Cloudinary Blog

GDPR: The what, the when, the why... and how Cloudinary is preparing for Day 0

GDPR: Cloudinary's take on the What, When, Why, and How

GDPR is a new regulation that deals with the way individuals' private information is handled. This regulation is going to have a deep effect on the entire internet industry. The fact that GDPR is a European regulation doesn't mean it's relevant only for European organizations. It requires protecting the data of any individual whose data is processed or stored in any way within European boundaries. As the reach of many companies is global, the requirement is actually relevant to a lot of companies worldwide.

Over 220,000 customers use Cloudinary to store, manage, and programmatically apply on-the-fly transformations on over 15 billion images and videos uploaded from locations all around the world, so we're definitely impacted by this regulation.

In this blog post, I’ll explain what GDPR is and elaborate on some of the more relevant and interesting areas that are involved in becoming GDPR compliant. I'll also share some of our preparations for becoming GDPR compliant here at Cloudinary as well as how we may help our customers in their GDPR compliance preparations by providing necessary capabilities and support.

What is the GDPR and why it was drafted?

GDPR stands for General Data Protection Regulation. It's a regulation that requires companies and organizations to protect the personal data and privacy of individuals in the EU, including when the data is processed outside the EU. The GDPR’s main purpose is to give people more control over the ways their personal data is used in a reality where many companies use personal data for the sheer benefit of their services. It also aims to simplify the regulatory environment for international companies by offering a unified regulation within the EU. The current regulation was enacted before cloud technology was introduced and with it, a plethora of new ways to exploit data. With stronger data protection legislation and tougher measures of enforcement, the EU aims to increase people’s confidence in the digital world we all experience 24/7.

The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It will become enforceable on the 25th of May 2018 after a two-year transition period. As a regulation, national governments do not have to pass any legislation to start enforcing it, which means it will automatically be applicable and binding.

The GDPR defines significant fines for non-compliance and breaches, and provides people with more control over the way companies use their personal data. It also unifies the way data protection rules are enforced in the EU. But many companies will find it challenging to make their systems and processes fully compliant. Furthermore, the GDPR leaves much open to interpretation. For example, according to the GDPR, companies must protect personal data at a “reasonable” level, but does not define what “reasonable” is.

Which companies are affected by the GDPR?

In general, the GDPR applies to companies and organizations that store or process personal data about individuals ('data subjects') within the EU, whether they are citizens of EU member states or not.

GDPR has a worldwide impact

Specific criteria for companies that must comply with GDPR include:

  • The organization processes personal data and has a presence in the EU.

  • The organization processes personal data and is not established in the EU, but rather in a place where EU member state law applies by public international law.

  • The organization is established in the EU, even if the processing of personal data takes place outside the EU.

  • The organization is not established in the EU, but processes personal data of data subjects who are in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU (irrespective of whether a payment from the data subject is required) or the monitoring of their behavior, for any behavior that takes place within the EU.

Controllers and Processors

The GDPR defines data controllers and processors. A data controller determines the purposes and ways that personal data is processed, while a data processor is the party actually processing the data and responsible for that processing on behalf of the controller. That means that the controller could be any company or organization. A processor could be a SaaS, IT or other company that is actually processing the data on behalf of the controller.

Cloudinary is a Processor.
Cloudinary customers (who use our service to upload and transform media files or to enable their end users to upload media) are Controllers.

The controller is responsible to make sure that all processors with whom it deals will be GDPR compliant and the processors themselves must keep records of their processing activities. In some cases, the GDPR requires controllers and processors to designate a Data Protection Officer (DPO) or a data protection task force to supervise the company's compliance with the GDPR.

GDPR controller and processor infographic

What types of privacy data does the GDPR protect?

The GDPR makes it clear that any data related to an identified or identifiable person is regarded as personal data. For example, online identifiers such as cookies, IP addresses and location data can all be considered personal data. Other data elements such as basic identity information (name, address and ID numbers), sexual orientation, biometric data, health and genetic data, political opinions, racial and ethnic data and more are also considered personal data and are covered by the GDPR.

