Okta GDPR
What you need to know for GDPR
In 2016, the European Union (“EU”) enacted the General Data Protection Regulation (“GDPR”), a far-ranging piece of legislation that regulates how organisations collect, store, and process the personal data of EU individuals. The goal of the GDPR is to strengthen data protection, simplify international business regulations, and return control of private information to the average person.
GDPR stands for General Data Protection Regulation.
It is a law intended to strengthen electronic privacy for all individuals in the EU while creating uniform regulations for member countries.
The GDPR protects the privacy of all individuals in the European Union (“EU”) by creating uniform regulations for member countries relating to the free movement of personal data. The GDPR applies to personal data created by citizens of the EU, but also puts new requirements on businesses globally that collect, store, and process the personal data of EU individuals, namely:
- Being able to quickly comply with erasure requests
- Making data more portable upon request
While the GDPR was adopted by the EU last year, EU Data Protection Authorities have stated that they won’t begin enforcing the regulation until May 25, 2018. As the leader in Cloud Identity, Okta has followed the development of this regulation closely, and developed this guide to outline the key points and offer solutions to help your organisation get ready for the GDPR.
What data is regulated by the GDPR?
Some of the personal data regulated by the GDPR is fairly obvious, such as email addresses and employee ID numbers. It isn’t all so straightforward, though. The GDPR also regulates information that could be traced back to a specific person, so it covers geolocation and behavioural data that can be traced back to an individual, as well. The law was written to be future-proof, so it doesn’t provide a finite list of personal data types. Generally speaking, any data that identifies a living EU individual counts as personal data. The GDPR goes further than past privacy regulations such as Safe Harbour and Privacy Shield by classifying an IP address as personal data, if it can be used with other data to identify an EU individual. This change in particular is a significant departure from previous privacy laws.
The history of the GDPR
The EU has been at the forefront of privacy law for a long time. In 1995, it adopted the Data Protection Directive, which broadly defined personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
The GDPR applies to any global entity that collects, stores, or processes personal data of EU individuals. It classifies these entities as either data controllers or data processors. Speaking broadly, those categories can be defined as follows:
- A data controller exercises control over the processing of personal data, and decides which data to collect.
- A data processor acts at the direction of a data controller to collect, store, retrieve, or delete personal data.
In the vendor-customer context, Okta is considered a data processor under the GDPR, while our customers are data controllers. We will all be affected by the GDPR—we’re in this together.
As of today, there is not yet a way for a third party to certify that your business is GDPR-compliant. Your legal team is the best source for advice on how compliance will affect your specific organisation. However, this guide can help you understand the key points of the requirements and some of the steps you’ll need to take. The first step is to understand what data the GDPR now regulates. The most obvious part is third-party data that includes personal data of EU individuals—for example, personal data related to an organisation’s customers or partners. The GDPR also requires protecting your own organisation’s data that includes personal data of EU individuals—for example, personal data related to your employees. Essentially, any personal data of EU individuals that an organisation stores, collects, or processes for any reason falls under the purview of the GDPR.
Most companies just aren’t prepared to handle that data in the way the GDPR requires. Some other information that could be regulated by the GDPR, depending on the facts of your use case, may include:
- Employee email addresses
- Information shared with wellness programme providers
- Business card printing records
- Organisation chart tools hosted by third-party cloud providers
- Benefit tools
While the scope of the GDPR can seem daunting, using an identity-as-a-service solution such as Okta can help companies better understand how they, and the third-party services they use, handle, store, and process personal data of EU individuals.