Next May, the long-awaited General Data Protection Regulation (GDPR), which entered into force in May 2016, becomes enforceable in the EU. In reality though, its effect will be felt worldwide: any company holding the personal data of EU individuals will have to ensure it is compliant, wherever that company is based. The penalties for breaching the legislation can be high, with fines of up to €20M or up to four percent of a company’s annual worldwide turnover, whichever is higher, depending on the circumstances.
We’re excited today to share that we’ll be compliant with the new regulations by the May 2018 enforcement date, and we wanted to offer some perspective on the new regulations. Impacted organizations have a lot to consider to ensure GDPR compliance, and it’s a major cause for concern for CIOs in particular. According to a 2016 survey by UK firm Egress Software Technologies, 87% of CIOs are concerned that their organization’s current information security policies are insufficient to comply with the GDPR’s tough new requirements, and 73.5% of CIOs are committed to tightening up their data sharing practices in response. Additionally, a recent PwC survey of American companies with an EU presence found that 77% of those companies plan to spend $1 million or more on GDPR compliance.
Providing Our Customers with Transparency and Trust
Okta believes in and fully supports the GDPR because it aligns with our core principles of trust and transparency. We’ve done significant work internally to ensure we are compliant with the new legislation ahead of the May enforcement date, and as a result, we’re well-positioned to help our customers meet their own GDPR requirements. We’re here to assist our customers with their efforts to comply with the GDPR, through the comprehensive privacy and security protections that the Okta Identity Cloud provides. Please be aware, though, that this blog post is provided for informational purposes only and does not constitute legal advice; be sure to talk to your organization’s legal team for guidance.
Additionally, this week, we published an updated data processing addendum (“DPA”) containing updated and added provisions, to confirm for our customers that Okta will comply with the applicable provisions of the GDPR. The DPA updates our customers’ existing agreements with Okta, and sets out our obligations under the GDPR with regards to our provision of the Okta service. Okta’s DPA is available on our website at okta.com/agreements.
What It All Means
So how exactly is the GDPR affecting Okta and our customers? Under the legislation, Okta is classified as a ‘data processor.’ This means we process personal data only on the documented instructions of the ‘data controller’ (our customers), who determine the purposes of the processing; our role is to decide on the technical means of that processing, such as what IT systems to use to collect the data, how to store the data, which data centers will be used, how the data will be retrieved and, when required, disposed of. Even though controllers and processors carry different obligations under the GDPR, we are in this together: our customers cannot demonstrate compliance without reliable commitments from their processors, and our DPA is how we make those commitments.
While the GDPR is a dense document, we’ve broken it down into three actionable key points that can help guide our customers towards their own compliance:
1. It’s vital to map out personal data flows and implement practices and protocols to ensure you know where the personal data you control is located and which applications have access to it;
2. Be aware of the right to erasure (also known as the “right to be forgotten”). Under the GDPR, EU individuals can request that data controllers delete their personal data. This means that each organization will benefit significantly from understanding what personal data it holds about an EU individual and, if required, being able to identify it quickly and wipe it from its systems, including any processors’ systems where it has been shared;
3. Remember the right of subject access and the right to data portability. Data subjects can ask controllers for a copy of the personal data being processed about them, and for portability that data needs to be provided in a structured, commonly used and machine-readable format so it can be transferred to another controller.
At Okta, we welcome the arrival of the GDPR. We see it as an important step forward in streamlining and unifying data protection requirements across the EU, and as an opportunity for us to further strengthen our long-standing commitment to data protection principles and practices.
For more information on GDPR and Okta’s role, visit okta.com/gdpr.