The GDPR, Identity, and Your Organization

The General Data Protection Regulation (“GDPR”) ‘go-live’ date is just around the corner and, if I were a betting man, I’d say that odds are you aren’t adequately prepared. You might be thinking, “But hey, Joe, I have until May 2018 to get my house in order.” Truth is, that isn’t much time to audit the services, data and controls you have in place to effectively meet GDPR at scale. The good news? You aren’t alone. Many organizations are going to face the same challenges around impending GDPR guidelines, and we here at Okta are committed to assisting our customers as they finalize their GDPR readiness plans.

Please be aware that even though we’re talking about legal concepts here, this blog post is provided for informational purposes only and doesn’t constitute legal advice - be sure to talk to your organization’s legal team for guidance.

What is the GDPR?

The GDPR is a comprehensive, European Union data protection law designed to strengthen data protection and privacy for individuals within the European Union.

The gist: covered organizations and service-providers alike will be held accountable for the safeguarding and portability of personal data.

How can we help?

  1. Centralized identity for employees, partners and contractors: Under the GDPR, organizations that control personal data of EU individuals need to be aware of which applications have access to that data. Okta’s products can greatly simplify the process of maintaining a centralized identity store for all your users, across all applications—both in the cloud and on-premises.
  2. Breach notification: The GDPR requires organizations that control personal data of EU individuals to notify impacted individuals of a data breach within 72 hours, in certain cases. Okta provides complete visibility into all authentication events, and can provide you with the forensics needed to identify the personal data that may have been exposed because of a breach.
  3. Strong authentication: Okta’s platform was designed from the ground up to help hybrid environments connect and manage services while keeping a close watch on security risks. People are known for having weak and recycled passwords, and IT is far too overwhelmed to ensure that they only have access to the services and data needed to do their jobs. This keeps the attack surface large, and makes it increasingly difficult to respond to account compromise. Okta greatly reduces these risks by providing identity assurance through its Adaptive Multi-Factor Authentication product.
  4. Complete visibility: The GDPR highlights the importance of having a complete understanding of which users have access to which applications, and with what permission types. Not only does Okta help you to understand your potential risk exposure, but it also provides the reporting needed to identify the data that a user has access to.
  5. Reduce PII Exposure: Too often, when employees change roles within a company, they retain access to data they no longer have a business requirement to view. Under the GDPR, this unnecessary exposure to PII may result in huge fines. Okta Lifecycle Management enables organizations to build an end-to-end map of who has access to which services and understand how frequently they’re being used, and automatically remove access to applications containing PII based on group membership, role, and business need.
  6. Privacy by design: There are several steps Okta takes to create and manage as little personal data as possible, while ensuring that end users maintain a semblance of control over their own personal data in corporate-provided services.
  • When we provision a user account for a service, we only populate the fields necessitated by that application.
  • We believe in data transparency, so users can see what information has been made available to any offering.
  • Policies keep information up-to-date and synchronized between critical systems such as Active Directory and HR systems (e.g. Workday). This also provides a means for automated deprovisioning, which greatly simplifies supporting an individual’s ‘right to be forgotten’.
  7. Security ecosystem integration: Okta strongly believes in providing tight integration with your critical infrastructure and cybersecurity investments. This includes integrations to Splunk, Palo Alto Networks, F5 Networks and more. This enables an organization to quickly identify a compromised user to prevent an attack from becoming a successful breach.

Through securing access to applications and critical infrastructure, Okta can help you in your daily battle to stay ahead of threat actors and the ever-changing regulatory landscape. The GDPR is a complex regulation that can require significant changes in how customers and vendors gather and manage data. When it comes to Identity & Access Management and preparing for the GDPR, Okta has your back.