The GDPR (Regulation (EU) 2016/679) is the most significant data protection regulation to arrive in years. It replaces the Data Protection Directive 95/46/EC (the "Directive") and substantially strengthens the rights of data subjects. The GDPR was adopted on April 14, 2016 and applies from May 25, 2018. It introduces requirements that raise and harmonize standards for data protection, security, and compliance across the EU.
In GDPR parlance, the relevant entities are broken down into:
Data Subject: an identified or identifiable natural person whose personal data is processed.
Data Controller: the entity that determines the purposes and means of processing personal data (for example, an ImageKit customer deciding which of its users' media to store and deliver).
Data Processor: an entity that processes personal data on behalf of, and on the instructions of, the controller (ImageKit, when it stores, transforms and delivers a customer's media).
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
The aim of the GDPR is to protect individuals in the EU from privacy and data breaches in a data-driven world that is vastly different from the one in which the 1995 Directive was written. It harmonizes data protection law across the European Union (EU) by applying a single regulation that is directly binding in every member state. Under the GDPR, data subjects have the right of access, the right to erasure ("right to be forgotten"), the right to data portability (to receive the personal data they previously provided in a "commonly used and machine-readable format" and to transmit it to another controller), and the right to rectification of inaccurate or incomplete data. In addition, Data Processors are required to notify the Controllers they serve "without undue delay" after becoming aware of a personal data breach, so that the Controller can meet its own obligation to notify the supervisory authority and, where required, the affected data subjects.
Although Data Processors have in the past usually been bound, by contract, to give Controllers sufficient safeguards and assurances that data subject data is properly managed, the GDPR significantly increases the exposure of Data Processors. The largest increase comes from the extra-territorial scope of the GDPR combined with Article 82, which makes Controllers and Processors jointly and severally liable for damage caused by processing in which both are involved.
Under the Data Protection Directive (the predecessor of the GDPR), it was the Data Controller's responsibility to ensure that data protection rules were followed throughout its ecosystem. Under the GDPR, a Data Processor is also directly liable for damage caused by processing where it has not complied with the obligations the regulation places specifically on processors, or where it has acted outside or contrary to the lawful instructions of the Controller.
ImageKit is responsible for securing the infrastructure that stores, uploads, manipulates, and delivers media files, whether it acts as a Data Controller or as a Data Processor for that data. In line with Article 32, we maintain the security of processing, the ongoing availability of systems and services, the ability to restore data in a timely manner after an incident, and regular testing of the effectiveness of these measures. Our architecture is built around the principles of security and privacy by design.
ImageKit also integrates with customers' existing servers or storage as origins; the credentials for those origins are stored securely on our side. To realize data protection by design and by default in practice, we recommend that customers protect their ImageKit account credentials in turn, in particular the private API key, which should be used only from server-side code and never embedded in browser or mobile applications.
Access Control: Allow only authorized administrators, users and applications to access the ImageKit dashboard and uploaded media files.
API to erase files: The Media API allows customers (Data Controllers) to delete any uploaded media file from their ImageKit account, which is what a data subject's right to erasure requires.
API to list all uploaded files: As a Data Controller you can retrieve the list of all uploaded media files through this API, which lets you answer a data subject's access request with the same information.
API to purge data from the CDN and our cache servers: You can purge files from the CDN and from our caching servers using this API. Purge the URL of a file you have deleted as well, so that copies already cached at the edge stop being served.
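The three APIs above are the building blocks of a subject access request (list) and a right-to-erasure request (delete, then purge). The following Python script, added here as an illustration and not ImageKit's own code, chains them into one idempotent erasure job for every file tagged with a pseudonymous subject id. The endpoint paths (`GET /v1/files` with `tags`, `skip` and `limit`; `DELETE /v1/files/{fileId}`; `POST /v1/files/purge` with a `url` body) and the HTTP Basic authentication with the private key as user name and an empty password are assumptions taken from ImageKit's public Media API documentation; confirm them against the current docs before running against a real account. The HTTP transport is injectable so the workflow can be exercised offline against a fake transport.

```python
"""Subject access and erasure workflow against ImageKit's Media API (illustrative)."""
import base64
import json
from typing import Any, Callable, Dict, List, Optional, Tuple
from urllib import error, parse, request

# Assumed endpoints, taken from ImageKit's public Media API docs; verify before use.
API_BASE = "https://api.imagekit.io/v1"
PAGE_SIZE = 100  # list page size used for skip/limit pagination

# A transport is any callable (method, url, headers, body) -> (status, raw_body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport using only the standard library."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def basic_auth_header(private_key: str) -> str:
    """HTTP Basic with the private key as user name and an empty password (assumed
    ImageKit scheme). The private key is a server-side secret: never ship it to clients."""
    token = base64.b64encode(f"{private_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


class ImageKitSubjectData:
    def __init__(self, private_key: str, transport: Transport = urllib_transport,
                 base_url: str = API_BASE) -> None:
        self.auth = basic_auth_header(private_key)
        self.transport = transport
        self.base_url = base_url.rstrip("/")

    def _call(self, method: str, path: str, query: Optional[Dict[str, Any]] = None,
              body: Optional[Dict[str, Any]] = None) -> Tuple[int, Any]:
        url = self.base_url + path
        if query:
            url += "?" + parse.urlencode(query)
        headers = {"Authorization": self.auth, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        status, raw = self.transport(method, url, headers, data)
        return status, (json.loads(raw) if raw else None)

    def list_files_for_subject(self, subject_tag: str) -> List[Dict[str, Any]]:
        """Access request: every file carrying the subject's tag, across all pages,
        so a large account is not silently truncated to the first page."""
        files: List[Dict[str, Any]] = []
        skip = 0
        while True:
            status, page = self._call(
                "GET", "/files", {"tags": subject_tag, "skip": skip, "limit": PAGE_SIZE})
            if status != 200 or not isinstance(page, list):
                raise RuntimeError(f"list failed: HTTP {status}: {page}")
            files.extend(page)
            if len(page) < PAGE_SIZE:
                return files
            skip += PAGE_SIZE

    def delete_file(self, file_id: str) -> bool:
        """Erasure of one file. A 404 counts as done so a retried job stays idempotent."""
        status, payload = self._call("DELETE", f"/files/{parse.quote(file_id)}")
        if status in (200, 204, 404):
            return True
        raise RuntimeError(f"delete {file_id} failed: HTTP {status}: {payload}")

    def purge_cdn(self, url: str) -> Optional[str]:
        """Evict cached copies so a deleted file is not still served from the edge."""
        status, payload = self._call("POST", "/files/purge", body={"url": url})
        if status not in (200, 201):
            raise RuntimeError(f"purge {url} failed: HTTP {status}: {payload}")
        return (payload or {}).get("requestId")

    def erase_subject(self, subject_tag: str) -> Dict[str, List[str]]:
        """Full right-to-erasure run: enumerate, delete, purge. Returns an audit record
        of what was removed, which you should keep with the request ticket."""
        report: Dict[str, List[str]] = {"deleted": [], "purged": []}
        for f in self.list_files_for_subject(subject_tag):
            self.delete_file(f["fileId"])
            report["deleted"].append(f["fileId"])
            if f.get("url"):
                self.purge_cdn(f["url"])
                report["purged"].append(f["url"])
        return report
```

Tagging every upload with a pseudonymous subject id at upload time is what makes the enumeration step reliable; without a consistent tag or folder convention there is no dependable way to find all of one person's files later. The audit record returned by `erase_subject` is the evidence you attach to the request when you confirm completion to the data subject.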
As an ImageKit customer, you are a Data Controller and ImageKit is acting as your Data Processor for your users. In this respect, you’ll want to take the following steps leading up to May 25th, 2018:
We will assist customers through appropriate measures to fulfil their obligations to respond to data subjects seeking to exercise their rights under the GDPR. Contact us to discuss your specific case by emailing email@example.com