The GDPR is a new regulation governing how individuals’ personal data is handled, and it will have a deep effect on the entire internet industry. The fact that it is a European regulation doesn’t mean it is relevant only to European organizations: it protects the personal data of individuals in the EU regardless of where the company processing or storing that data is based. Because many companies have a global reach, the requirement applies to a great many companies worldwide.
Over 220,000 customers use Cloudinary to store, manage, and programmatically apply on-the-fly transformations on over 15 billion images and videos uploaded from locations all around the world, so we’re definitely impacted by this regulation.
In this blog post, I’ll explain what GDPR is and elaborate on some of the more relevant and interesting areas that are involved in becoming GDPR compliant. I’ll also share some of our preparations for becoming GDPR compliant here at Cloudinary as well as how we may help our customers in their GDPR compliance preparations by providing necessary capabilities and support.
GDPR stands for General Data Protection Regulation. It requires companies and organizations to protect the personal data and privacy of individuals in the EU, including when the data is processed outside the EU. Its main purpose is to give people more control over how their personal data is used, in a reality where many companies build their services on personal data. It also aims to simplify the regulatory environment for international companies by offering a single regulation across the EU. The legislation it replaces was enacted before cloud technology existed, and the cloud brought with it a plethora of new ways to exploit data. With stronger data protection rules and tougher enforcement, the EU aims to increase people’s confidence in the digital world we all experience 24/7.
The European Parliament adopted the GDPR in April 2016, replacing the outdated Data Protection Directive of 1995. It becomes enforceable on 25 May 2018, after a two-year transition period. Because it is a regulation rather than a directive, national governments do not have to pass any legislation to enforce it: it is directly applicable and binding in every member state.
The GDPR defines significant fines for non-compliance and breaches, and gives people more control over the way companies use their personal data. It also unifies the way data protection rules are enforced across the EU. But many companies will find it challenging to make their systems and processes fully compliant, and the GDPR leaves much open to interpretation. For example, it requires companies to protect personal data with “appropriate” technical and organizational measures, but it does not define what is appropriate for a given system.
In general, the GDPR applies to companies and organizations that store or process personal data about individuals (‘data subjects’) in the EU, whether or not they are citizens of EU member states.
Specific criteria for companies that must comply with the GDPR include:
- The organization processes personal data and has a presence in the EU.
- The organization processes personal data and is not established in the EU, but in a place where EU member state law applies by virtue of public international law.
- The organization is established in the EU, even if the processing of personal data takes place outside the EU.
- The organization is not established in the EU but processes personal data of data subjects who are in the EU, where the processing relates to offering goods or services to those data subjects (whether or not payment is required) or to monitoring their behavior, as far as that behavior takes place within the EU.
The GDPR defines data controllers and processors. A data controller determines the purposes and means of processing personal data, while a data processor processes the data on behalf of the controller and is responsible for that processing. The controller could be any company or organization; a processor could be a SaaS, IT or other company that actually processes the data on the controller’s behalf.
Cloudinary is a Processor.
Cloudinary customers (who use our service to upload and transform media files or to enable their end users to upload media) are Controllers.
The controller is responsible for making sure that every processor it deals with is GDPR compliant, and processors themselves must keep records of their processing activities. In some cases, the GDPR requires controllers and processors to designate a Data Protection Officer (DPO) or a data protection task force to supervise the company’s compliance.
The GDPR makes it clear that any data relating to an identified or identifiable person is personal data. For example, online identifiers such as cookies, IP addresses and location data can all be personal data. Basic identity information (name, address and ID numbers) is personal data, and so are sexual orientation, biometric data, health and genetic data, political opinions and racial or ethnic data, which the GDPR additionally treats as special categories that may be processed only under stricter conditions.
Individuals have the right to access any of their data that a company stores, and the right to know why that data is processed, who can see it and for how long it is stored. The GDPR requires controllers and processors to be transparent about this. People may ask to access their data and controllers must respond within one month. Where possible, controllers should provide secure, direct access for individuals to review the stored data relating to them.
Individuals have additional rights under the GDPR, including the right to erasure (the ‘right to be forgotten’), the right to withdraw consent and to object to processing, the right not to be subject to automated decision making, the right to data portability, the right to receive appropriate notice about the processing of their data and the right to rectify inaccurate or incomplete data. The controller must assist the individual, and the processor must assist the controller, in exercising these rights.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (‘processing’ covers any operation on personal data, including mere storage). The controller must notify the competent EU supervisory authority of a personal data breach without undue delay and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. The controller must also notify the affected data subjects when the breach is likely to result in a high risk to them, unless the controller has applied measures that render the data unintelligible to anyone not authorized to access it, for example by encrypting it (which only helps if the encryption keys were not exposed in the same incident). The processor must notify the controller of the breach without undue delay.
