GDPR
General Data Protection Regulation (Regulation (EU) 2016/679)
The GDPR is the EU's comprehensive data protection law governing how the personal data of individuals in the EU is collected, processed, and secured. It has applied since 25 May 2018 and sets binding rules on lawful basis, consent, individual rights, security, and accountability. It is widely regarded as the global benchmark for privacy regulation.
Who it applies to
Any organization (controller or processor) that processes the personal data of individuals in the EU, regardless of where the organization is located. Its extraterritorial reach covers non-EU companies that offer goods or services to, or monitor the behavior of, people in the EU.
Identity requirements
- Establish a valid lawful basis (such as consent or legitimate interests) for processing identity data
- Obtain freely given, specific, informed, and unambiguous consent where consent is the basis
- Apply data minimization and purpose limitation to identity attributes collected and stored
- Implement appropriate technical and organizational security measures, including strong authentication and encryption where appropriate
- Honor data subject rights including access, rectification, erasure, and portability
- Maintain records of processing and conduct Data Protection Impact Assessments for high-risk identity processing
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Requires lawful basis, granular consent capture, and preference management for customer identity data. |
| Authentication & MFA | Drives strong authentication and encryption as appropriate technical measures to protect identity data. |
| Audit, logging & accountability | Mandates records of processing and demonstrable accountability for how identity data is handled. |
| Breach notification | Requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. |
| Data residency & cross-border transfer | Restricts transfers of personal data outside the EU absent adequacy or safeguards such as standard contractual clauses. |
Penalties
Fines of up to 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher.
GDPR: frequently asked questions
- Who must comply with GDPR?
  - Any controller or processor handling personal data of individuals in the EU, including non-EU organizations that offer goods or services to, or monitor, people in the EU.
- Does GDPR require MFA?
  - GDPR does not name MFA explicitly, but it requires appropriate technical and organizational security measures, and regulators increasingly treat strong authentication such as MFA as an expected safeguard for protecting identity data.
- How quickly must a breach be reported under GDPR?
  - Controllers must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.