Skip to main content

GDPR, Salesforce, and You

GDPR, Salesforce, and You

Prepare for a New Era of Data Regulation

My mom has done it again- another phenomenal article!  If you follow her on LinkedIn already, you know that she loves to write.  She has been talking about GDPR for the past few months, and her company (Capstorm) has developed a solution for GDPR that is simple but brilliant.  Read my mom's article below or click here to download!


What is the EU General Data Protection Regulation?

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” https://www.eugdpr.org/

Translation: New privacy laws are in place regarding all data related to EU citizens and how companies handle that data.

Key aspects of GDPR include:
  1. Breach Notification - A mandatory 72 hour notification timeline is in place for most data breaches.
  2. Right to Access - Businesses must provide a copy of a person’s data upon demand in an electronic format.  
  3. Right to be Forgotten - A person can request that all of their data be erased, and this must be done “without undue delay.”
  4. Consent - A person must be informed as to why their data is being collected and the intended use for that data.

GDPR & Salesforce

In addition to providing customers with GDPR information, Salesforce has taken many steps to ease the pain of this legislation, such as the new standard “Individual” object and a robust data processing addendum.  Salesforce can not, however, be responsible for the data that each company enters into Salesforce, and complying with GDPR regulations is the responsibility of every company doing business in the EU, collecting or storing any personal data about EU subjects, or monitoring the behavior of EU subjects.  “Monitoring can be anything from putting cookies on a website to tracking the browsing behavior of data subjects to high tech surveillance activities.”

Essentially, every company with an international reach or a sophisticated website is responsible for GDPR compliance.

GDPR & You

How do you prepare for GDPR?
Many resources are available, but they all have a common theme.  You must consider:
  • Personal Data
    • What data you have
    • Where the data is stored
    • Who can view / with whom it is shared
    • Why you have the data and how it is being used
    • How long do you need it & why
  • Processes & Procedures
    • Data access requests
    • Data removal requests
    • Consent documentation 

Personal Data

What is personal data?
The most basic definition is any data that can be used to identify an individual person, but this extends to more indirect identification such as a credit card or IP address.  For a more in depth description, reference https://www.gdpreu.org/the-regulation/key-concepts/personal-data/.

The most complicated starting place for GDPR compliance is identifying each instance of personal data.  This can be incredibly complex. For example, a single contact name and email address may be found in a myriad of places: A Salesforce contact record, Salesforce field history,  Salesforce report, MailChimp campaigns, an in-house accounting system, within the outbound emails of 4 employees, with 2 contracts in Salesforce, any number of Salesforce notes and attachments, on a paper job application form, within a spreadsheet created by human resources, etc.

After determining all locations where personal data is stored, consider how these processes can be streamlined in order to eliminate unnecessary data storage locations.  I.E. Converting from paper to electronic job applications and storing this data within Salesforce.

Next, be able to prove why the data is in your possession and that proper consent was obtained for the collection of this personal information.  If data is being shared with a third party, you must be able to prove that a data removal request is complete. Personal information must also be corrected upon request so, for example, if a contact changes their email address this information must be relayed through your systems and to any third parties.  Ease of data access is key in order to comply with Right to Access - providing an electronic copy of a person’s data upon request.

How long should data be retained?
Many marketing organizations prefer to keep personal information indefinitely for analytical purposes, but this practice is very risky.  Companies are obligated to erase personal data when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” - GDPR Article 17 Right to erasure.  For example, if a person applies for a mortgage but decides to use another lender, the “purpose” would be completed the moment the application is withdrawn. Should this data be kept for analytics? Marketing may say yes but to be in compliance with GDPR, you must be very careful with what data is retained and for how long.  A best practice is to remove or obfuscate any personal data.

Processes & Procedures

     
The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben): http://www.salesforceben.com/gdpr-salesforce-ebook/

Once you know where personal data is stored systems must be put in place to allow individuals to request a copy of their data.  A simple method to find, provide, remove, and obfuscate personal data is key. The GDPR provides a fairly narrow timeline for responding to data requests - 30 days in most cases.  Data must also be in a “commonly used and machine-readable format” - GDPR Article 20 “Right to data portability.”

Data removal
Salesforce provides guidance on data deletion, however locating the exact places where personal data is stored within Salesforce can be a challenge.  How can you find every instance of a particular email address within an attachment body? If you are using data integration services, such as email to Salesforce, the challenge of data location increases exponentially.  

