Okta’s GDPR Commitment
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018, in the European Union (EU). At Okta, we are committed to our customers’ success. We’re here to assist our customers with their efforts to comply with the GDPR through the comprehensive privacy and security protections that we offer.
These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.
Okta’s Data Processing Addendum
Okta has published an updated data processing addendum (“DPA”) containing updated and added provisions, in order to help customers with their compliance with the GDPR. The DPA updates our customers’ existing agreements with Okta, and sets forth Okta’s obligations under the GDPR with regards to our provision of the Okta service. Okta’s DPA – which includes self-service instructions for Okta customers on how to execute the document, on page 1 – is available on our website here.
What is the GDPR?
The GDPR arose, in large part, as a holistic way to harmonize laws and regulations across the EU and to strengthen the protection of personal data of individuals in the EU, in light of the rapidly evolving technological landscape.
The GDPR regulates the “processing” of personal data, which includes the collection, storage, and use or transfer of personal data in the EU.
The definition of personal data under the GDPR includes any information that can identify or make someone identifiable (the data subject). The concept of personal data under the GDPR is very broad. Some types of personal data are obviously identifying (such as names), but it isn’t all so straightforward. The definition of personal data under the GDPR extends to any information that could be linked to a person, even indirectly. Therefore, personal data may cover other data, such as geolocation or behavioural data. The GDPR was written to be future-proof, so it doesn’t provide a finite list of personal data types.
The GDPR applies globally to any entity that processes personal data of individuals in the EU, independently of the location of that entity, and to companies that monitor the behaviour of individuals within the EU. It also classifies entities as either data controllers or data processors.
Speaking broadly, those categories can be defined as follows:
- A data controller is the entity that determines the means and purposes of processing personal data.
- A data processor processes personal data on behalf of the controller.
How does all of this impact you?
The biggest potential negative impacts of violating the GDPR are the possibility of fines, and the resulting erosion of an organization’s good standing in the eyes of its employees, business partners, customers, and other entities whose personal data it handles.
Okta’s commitment to GDPR compliance
Okta complies with the GDPR in delivering our service to our customers. In the last few years, Okta has monitored new guidance and regulations, and we have made enhancements to our products and services, our documentation, and our contractual documentation to help our customers meet their GDPR compliance requirements.
Okta provides a strong foundation for GDPR compliance and can help reduce your risk. Be sure to consult with your organization’s legal team to understand how the GDPR may apply to your organization.
Remember that any other entity that handles your organization’s personal data, including your vendors and partners, could add to your organization’s overall risk profile. Okta provides consolidation of, and visibility into, the use of personal data, which can help meet security and compliance needs for both your enterprise and your customers.
Our platform helps both individual users and large enterprises ensure they’re complying with GDPR requirements.