Prepare your organization for the GDPR

What you need to know about the General Data Protection Regulation (GDPR)

As of May 25, 2018, the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), a landmark privacy law. At Okta, we are committed to our customers’ success. We’re here to assist our customers with their efforts to comply with the GDPR through the comprehensive privacy and security protections that the Okta Identity Cloud provides. Please note that the content on this page (including links) is not legal advice and is only provided for informational purposes. For legal advice, you’ll want to consult with your own organization’s legal team.

Okta’s Data Processing Addendum

Okta has published an updated data processing addendum (“DPA”) containing updated and added provisions, in order to help customers with their compliance with the GDPR. The DPA updates our customers’ existing agreements with Okta, and sets forth Okta’s obligations under the GDPR with regards to our provision of the Okta service. Okta’s DPA – which includes self-service instructions for Okta customers on how to execute the document, on page 1 – is available on our website here.

What is the GDPR?

The GDPR arose, in large part, as a holistic way to update existing, disparate, and sometimes-conflicting laws and regulations across the EU and to strengthen the protection of individuals’ personal data, in light of the rapidly-evolving technological landscape, increased interconnectivity and globalization, and more elaborate international transfers of personal data.  The GDPR replaces the legacy mix of national data protection laws that are currently in place with a single, comprehensive law, which is directly enforceable in each EU member countries.

More specifically, the GDPR regulates the “processing,” which includes the collection, storage, use, or transfer of personal data about EU individuals. Any organization (regardless of whether it is located in the EU, has an office in the EU, or has no office in the EU) that processes the personal data of EU individuals needs to comply with the GDPR.  Critically, under the GDPR, the EU defines “personal data” broadly, so that the law generally covers any information relating to an identified or identifiable individual.

What data is regulated by the GDPR?

The GDPR regulates organizations’ collection, processing, and storage of personal data of EU individuals. Personal data includes any information that can be connected back to a particular EU individual. Some of the personal data regulated by the GDPR is fairly obvious, such as email addresses and employee ID numbers. It isn’t all so straightforward, though. The GDPR also regulates information that could be traced back to a specific person, so depending on the circumstances, it may cover geolocation and behavioural data, as well. The law was written to be future-proof, so it doesn’t provide a finite list of personal data types. Generally speaking, any data that identifies a living EU individual counts as personal data.

Who does the GDPR apply to?

The GDPR applies globally to any entity that collects, stores, or processes personal data of EU individuals. It classifies these entities as either data controllers or data processors. Speaking broadly, those categories can be defined as follows:

data controller exercises control over the processing of personal data, and decides which data to collect.

data processor acts at the direction of a data controller to collect, store, retrieve, or delete personal data.

How will all of this impact you?

The biggest potential negative impacts of violating the GDPR are the possibility of fines, and the resulting erosion of an organization’s good standing in the eyes of its employees, business partners, customers, and other entities whose personal data it handles.

87% of CIOs are concerned that their organization’s current information security policies are insufficient to comply with the GDPR’s tough new requirements

– 2016 report by Egress Software Technologies

Third-party data

Includes personal data of EU individuals such as personal data related to an organization’s customers or partners.

Your own organization’s data

Includes personal data of EU individuals such as personal data related to your employees.

How ready are you?

There’s a lot to unpack in the GDPR, and the Article 29 Working Party, which is an EU organization that assists with the regulation’s implementation, is continuing to issue guidance to companies about the law’s enactment and enforcement details. Still, there are several key points that any business can take into account now to help ensure compliance.

Map your organization's data flows

Ensure you’re able to locate, correct, provide copies of, and erase EU individuals’ data that your organization collects, processes, or stores. For example, under the GDPR, EU individuals have broader abilities to request that organizations that store, process, and control their personal data delete that data if:

  • It is no longer needed for its original purpose
  • They withdraw their consent
  • They have objections to how it is being processed

Be able to transfer personal data if requested

Another major GDPR requirement is the right of subject access and data portability.

An EU individual must be able to transfer their personal data from one processing system into another without interference from the data controller. The data controller also must provide this data to the individual in a commonly used open standard electronic format.

Okta’s commitment to GDPR compliance

We view the GDPR both as an important step forward in streamlining and unifying data protection requirements across the EU, and as an opportunity for Okta to strengthen our long-standing commitment to data protection principles and practices.  

Okta complies with the GDPR in the delivery of our service to our customers. We have closely analyzed the GDPR’s requirements, and based on our findings, we have made enhancements to our products and services, our documentation and our contract documents in order to help our customers meet their GDPR compliance requirements.

While Okta can’t solve all the challenges presented by the GDPR, Identity and Access Management using a product such as Okta can provide a strong foundation for GDPR compliance and can help reduce your risk. Be sure to consult with your organization’s legal team to understand how the GDPR may apply to your organization.

In 2016, the average employee actively used 36 cloud services. The average enterprise used over 1,400 cloud services.

– 12 Must-Know Statistics on Cloud Usage in the Enterprise, Skyhigh

Remember that any other entity that handles your organization’s personal data of EU individuals, including vendors, partners, and apps, could add to your organization’s overall risk profile. Okta provides consolidation and visibility into the use of personal data, which can help meet security and compliance needs for both your enterprise and customers.

Our platform helps both individual users and large enterprises ensure they’re complying with GDPR requirements:

IAM for Enterprises

Holistic security and compliance for employees and other partners that organisations work with. For example, Flex deployed Okta to their suppliers and employees.

IAM for Customers

End-to-end security and compliance for identities provided to customers. For example, Adobe’s customer platform is secured through Okta.