On May 25, 2018, the General Data Protection Regulation (GDPR) became officially enforceable. This new regulation is now top of mind for any organization storing and processing EU citizen data. Consumer-facing apps and sites are particularly sensitive. The challenge is that while the GDPR provides guidelines for compliance, it is not prescriptive as to how organizations meet their requirements. What Okta has found in working across our Consumer Identity and Access Management (CIAM) customer base is that this has led to a widening variety of approaches to meeting the GDPR guidelines. Worse yet, the result is often significant uncertainty as to whether the chosen approach will meet the requirements.

The basics of GDPR and consent

The GDPR requires that consent data be collected, periodically reviewed by consumers, and provided for a specific processing purpose. Legal agreements, privacy policies, and marketing are all types of consent. Processing purposes are.