Data access by the individuals

Individuals have the right to access any data of theirs that a company stores, the right to know why that data is processed, who can see it and for how long it’s stored. GDPR requires that controllers and processors are transparent about that information. People may ask to access it and controllers should respond within one month. Where possible, controllers should provide secure, direct access for individuals to review stored data related to them.

Other Individuals Rights

Individuals have additional rights under the GDPR, including the right of erasure (the 'right to be forgotten'), the right to withdraw consent and object to processing, the right to object to automated decision making, the right to data portability, the right to receive appropriate notice about the processing of the individual's data and the right to rectify inaccurate or incomplete data. The controller must assist the individual and the processor must assist the controller in exercising these rights.

What about data breaches?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed ('processing' personal data means any type of access or other type of data processing, including mere storage). The controller must notify the competent EU supervisory authority about personal data breach without undue delay and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk the data subjects. The controller must also send a notice about the breach to the data subjects, unless the controller has taken measures to prevent any risk involved in the breach to the data subjects, for example, by encrypting the data. The processor must notify the controller about the breach without undue delay.

GDPR compliance preparations at Cloudinary

At Cloudinary, we take data security and privacy very seriously. Our service is inherently secure and its architecture and implementation protect data by design, meeting strict security demands. This principle is well kept on a daily basis as we add more and more features and enhance our service.

Privacy and security compliance have always been key for us. We implemented procedures and controls pursuant to the ISO 27001 standard and we continue to invest in data security on an ongoing basis.

Keeping every customer’s data privacy is a leading principle among all the company’s employees as well and every employee has to meet codes of conduct that are clearly defined and involve a variety of action items, starting with an on-boarding data protection training for any new employee joining the company.

Cloudinary is making a considerable effort and is investing a great deal of resources to make sure we'll be ready to comply with the GDPR requirements by May 2018.

You'll find additional information about some of our main preparations below. There are additional GDPR issues that we handle that may help your company become compliant and you are more than welcome to contact us for further exploration of your specific case.

Who is involved in the Cloudinary preparations?

The sense of urgency came from the top management and GDPR compliance readiness was prioritized as a key element in the company’s roadmap. Different stakeholders throughout the company have formed a dedicated data protection task force to make sure that all relevant information is shared and all the technical and procedural changes are well defined and then precisely implemented.

Compliance, data protection and security experts have been accompanying the task force to make sure the compliance process is complete and meets all the regulation’s instructions.

What we have already handled

GDPR checklist

  • The personal data protection management plan that was already in place was reviewed and updated to ensure that it aligns with GDPR requirements.
    • Cloudinary already offers a Data Protection Addendum (DPA) to its customers.
    • A data protection team was appointed to ensure the data protection.
    • ISO 27001 security training involving all employees has taken place.
  • A risk assessment and mapping process was done to make sure any data that may be stored or processed relating to people located in the EU is processed and managed according to the GDPR instructions.
  • A data collection and data deletion policy was defined. Data collected is only what is required to perform the services procured by Cloudinary’s customers and for legitimate purposes specified explicitly in Cloudinary’s terms of service. In case personal data is processed, it will be processed lawfully and transparently. Once the purpose for which the data was collected is fulfilled and the data is no longer required, it will be deleted.
  • A policy for assisting Cloudinary customers to fulfill their obligations regarding requests for data subjects seeking to exercise their rights under the GDPR.

May 25, 2018 and later and how we can help you

GDPR D-day: May 25, 2018

  • All processing done by Cloudinary on behalf of its customers will be kept according to the company’s policy and will be available to customers upon request.

  • Any third party that Cloudinary works with that may be processing personal data as a part of Cloudinary’s default service offering will be GDPR compliant. For optional third party features that are available, but are not a part of Cloudinary’s core service, it will be the customer's sole responsibility to decide whether to engage with that service provider. Cloudinary will not be a side in the agreement between the third party (the processor) and the customer (the controller) in such cases.

  • If we encounter or suspect a data breach, our improved response plan will be used. This plan involves the company’s IT, legal, marketing, and customer support, as well as all other members who are a part of the task force.

  • Cloudinary offers a set of tools and features that can help you analyze the content within media assets including:

  • Assets uploaded to Cloudinary’s servers are not checked for PII. If any customer discovers that PII has been uploaded to Cloudinary, we will provide the controller with any help needed to destroy it.