Reference advice from Salesforce: Delete Personal Data

Removing or deleting data can have its own set of consequences due the the hierarchical structure of Salesforce.  A better approach to outright deletion is data obfuscation. Obfuscation can take personal data and transform it so that it still pases validation rules and can be used for reporting, without violating GDPR regulations.  An example: A lead requests to be removed from all marketing communication. You may wish to retain the fact that you had 2,000 leads generated from a particular marketing campaign, along with some non-personal items such as city and country.  The individual lead, however, must have obfuscated data in the name, email, and phone fields. Instead of deleting the lead entirely, obfuscate.

Capstorm has a solution for finding all occurrences of a personal identifier and obfuscating the results within Salesforce.  Reference - How can Capstorm help? later in this document.

Considerations with 3rd Party Vendors & Consultants

If your business is sharing data with a 3rd party vendor, GDPR compliance carries a more hefty burden, and you may have liability for a third party’s actions.  Consider what personal data is shared, why is is shared, and how it is used by the vendor.



One solution is to keep data in-house as much as possible, and only share data containing obfuscated personal information.  Instead of allowing a consultant to view and extract data from Salesforce production, create a test data set for the consultant while transforming sensitive fields.  Consider an on-premises Salesforce backup solution (such a Capstorm’s CopyStorm) to ensure that only your team has access to your data. Additional items to consider:
  1. Is any personal data processing outsourced by the 3rd party? If so, do you know who is accessing the data and are all of the parties located in a country that follows strict data regulations?  Consider the difficulty of complying with a data removal/deletion if you do not know who actually has the data... 
  2. Are contracts in place to lower your liability?  Be aware that you may not be able to completely eliminate your liability even with a contract requiring that the 3rd party follow GDPR regulations. 
  3. How long will it take to get your data from the 3rd party? You have a limited window of time to prove that you have cleansed personal data.  Waiting for a 3rd party to return data can quickly consume the response period.  
  4. Is there a simple way to prove that data has been removed or obfuscated?  Do you have a view into the 3rd party’s databases? One major advantage to keeping personal data in-house is the ease of proving data removal. 
  5. What is the notification procedure in case of a data breach?  You may have 72 hours or less to announce the breach under GDPR.  Historically, revealing a breach is hard to admit because it throws doubt on the 3rd party’s security and credibility.  See more below…

Consider Equifax - A data breach was discovered on July 29th.  The public was not informed until September 7th. The timeliness of this announcement would likely have impacted Equifax strongly if Equifax was under GDPR regulations.  A fine can be up to 20 million euros or 4% of the prior year’s worldwide revenue - Ouch!

Factors Outside of Your Control

Despite your best efforts, factors outside of your control may have an impact on GDPR compliance.
  • Consider Microsoft’s case with the US Supreme Court.  Depending upon the ruling, Microsoft may have to violate GDPR by providing the US with emails, stored on a server in Ireland   http://money.cnn.com/2018/02/25/technology/microsoft-us-supreme-court-data-sharing/index.html
  • Complete control over data with 3rd party vendors may not be possible and even the best security systems can be breached.
  • Identifying all instances of personal data is extremely difficult and data repositories may be overlooked. (Perhaps a former employee did not surrender a phone or laptop that contained customer hone numbers and email addresses….)
  • GDPR legislation has yet to be tested in a court of law.  Early lawsuits may have substantial bearing on how the law is applied in reality.  It behoves every company to actively monitor the legislation as it matures while ensuring to the best of your ability that GDPR is closely followed. 

How can Capstorm help?

Capstorm’s CopyStorm/Search application empowers you to find all occurrences of a piece of personal data within Salesforce.  How? CopyStorm first recreates your Salesforce database in a local relational database. CopyStorm/Search analyzes the data, using criteria that you specify.  This search goes beyond field data into items that are difficult to search natively within Salesforce suche as CaseEmail threads. You can then choose which data to obfuscate within your Salesforce and select a data transformer.  Data can also be obfuscated with a value that you choose. A few obfuscation examples:
  1. A standard method to obfuscate emails: drew@capstorm.com may be replaced by accountmanager@capstorm.com , inserting the individual’s title instead of their name.  All instances of “Drew” are replaced by “accountmanager” thus ensuring that your data remains connected.  
  2. Replacing all instances of a name in a standardized format.  All instances of ‘Thomas Smith” may be replaced with “Patient367.” 
  3. A dictionary substitution for Salesforce sandboxes: Transform personal data into data that looks real, but does not reference the original data subject.  All instances of “Mary” are replaced by “Michelle”- a randomly chosen name that starts with the same letter. 

