
GDPR and customer identity: where compliance breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: GDPR compliance is shifting from manual legal and IT workflows to identity-based controls for consent, access, erasure, logging, and lifecycle management, according to Okta. The core issue is not policy intent but operational scale: compliance fails when identity data, downstream app permissions, and audit evidence remain fragmented across systems.

NHIMG editorial — based on content published by Okta: Starting Your General Data Protection Regulation (GDPR) Journey with Okta

By the numbers:

Questions worth separating out

Q: How should organisations operationalize GDPR access and erasure requests through identity systems?

A: Treat them as lifecycle workflows, not manual tickets.

Q: Why do manual GDPR processes break down as organisations scale?

A: Manual processes break down because the number of requests, apps, and data stores grows faster than the team’s ability to reconcile them.

Q: How do you know if consent management is actually working?

A: Consent management is working when the current purpose, scope, and timestamp are available in one authoritative record and downstream applications honor those attributes consistently.

Practitioner guidance

  • Model GDPR rights as lifecycle workflows: Map access, rectification, portability, and erasure to governed provisioning and deprovisioning steps, with ownership and approval paths defined before requests arrive.
  • Store consent with the authoritative identity record: Keep consent purpose, scope, and timestamp as identity attributes that downstream apps can read consistently.
  • Centralize access evidence and login history: Aggregate system logs, access reports, and suspicious activity signals into one evidentiary trail that supports breach notification and subject access requests.

What's in the full article

Okta's full article covers the operational detail this post intentionally leaves for the source:

  • The specific mapping between GDPR articles and Okta identity functions for consent, access, and erasure workflows.
  • Examples of how Universal Directory is used to store consent and profile attributes for downstream enforcement.
  • The logging and reporting approach used to support breach investigation and supervisory authority notification.
  • The staged compliance model showing how organisations move from manual handling to platform-based governance.

👉 Read Okta's analysis of GDPR compliance through customer identity →
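The three practitioner points above (rights as lifecycle workflows, consent kept as identity attributes, one evidence trail) as an added Python sketch. This is not Okta's code or anything from the article; the store, event names, actors and sample subject are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Consent:
    purpose: str                 # e.g. "marketing"
    scope: frozenset             # attributes the subject agreed to share for that purpose
    granted_at: datetime         # timestamp of the grant, kept with the identity record
    withdrawn_at: Optional[datetime] = None

class IdentityStore:
    """Single authoritative record per subject: profile, consent attributes, evidence trail (constructed)."""
    def __init__(self):
        self.profiles = {}   # subject_id -> {attribute: value}
        self.consents = {}   # subject_id -> {purpose: Consent}
        self.evidence = []   # append-only: (utc timestamp, actor, subject_id, event, detail)

    def _log(self, actor, subject, event, detail=""):
        self.evidence.append((datetime.now(timezone.utc), actor, subject, event, detail))

    def set_profile(self, subject, attrs, actor):
        self.profiles[subject] = dict(attrs)
        self._log(actor, subject, "profile.update", ",".join(sorted(attrs)))

    def record_consent(self, subject, purpose, scope, actor):
        now = datetime.now(timezone.utc)
        self.consents.setdefault(subject, {})[purpose] = Consent(purpose, frozenset(scope), now)
        self._log(actor, subject, "consent.granted", f"{purpose}:{','.join(sorted(scope))}")

    def withdraw_consent(self, subject, purpose, actor):
        c = self.consents.get(subject, {}).get(purpose)
        if c and c.withdrawn_at is None:
            self.consents[subject][purpose] = Consent(c.purpose, c.scope, c.granted_at, datetime.now(timezone.utc))
            self._log(actor, subject, "consent.withdrawn", purpose)

    def read_for_purpose(self, subject, purpose, attributes, actor):
        """Downstream app read: only attributes covered by an active consent for this purpose are returned."""
        c = self.consents.get(subject, {}).get(purpose)
        allowed = set(attributes) & c.scope if c and c.withdrawn_at is None else set()
        denied = sorted(set(attributes) - allowed)
        self._log(actor, subject, "data.read", f"{purpose}:allowed={sorted(allowed)} denied={denied}")
        profile = self.profiles.get(subject, {})
        return {a: profile[a] for a in allowed if a in profile}

    def erase(self, subject, actor):
        """Erasure as a deprovisioning step: withdraw every consent, drop the profile, keep the evidence."""
        for purpose in list(self.consents.get(subject, {})):
            self.withdraw_consent(subject, purpose, actor)
        self.profiles.pop(subject, None)
        self._log(actor, subject, "subject.erased")
        return subject not in self.profiles

    def access_report(self, subject):
        """Subject access request or investigation: every event about this subject, in order."""
        return [e for e in self.evidence if e[2] == subject]
```

Because every read is logged against the same record that holds consent, the report for a subject reconstructs what was shared, under which purpose, and what was refused after withdrawal or erasure.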




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

GDPR exposes the same governance weakness that NHI programmes face: identity data is often distributed faster than it can be governed. The article shows that compliance breaks when consent, profile state, and downstream permissions are scattered across systems that do not share a single operating model. That is the same structural problem identity teams see with service accounts and tokens. The practitioner conclusion is that governance has to start with authoritative identity state, not after-the-fact reporting.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity evidence is often incomplete before an investigation even begins.

A question worth separating out:

Q: Who is accountable when GDPR evidence cannot be reconstructed after an incident?

A: Accountability sits with the organisation that failed to maintain a usable audit trail. If logs, access records, and application reports are missing or incomplete, the privacy and security functions cannot prove what happened or support notification obligations. That is a governance failure, not just an incident-response gap.

👉 Read our full editorial: GDPR compliance is becoming an identity governance problem
