: pull a list of everyone with access to shared drives and team folders, then remove any accounts not currently in use — former staff, contractors, and vendors are the most common sources of stale access.

Then work through link and log hygiene:

  • Review externally shared links and revoke any that are no longer needed
  • Check for folders or files shared with “anyone with the link” and restrict to specific users
  • Confirm all admin accounts have MFA enabled
  • Review audit logs for bulk downloads in the past 30 days
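Most of this checklist can be scripted against the exports an admin console gives you (staff list, account list, sharing report, download audit log). The Python below is an added example, not any provider's tooling, run over constructed data standing in for those exports; the 30-day window, the 50-download threshold and the anyone_with_link label are assumptions.

```python
"""Quarterly access review over exported sharing, account and audit data.

Added illustration; the data below is constructed and stands in for exports from an
admin console. It is not any provider's real output.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Authoritative list of people who should currently have access (e.g. from HR/payroll).
CURRENT_STAFF = {"alice@example.co.uk", "bob@example.co.uk", "admin@example.co.uk"}

# Accounts that exist on the platform, with admin role and MFA status.
ACCOUNTS = [
    {"email": "alice@example.co.uk", "is_admin": False, "mfa": True},
    {"email": "bob@example.co.uk", "is_admin": False, "mfa": False},
    {"email": "admin@example.co.uk", "is_admin": True, "mfa": True},
    {"email": "carol@example.co.uk", "is_admin": True, "mfa": False},        # left last quarter
    {"email": "vendor@contractor.example", "is_admin": False, "mfa": False},  # project finished
]

# Sharing records: who (or what kind of link) can reach each item.
SHARES = [
    {"item": "Finance/2024-accounts.xlsx", "principal": "carol@example.co.uk", "type": "user"},
    {"item": "Clients/contracts", "principal": "anyone_with_link", "type": "link"},
    {"item": "HR/policies.pdf", "principal": "anyone_with_link", "type": "link"},
    {"item": "Sales/pipeline.xlsx", "principal": "vendor@contractor.example", "type": "user"},
    {"item": "Sales/pipeline.xlsx", "principal": "alice@example.co.uk", "type": "user"},
]

NOW = datetime(2024, 6, 30)   # constructed "today" so the example is reproducible


def _downloads(actor: str, count: int, days_ago: int) -> List[Dict[str, object]]:
    """Build `count` download events for `actor`, starting `days_ago` days before NOW."""
    return [{"actor": actor, "time": NOW - timedelta(days=days_ago, minutes=i),
             "item": f"Clients/file-{i}.pdf"} for i in range(count)]


# Constructed audit log: one user pulled 120 files in a couple of hours three days ago,
# a normal user pulled 10, and a former employee's 60 downloads fall outside the window.
AUDIT_LOG = (_downloads("bob@example.co.uk", 120, 3)
             + _downloads("alice@example.co.uk", 10, 1)
             + _downloads("carol@example.co.uk", 60, 45))


def stale_accounts(accounts, current_staff) -> Set[str]:
    """Accounts that still exist but belong to nobody on the current staff list."""
    return {a["email"] for a in accounts if a["email"] not in current_staff}


def stale_shares(shares, current_staff) -> List[Tuple[str, str]]:
    """Items shared directly with a person who is no longer current staff."""
    return [(s["item"], s["principal"]) for s in shares
            if s["type"] == "user" and s["principal"] not in current_staff]


def open_links(shares) -> List[str]:
    """Items reachable by anyone holding the link, which should be narrowed to named users."""
    return [s["item"] for s in shares if s["principal"] == "anyone_with_link"]


def admins_without_mfa(accounts) -> List[str]:
    return [a["email"] for a in accounts if a["is_admin"] and not a["mfa"]]


def bulk_downloaders(log, now, window_days=30, threshold=50) -> Dict[str, int]:
    """Actors with at least `threshold` downloads in the last `window_days` days."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter(e["actor"] for e in log if e["time"] >= cutoff)
    return {actor: n for actor, n in counts.items() if n >= threshold}


def run_access_review() -> Dict[str, object]:
    return {
        "stale_accounts": stale_accounts(ACCOUNTS, CURRENT_STAFF),
        "stale_shares": stale_shares(SHARES, CURRENT_STAFF),
        "open_links": open_links(SHARES),
        "admins_without_mfa": admins_without_mfa(ACCOUNTS),
        "bulk_downloaders": bulk_downloaders(AUDIT_LOG, NOW),
    }


if __name__ == "__main__":
    for heading, finding in run_access_review().items():
        print(f"{heading}: {finding}")
```

The review is driven by the staff list, not by the platform's own account list: an account only counts as current if HR says the person still works for you. Note that the former employee's downloads are not reported because they fall outside the 30-day window, which is exactly why the checklist says to run the review immediately when someone leaves rather than waiting for the quarter.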

What to never store in cloud storage

Cloud storage isn’t appropriate for every category of sensitive data, regardless of how well it’s configured:

Unencrypted passwords or authentication credentials belong in a dedicated password manager. Private encryption keys belong in a proper key management system. Payment card numbers in plaintext are a PCI-DSS violation — they need dedicated encryption tools, not a spreadsheet in Google Drive. Raw biometric data is subject to strict regulations under UK GDPR and the Data Protection Act 2018.

The rule of thumb: if the data would cause serious harm to your business or customers if exposed, default cloud storage isn’t enough. At minimum, encrypt the file before uploading it.

Cloud storage, configured properly, is genuinely secure for the vast majority of business data. Spend 90 minutes with your admin console, run the access review checklist, and enable whatever DLP rules your plan supports. That setup will do more for your data security than almost anything else you can do this year.