In May 2018 a new data protection law, the GDPR, comes into force, replacing the current data protection laws with a single set of rules enforceable in each EU member state.
GDPR regulates any processing of data relating to an EU individual. This includes:
If your organisation handles any personal data of individuals belonging to the EU, then this applies to you.
So what’s changed?
The new laws place more obligations on organisations and give more privacy rights to individuals. As an organisation you are required to:
- Implement the required policies and security procedures
- Ensure detailed records are kept of data activities
- Carry out a privacy impact assessment
- Put written agreements in place with 3rd-party vendors
- Report data breaches to data protection authorities and to the individual concerned under certain circumstances
- Meet new obligations if your organisation profiles or monitors EU individuals
- Use Binding Corporate Rules (BCRs) to govern the legal transfer of personal data outside the EU
Large fines can be issued by the authorities if a serious data breach occurs.
Salesforce and GDPR
Below are the three mechanisms that Salesforce uses for personal data transfers across borders.
Binding Corporate Rules
BCRs – European data protection authority policies which govern the legal transfer of personal data outside the EU.
The EU-US Privacy Shield and Swiss-US Privacy Shield
Frameworks which provide a mechanism for companies to comply with European data protection requirements when transferring data from the EU to the US.
Standard contractual clauses
Known as ‘Model Clauses’: legal contracts for transferring data from the EU to countries outside the EEA which protect personal data.
What do I need to do to get compliant?
To start, the need for GDPR compliance has to be owned by senior management.
They need to be made aware of how important compliance with GDPR is. Without this buy-in, and an appreciation at the top of the risks, challenges and pitfalls, this job will be difficult.
The next step is to set up a dedicated team with an overall data protection officer. It’s good to have at least one person from each department; staff from IT security, procurement, legal, HR, product management and marketing are a must-have.
Now you need to look at what you currently have in place regarding privacy and security and identify the areas to focus on. One of the biggest questions is: where does your company store personal data?
This data can come from various sources such as employees, job applicants, web forms, customer purchases, loyalty or warranty cards, event attendees etc. When you start investigating this you will probably find there are multiple places and departments where this data is stored.
From your investigations you will be able to create a data processing register, which will help you identify which processes pose a high risk to data privacy.
For each of these high-risk processes you need to carry out an assessment against the GDPR guidelines and collate any actions that need to be taken to ensure compliance.
Now that you have a handle on the risks, you can plan what needs to happen to ensure your company is compliant.
Things you need to consider are:
- Privacy Notices – needed wherever personal data is collected, including cookies and tags;
- Security – needed to prevent unauthorised access to personal data, including editing, deleting or disclosing it;
- Data subject rights – management of consent preferences, complaints, access, restriction, portability and the right to be forgotten;
- Management of vendors – contracts are required for vendors, affiliates and 3rd parties that handle personal data, including data transfers;
- Response to incidents – detection and investigation of breaches and notification of such breaches to the relevant parties;
- Training – employees and vendors must be aware of their responsibilities;
- Assessments – data protection impact assessments, needed for each high-risk data activity.
Does Salesforce have anything to help me?
Funny you should ask that….
Let me introduce Salesforce Shield.
Shield is a set of security services which integrate natively with Salesforce (at an additional cost).
You may not need Shield to comply with GDPR, but it can help with the journey to compliance. Shield provides transparency over how company data is being interacted with and provides encryption at rest without affecting any functionality. It is an enhancement on the out-of-the-box encryption features.
You can encrypt fields, files, attachments and Chatter data. It sits on top of field-level security and object-level security.
Shield has three main features:
Platform Encryption
Allows encryption of data at rest without loss of functionality; as it’s built natively on the Salesforce Platform it is easy to set up.
The ability to encrypt at rest assists with GDPR compliance by de-identifying sensitive personal data, such as data relating to a person’s race or sexual orientation.
Event Monitoring
Gives visibility into what data users are accessing, which IP addresses they are using and any actions happening with that data. Accessed via the API as a CSV file.
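Event Monitoring hands you the data as CSV, so the investigation work happens in whatever you parse it with. The script below is an added example, not code from this post or from Salesforce: it decodes a log file the way the API delivers it, parses it offline and, for a breach investigation, summarises per user the IP addresses seen, failed logins and reports exported. The two CSV samples are constructed (made-up user IDs, names, report IDs and addresses), the column subset is an assumed representative one (real files carry many more columns and one event type per file), and the office network range is an assumption.

```python
import base64
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample files. Real EventLogFile records deliver one CSV per
# event type and day with many more columns; these carry an assumed
# representative subset and made-up IDs, names and addresses.
LOGIN_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,USER_NAME,CLIENT_IP,LOGIN_STATUS
Login,20180301093000.000,005xx0000000001,alice@example.com,10.1.2.3,LOGIN_NO_ERROR
Login,20180301093500.000,005xx0000000002,bob@example.com,10.1.2.7,LOGIN_NO_ERROR
Login,20180301213500.000,005xx0000000002,bob@example.com,198.51.100.9,LOGIN_NO_ERROR
Login,20180301214000.000,005xx0000000003,carol@example.com,198.51.100.44,LOGIN_ERROR_INVALID_PASSWORD
"""
REPORT_EXPORT_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,USER_NAME,CLIENT_IP,REPORT_ID
ReportExport,20180301100000.000,005xx0000000001,alice@example.com,10.1.2.3,00Oxx0000000AAA
ReportExport,20180301214500.000,005xx0000000002,bob@example.com,198.51.100.9,00Oxx0000000BBB
ReportExport,20180301215000.000,005xx0000000002,bob@example.com,198.51.100.9,00Oxx0000000CCC
"""

# Assumed corporate address range; anything outside it is "off-site".
OFFICE_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]


def decode_event_log(b64_logfile):
    """The EventLogFile.LogFile field arrives base64-encoded; return the CSV text."""
    return base64.b64decode(b64_logfile).decode("utf-8")


def parse_event_log(csv_text):
    """Parse one log file into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarise_by_user(events):
    """Collect, per user name, the IPs seen, failed logins and reports exported."""
    summary = defaultdict(lambda: {"ips": set(), "failed_logins": 0, "exports": set()})
    for event in events:
        user = summary[event["USER_NAME"]]
        user["ips"].add(event["CLIENT_IP"])
        if event["EVENT_TYPE"] == "Login" and event.get("LOGIN_STATUS") != "LOGIN_NO_ERROR":
            user["failed_logins"] += 1
        if event["EVENT_TYPE"] == "ReportExport":
            user["exports"].add(event["REPORT_ID"])
    return dict(summary)


def is_office_ip(ip):
    return any(ipaddress.ip_address(ip) in net for net in OFFICE_NETWORKS)


def flag_users(summary):
    """Return (user, reason) pairs an investigator should look at first."""
    findings = []
    for user, stats in sorted(summary.items()):
        outside = sorted(ip for ip in stats["ips"] if not is_office_ip(ip))
        if stats["exports"] and outside:
            findings.append((user, "exported %d report(s) from non-office IP(s) %s"
                             % (len(stats["exports"]), ", ".join(outside))))
        if stats["failed_logins"]:
            findings.append((user, "%d failed login(s)" % stats["failed_logins"]))
    return findings


def triage(*csv_texts):
    """Merge any number of decoded log files and return the findings."""
    events = [event for text in csv_texts for event in parse_event_log(text)]
    return flag_users(summarise_by_user(events))


if __name__ == "__main__":
    for user, reason in triage(LOGIN_CSV, REPORT_EXPORT_CSV):
        print("%s: %s" % (user, reason))
```

Against the sample data this reports bob@example.com for exporting two reports from an address outside the office range and carol@example.com for a failed login; alice@example.com's export from an office address is not flagged. In a live org the CSV text comes from querying the EventLogFile object (its EventType, LogDate and LogFile fields) through the API and passing each LogFile value through decode_event_log; the thresholds and the office range are the parts you tune to your own environment.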
Field Audit Trail
A bit of a time machine, as it allows you to see the value and state of data historically. Gives 10 years of audit data and up to 60 fields per object.
Spring 18 brings a couple of new data protection features to the table.
The 'Individual' Object
This new object stores individuals’ data preferences on how they want their data used, shared and stored. A master-detail relationship connects the new object to the Lead or Contact.
It is easy to set up: in Setup, go to ‘Data Protection and Privacy’, select Edit and check the ‘Make data protection details available in records’ box, and you’re nearly good to go.
Now add the ‘Individual’ field to the Lead and/or Contact Page layouts and link a Contact or Lead to their ‘Individual’ Record using a Lookup search.
The out of the box fields are basic but enough to start with:
You can add your own fields and formulas and use the Individual object to filter data in reports. For marketing reporting, campaign segmentation allows the exclusion of individuals who have opted out of receiving any communications and don’t want to be profiled.
If you use Data.com Prospector or Clean, you will see that data relating to UK and Ireland contacts is removed from the Connect database and the Clean Status field will display ‘Not Found’.