GDPR
The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since 2018, governing how organizations collect, process and protect the personal data of people in the EU. It grants individuals rights such as access, rectification and erasure, and requires a lawful basis, data minimization and breach notification. For IAM it drives least privilege, access certification, audit trails and the ability to prove who can access personal data and why.
Definition
EU General Data Protection Regulation (Regulation 2016/679) — landmark privacy law applicable from May 2018. Establishes rights for data subjects (access, rectification, erasure, portability, restrict processing, object), obligations for controllers and processors, mandatory breach notification (72 hours), DPIA requirements, DPO appointment, fines up to €20M or 4% global turnover.
Application
- IDM/IAM impact: identity-proof requesters for DSARs, automated workflows for erasure (Right to be Forgotten), audit trails of PII access, MFA enforcement, privacy by design and privacy by default, consent management, DPIA for new identity systems.
Sources
- GDPR (eur-lex official text, EN) – primary source
- EDPB guidelines – regulator
Related terms
- CCPA / CPRA (California Consumer Privacy Act / Privacy Rights Act) (CCPA)
  California state privacy law (CCPA 2018, expanded by CPRA 2020 effective 2023) granting California residents rights over …
- Confidentiality
  Security principle ensuring data is accessible only to authorized identities. One of the CIA triad (Confidentiality, Int …
- Consent
  Voluntary, specific, informed, unambiguous indication that a data subject agrees to processing of their personal data (G …
- HITRUST CSF (Common Security Framework) (HITRUST)
  Healthcare-focused certifiable framework consolidating HIPAA, HITECH, NIST, ISO 27001, PCI DSS, GDPR, and 40+ other auth …
- Integrity
  Security principle ensuring data is accurate, complete, and not modified by unauthorized parties. One of the CIA triad. …
- Access Object
  Access Object — a unit of an information resource for which access is regulated by access control rules. May be a file, …
Frequently asked questions
How does GDPR affect identity and access management?
GDPR requires that access to personal data be justified, minimal and auditable. IAM delivers this through least privilege, role and access reviews, audit trails, and timely deprovisioning — the evidence regulators expect.
What rights does GDPR give individuals?
Key rights include access to their data, rectification, erasure (right to be forgotten), restriction, portability and objection. Organizations must be able to locate and act on a person's data across systems to honor them.
What are GDPR penalties?
Fines reach up to 20 million euros or 4% of global annual turnover, whichever is higher, for serious violations. Beyond fines, breaches carry notification duties (often within 72 hours) and reputational cost.