At Cloudinary, we take data security and privacy very seriously. The service’s architecture and implementation are designed to protect data and meet strict security requirements, and we keep to that principle daily as we add more features and enhance the service.
Privacy and security compliance have always been key for us. We implemented procedures and controls pursuant to the ISO 27001 standard and we continue to invest in data security on an ongoing basis.
Keeping every customer’s data private is a leading principle for all of the company’s employees as well. Every employee must follow a clearly defined code of conduct that involves a variety of action items, starting with data protection training during on-boarding for every new employee.
Cloudinary is making a considerable effort and is investing a great deal of resources to make sure we’ll be ready to comply with the GDPR requirements by May 2018.
You’ll find additional information about some of our main preparations below. There are additional GDPR issues that we handle that may help your company become compliant and you are more than welcome to contact us for further exploration of your specific case.
The sense of urgency came from the top management and GDPR compliance readiness was prioritized as a key element in the company’s roadmap. Different stakeholders throughout the company have formed a dedicated data protection task force to make sure that all relevant information is shared and all the technical and procedural changes are well defined and then precisely implemented.
Compliance, data protection and security experts have accompanied the task force to make sure the compliance process is complete and meets all of the regulation’s requirements.
- The personal data protection management plan that was already in place was reviewed and updated to ensure that it aligns with GDPR requirements.
- Cloudinary already offers a Data Protection Addendum (DPA) to its customers.
- A data protection team was appointed to oversee data protection.
- ISO 27001 security training involving all employees has taken place.
- A risk assessment and data mapping process was carried out to make sure any stored or processed data relating to people located in the EU is processed and managed according to the GDPR’s requirements.
- A data collection and data deletion policy was defined. The data collected is only what is required to perform the services procured by Cloudinary’s customers, and for the legitimate purposes specified explicitly in Cloudinary’s terms of service. Where personal data is processed, it is processed lawfully and transparently. Once the purpose for which the data was collected has been fulfilled and the data is no longer required, it is deleted.
- A policy was defined for assisting Cloudinary customers in fulfilling their obligations regarding requests from data subjects seeking to exercise their rights under the GDPR.
- Records of all processing done by Cloudinary on behalf of its customers will be kept according to the company’s policy and will be available to customers upon request.
- Any third party that Cloudinary works with that may process personal data as part of Cloudinary’s default service offering will be GDPR compliant. For optional third-party features that are available but are not part of Cloudinary’s core service, it is the customer’s sole responsibility to decide whether to engage with that service provider. In such cases Cloudinary is not a party to the agreement between the third party (the processor) and the customer (the controller).
- If we encounter or suspect a data breach, our improved response plan will be used. This plan involves the company’s IT, legal, marketing and customer support teams, as well as all other members of the task force.
- Cloudinary offers a set of tools and features that can help you analyze the content within media assets, including:
  - Manual and automatic moderation
  - Advanced and automatic tagging
  - Face detection and facial attribute detection
  - Text extraction
  - Metadata extraction
  These features will continue to evolve as part of the service (with or without additional cost).
- Assets uploaded to Cloudinary’s servers are not checked for PII. If a customer discovers that PII has been uploaded to Cloudinary, we will provide the controller with any help needed to destroy it.
- Cloudinary is setting up a process for ongoing assessment to make sure it remains in compliance. We are also updating the company’s code of conduct accordingly.
- Cloudinary will assist its customers through appropriate measures, insofar as possible, to fulfill their obligations to respond to requests from data subjects seeking to exercise their rights under the GDPR. If such a request requires a special setup to meet a special need, including requirements that the GDPR does not explicitly impose (for example, custom CDN zones that limit caching to the EU, storage of all data within an EU data center, or more detailed logs), Cloudinary may charge an additional fee. You can contact us to discuss your specific case.
Protecting personal data and privacy is becoming more and more important in a world where technology and devices accompany us around the clock. For companies with an international reach, becoming compliant with a comprehensive and demanding regulation like the GDPR requires cross-organizational preparation and effort, extending to all related data processors and controllers. Failing to achieve full compliance on time exposes a company to the regulation’s significant fines.
At Cloudinary, in addition to helping you provide optimized global performance for your end users, being fully compliant is a top priority for us. Equally important is helping all of our customers with their compliance efforts. As part of handling both of these priorities, Cloudinary plans to expand its service to additional data centers and will soon offer the service from a European data center, enabling our customers to have their data processed and stored in the EU as well, even though the GDPR does not require this.
As the needs of each company may be different, it’s important to make sure your company is prepared. We are here to help with your specific needs and serve you in the best possible way, as always!
We would be happy to get your feedback or questions related to GDPR and the preparations for becoming GDPR compliant. Contact us anytime!