Online data privacy has always been a controversial topic. The fact that users store data with third parties has demanded increased transparency on how these platforms actually store and process personal data. Data breaches resulting in compromised personal information have added fuel to the fire, proving that privacy concerns are warranted. These data privacy issues have predictably led to the creation of legislation across the globe that prescribes how data should be stored, secured, processed, shared, and ultimately destroyed. The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, and deals with data protection and privacy for individuals within the European Union (EU), is undoubtedly one of the most important pieces of legislation to date.
For more information on the GDPR, including how to ensure that your company is compliant, visit the Okta GDPR page.
The most significant change introduced by the GDPR was a sizable extension of jurisdiction. Under the GDPR, all companies processing data belonging to EU citizens are subject to its terms and conditions. The GDPR also instituted stiffer penalties, with fines of up to 4% of worldwide annual revenue for the prior financial year, or 20 million euros (whichever is greater). The conditions for giving consent were also strengthened. Organizations now need to request consent in a clear and easily accessible form that explicitly states the purpose of data collection.
The first two months: how have companies reacted to the GDPR?
The sweeping changes introduced by the GDPR have had a profound effect on all organizations that obtain, process, and store user data, be they resident in the EU or not. Since the GDPR applies to data related to EU citizens, any organization with a site accessible from any global location—and which collects, processes, or stores user data—needs to put measures in place to comply with the GDPR. This far-reaching ramification has resulted in inboxes filled with privacy-policy update notifications, and visitors being presented with permission requests to collect cookies each time they access a website.
When the GDPR came into effect, complaints against global technology giants such as Facebook and Google quickly emerged. Users complained they were being forced to grant consent to continue using these services. Both Facebook and Google also faced lawsuits amounting to $8.8 billion on the first day that the GDPR was enforceable. Other organizations such as the Los Angeles Times took drastic measures by restricting access to their sites, effectively blocking EU readers to avoid risks introduced by the GDPR. The New York Daily News and Chicago Times resorted to a similar approach, while Time and The Washington Post forced European users to accept updated terms and conditions. Indeed, updating terms and conditions has been a priority, since new regulations demand much greater clarity when it comes to how data will be stored, and where it will be used. User consent must also now be clearly given when it comes to data collection. Twitter is a good example of a company that prompted EU users with a new security notification that made it easy to opt out of different data collection scenarios.
Following the implementation of the GDPR, many online users saw a flood of emails and notifications announcing updated terms and conditions, but despite these updates, many companies are still not fully compliant. The new regulations are so extensive that many companies are struggling to comply, which is highly problematic when you consider that this opens them up to major fines.
To illustrate the substantial penalties that organizations found to be non-compliant with the GDPR face, consider the following: Yahoo would have had to pay fines of up to $160 million for the breach it suffered in 2014, and Equifax would have had to fork out $124 million for its 2017 security incident. With fear of penalties being the motivating factor, online organizations face two choices: either comply with the GDPR, or put measures in place to restrict EU residents from accessing services.
Securing identity under the GDPR
How do you go about securing identity and ensuring privacy under the GDPR? With the leading cause of data breaches being attacks against identity—where techniques like phishing, password spraying, or credential stuffing are used to compromise systems—organizations need to mitigate the risk of single-password authentication.
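The attacks named above leave distinct traces in authentication logs, and spotting them is the first step toward deciding where single-password logins need a second factor. The following Python script is an added example for this post, not Okta code: it runs over a small constructed log (one event per line, `<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>`, a format assumed here) and flags password spraying (one source failing against many accounts), per-account brute force, and a success that follows a burst of failures, which is the case a defender would want to route to step-up MFA or session review.

```python
"""Flag identity-attack patterns (spraying, brute force, suspicious success)
in authentication logs. Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. Each line:
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2018-06-01T10:00:01 203.0.113.7 alice FAIL
2018-06-01T10:00:02 203.0.113.7 bob FAIL
2018-06-01T10:00:03 203.0.113.7 carol FAIL
2018-06-01T10:00:04 203.0.113.7 dave FAIL
2018-06-01T10:00:05 203.0.113.7 erin FAIL
2018-06-01T10:00:06 203.0.113.7 frank SUCCESS
2018-06-01T10:05:00 198.51.100.9 grace FAIL
2018-06-01T10:05:01 198.51.100.9 grace FAIL
2018-06-01T10:05:02 198.51.100.9 grace FAIL
2018-06-01T10:05:03 198.51.100.9 grace FAIL
2018-06-01T10:05:04 198.51.100.9 grace FAIL
2018-06-01T10:05:05 198.51.100.9 grace FAIL
2018-06-01T11:30:00 192.0.2.44 heidi SUCCESS
"""

# Tuning knobs (assumed values; calibrate against your own baseline).
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts one source must fail against
BRUTE_MIN_FAILS = 5      # failures against one account from one source
SUCCESS_PRIOR_FAILS = 3  # failures from a source before a success is suspicious


def parse_log(text):
    """Parse log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect(events):
    """Return a list of (kind, source_ip, detail) findings."""
    findings = []
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if not e[3]]

        # Sliding window over this source's failures.
        start = 0
        spray_reported = False
        brute_reported = set()
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]

            # Spraying: few guesses each against many different accounts.
            users = {e[2] for e in window}
            if len(users) >= SPRAY_MIN_ACCOUNTS and not spray_reported:
                findings.append(("password_spraying", ip, sorted(users)))
                spray_reported = True

            # Brute force: many guesses against one account.
            per_user = defaultdict(int)
            for e in window:
                per_user[e[2]] += 1
            for user, n in per_user.items():
                if n >= BRUTE_MIN_FAILS and user not in brute_reported:
                    findings.append(("brute_force", ip, user))
                    brute_reported.add(user)

        # A success right after a burst of failures from the same source is the
        # event to route to step-up (MFA) or session review, not just to log.
        for i, e in enumerate(evs):
            if e[3]:
                recent = [f for f in evs[:i] if not f[3] and e[0] - f[0] <= WINDOW]
                if len(recent) >= SUCCESS_PRIOR_FAILS:
                    findings.append(("success_after_failures", ip, e[2]))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} source={ip:14} {detail}")
```

On the sample above, the script reports spraying from 203.0.113.7 (five accounts, one guess each) followed by a suspicious success for `frank`, and brute force against `grace` from 198.51.100.9. The thresholds are deliberately simple; in production the spraying check should also consider sources that rotate IP addresses, which a per-IP window alone will miss.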
By using multiple security layers and deploying a defense-in-depth approach, organizations can improve security and reduce the risks of a data breach and GDPR penalty. Okta Single Sign-On (SSO) can provide a consistent login and reduce identity sprawl, while Adaptive Multi-Factor Authentication (MFA) secures access to apps and provides additional authentication factors based on the context of an authentication event. Thanks to fully encrypted and unified user profiles, Okta’s Universal Directory secures personal data. Lifecycle Management provides visibility into which users have access to which apps and their individual permissions at a glance.
While it can be difficult to ensure that your company is in full compliance with the GDPR, it’s important to start by mapping data flows and making sure that information is secure at all times. Okta can help by simplifying identity management. By making it easier to see exactly where sensitive information is being stored—and who has access to it—it becomes much less daunting to conform to the demands of the GDPR.