What GDPR Means for Secure Identity Worldwide

No matter your organization’s location, it will need to be prepared to comply with the EU’s General Data Protection Regulation by May.


As consumers dove into the riches of the internet, they willingly signed a deal with the digital devil: they would hand over loads of their personal data in exchange for access to the companies providing those riches. But with every new data breach, consumers grow increasingly nervous about how secure their information is, and regulators around the globe are beginning to impose new requirements on how the personal data held in customer identities is managed.

Much of consumers’ personal data is accumulated in the registration process, as consumers fill out web forms in exchange for usernames and passwords to subscribe to services. In the European Union (EU), as of May 25, 2018, “all companies processing the personal data of subjects residing in the Union, regardless of the company’s location” must comply with the new EU General Data Protection Regulation (GDPR). More precisely, Article 3(2) of the regulation reaches non-EU organizations that offer goods or services to people in the EU or monitor their behaviour there. So, if an EU resident uses the internet to sign up with a US-based service provider and provides personal data when doing so, that company falls within the new regulatory regime.

The potential penalties for non-compliance are steep: up to 4% of annual global turnover or €20 million, whichever is greater. As the GDPR’s effective date looms, other countries and regions are working on their own, similar regulatory efforts, indicating that the ground is shifting dramatically.

“The GDPR is causing great concern for businesses, with 50 percent of global companies saying they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate,” according to SC Magazine UK.

The GDPR is broadly written to encompass digital records of personal information, so the sign-up process on your website may very well bring your business within its purview. Consent is only one of the lawful bases for processing, and where you rely on it, it must be freely given, specific, informed and unambiguous (an affirmative “opt in”; pre-ticked boxes and silence do not count). For special categories of data, such as health, biometric or religious information, explicit consent is required unless another Article 9 exception applies.

Other regions are developing or implementing similar regulatory regimes: the Ibero-American Data Protection Network has adopted the Standards for Personal Data Protection for Ibero-American States, and the 21 Pacific Rim member economies of the Asia-Pacific Economic Cooperation forum have developed the APEC Privacy Framework.

Don’t sweat it

Don’t despair, though. “If you wake up in a cold sweat in the middle of the night with the letters GDPR floating just above your bed, then fear not — Customer Identity Access Management (CIAM) is your knight in shining armor,” writes CSO contributor Susan Morrow. A CIAM solution can address many of the elements needed to comply with GDPR, Morrow asserts, such as letting a user “show they are over or under a certain age without revealing their date of birth or live in a certain locality without revealing their full address.”

Regardless of where it is based, any company with global aspirations should already be mapping where personal data lives in its systems, so that it can answer data-subject requests under GDPR (access, rectification, erasure, restriction and portability) and under similar regulatory regimes within the required deadlines. A CIAM solution can help companies better understand how they, and the third-party services they use, handle, store and process the personal data of individuals in the EU and in any other region where similar rules apply. To learn more about the impact of GDPR on customer identity and access management, download Okta’s ebook, Preparing your organization for the GDPR: What you need to know.

[Note: while this post discusses legal concepts and compliance topics, it does not constitute legal advice and is provided for informational purposes only.]