  • Cloudinary is setting up a process for ongoing assessment and is making sure to remain in compliance. We are also updating the company’s code of conduct accordingly.

  • Cloudinary will assist its customers through appropriate measures, insofar as possible, to fulfill their obligations to respond to requests for data subjects seeking to exercise their rights under the GDPR. If such a request requires a special setup to meet a special need, including requirements that are not explicitly required by GDPR (for example, custom CDN-zones that limit data caching to EU, storage of all data within an EU data center, getting more detailed logs, etc.), Cloudinary may charge an additional fee. You can contact us to discuss your specific case.

In Summary

Protecting personal data and privacy is becoming more and more important in the world we live in, with technology and devices accompanying us around the clock. For companies with an international reach, becoming compliant with a comprehensive and demanding regulation like the GDPR requires many cross-organizational preparations and efforts, including all related data processors and controllers. Failing to achieve full compliance on time may have severe effects that can be destructive for any company.

At Cloudinary, in addition to helping you provide optimized global performance for your end users, it is a top priority for us to be fully compliant. Equally important is helping all of our customers with their compliance efforts. As a part of handling both of these priorities in the best way, Cloudinary plans to further expand its service to additional data centers and will soon offer its service from a European-based data center to enable our customers have their data processed and stored in the EU as well, even though the GDPR does not require this.

As the needs of each company may be different, it's important to make sure your company is prepared. We are here to help with your specific needs and serve you in the best possible way, as always!

We would be happy to get your feedback or questions related to GDPR and the preparations for becoming GDPR compliant. Contact us anytime!

Recent Blog Posts

Build a WhatsApp Clone with Automatic Image Optimization

In the previous post, we showed how to upload images to a Cloudinary server. In this part, we will play with some of the features we see on the WhatsApp technology. After you or your users have uploaded image assets to Cloudinary, you can deliver them via dynamic URLs. You can include instructions in your dynamic URLs that tell Cloudinary to manipulate your assets using a set of transformation parameters. All image manipulations and image optimizations are performed automatically in the cloud and your transformed assets are automatically optimized before they are routed through a fast CDN to the end user for an optimal user experience. For example, you can resize and crop, add overlays, blur or pixelate faces, apply a variety of special effects and filters, and apply settings to optimize your images and to deliver them responsively.

Read more
With automatic video subtitles, silence speaks volumes

The last time you scrolled through the feed on your favorite social site, chances are that some videos caught your attention, and chances are, they were playing silently.

On the other hand, what was your reaction the last time you opened a web page and a video unexpectedly began playing with sound? If you are anything like me, the first thing you did was to quickly hunt for the fastest way to pause the video, mute the sound, or close the page entirely, especially if you were in a public place at the time.

Read more
Impressed by WhatsApp Tech? Build WhatsApp Clone with Media Upload

With more than one billion people using WhatsApp, the platform is becoming a go-to for reliable and secure instant messaging. Having so many users means that data transfer processes must be optimized and scalable across all platforms. WhatsApp is touted for its ability to achieve significant media quality preservation when traversing the network from sender to receiver, and this is no easy feat to achieve.

Read more
New Google-powered add-on for auto video categories and tags

Due to significant growth of the web and improvements in network bandwidth, video is now a major source of information and entertainment shared over the internet. As a developer or asset manager, making corporate videos available for viewing, not to mention user-uploaded videos, means you also need a way to categorize them according to their content and make your video library searchable. Most systems end up organizing their video by metadata like the filename, or with user-generated tags (e.g., youtube). This sort of indexing method is subjective, inconsistent, time-consuming, incomplete and superficial.

Read more

iOS Developer Camp: The Dog House

By Shantini Vyas
iOS Developer Camp: The Dog House

Confession: I’m kind of addicted to hackathons. Ever since graduating from Coding Dojo earlier this year, I’ve been on the hunt for new places to expand my skills and meet new people in the tech space. iOS Developer Camp’s 10th Anniversary event bowled me over. Initially, because of its length. 48 hours? Yeesh. I had no idea that those 48 hours would change my life. But let’s first get a little backstory on my favorite topic: dogs.

Read more