For a personal introduction to CopyStorm/Search, contact info@capstorm.com

Resources

You can read the full transcript of the legislation at https://gdpr-info.eu/.  Please note that all information within this paper is to be considered informative and should not be taken as legal advice.  

Take the Trailhead Module - European Union
Privacy Law Basics or reference these sites for additional information:

Articles & Websites


GDPR Portal

Information Commissioner’s Office

GDPR Superheroes

Personal Data Definition

The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben)

InfoSecurity: Top Thoughts for GDPR Third-Partyt Management

Equifax data breach: What you need to know

Supreme Court to hear high-stakes Microsoft case testing email privacy

GDPR Legislation


Intersoft Consulting - GDPR legislation in an organized / searchable format

Salesforce.com Articles


Salesforce’s GDPR Information Page


Salesforce GDPR Key Facts

Salesforce GDPR: Fiction versus Fact



About the Author
Rebecca Gray is part of the Capstorm team, the industry leader in Salesforce backup & restore.  She is a certified Salesforce Administrator and a leader of the St. Louis Salesforce user group.  Rebecca also authors the Trailhead Baby blog, (trailheadbaby.blogspot.com) a site dedicated to all things Trailhead with tips & tricks for difficult trails.  Rebecca can be contacted @RebeccaGray on the Salesforce success community or by emailing rebecca@capstorm.com. Explore Capstorm’s Salesforce backup and recovery solutions at www.capstorm.com.

Comments

Popular posts from this blog

Service Cloud Specialist Superbadge - 4,5,6,7

Part of doing the Service Cloud Specialist superbadge is trying new things, so I am putting up picture of new things that I've tried recently.  One of my favorite new things this week was taking a shower with my whole block collection.  Mom put me in the shower, and I sneaked out to grab the block bin and dumped it in.  I'm concerned to share photos because of the slight nudity, however, I can assure you that it was a glorious adventure.  Instead, I'll share my favorite Saturday new thing- walking to the coffee shop for a sprinkle donut!  Back to the superbadge... Challenge 4 Case Routing If you haven't taken the Onmi Channel module yet, now is a good time! I kept that particular module open one on screen while I walked through this step.  It is hard to give many hints about this step without giving away too many details - so - the best advice is to read through the challenge and label each step with the corresponding Salesforce term.  (IE - "The...

Business Administration Specialist Superbadge- 3 & 4

This afternoon, I added a genius wig in an attempt to look a little older and more experienced.  The free lemonade offer worked!  I made two dollars today!  A huge thank you to Jocelyn Fennewald , Salesforce MVP, for pointing out the "remove all columns" option within the report creator.  When you start a create a new report, simply click to start with a clean screen.  If you are familiar with report and dashboards, this challenge should only take 30 or so minutes to complete.  Below are tips and gotchas for each report / dashboard.  If you need more help, leave a comment! Reports Accounts by Market To create the "Market" row grouping, use a bucket field. Make sure that the correct date range is selected. High Value Residential  This report includes: 1 filter, 1 grouping, and 1 summarized field.  Rated Accounts by State The record count for state and account rating are automatically added. Note the filter.  ...

Service Cloud Specialist Superbadge - 1,2,3

A confession - I know next to nothing about service cloud.  While I was excited that a new superbadge was available, it made me a little nervous that I had to do all of the prerequisites and tackle new things like macros.  New things - new year - let's get started! (Right after I finish guitar practice) If you are also a service cloud novice, the Omni-Channel Basics is a crucial prerequisite even though it is not officially required. Challenge 1 App Appearance  This, like all superbadges, requires a careful read through the instructions prior to any clicking.  I found it helpful to take a separate notebook and write down the steps that I would need for each challenge step - for example -  My rough notes for challenge 1: Create 2 profiles  Tweak service Console 3 new items on utility bar Allow access for new profiles Create User  Beware - After editing the service console, you might have to edit the new profiles.  I found i...