GDPR, Salesforce, and You
Prepare for a New Era of Data Regulation
My mom has done it again- another phenomenal article! If you follow her on LinkedIn already, you know that she loves to write. She has been talking about GDPR for the past few months, and her company (Capstorm) has developed a solution for GDPR that is simple but brilliant. Read my mom's article below or click here to download!
What is the EU General Data Protection Regulation?
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” https://www.eugdpr.org/
Translation: New privacy laws are in place regarding all data related to EU citizens and how companies handle that data.
Key aspects of GDPR include:
- Breach Notification - A mandatory 72-hour notification timeline is in place for most data breaches.
- Right to Access - Businesses must provide a copy of a person’s data upon demand in an electronic format.
- Right to be Forgotten - A person can request that all of their data be erased, and this must be done “without undue delay.”
- Consent - A person must be informed as to why their data is being collected and the intended use for that data.
GDPR & Salesforce
In addition to providing customers with GDPR information, Salesforce has taken many steps to ease the pain of this legislation, such as the new standard “Individual” object and a robust data processing addendum. Salesforce cannot, however, be responsible for the data that each company enters into Salesforce, and complying with GDPR regulations is the responsibility of every company doing business in the EU, collecting or storing any personal data about EU subjects, or monitoring the behavior of EU subjects. “Monitoring can be anything from putting cookies on a website to tracking the browsing behavior of data subjects to high tech surveillance activities.”
Salesforce White Paper: GDPR Key Facts: https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/white-papers/gpdr-fact-sheet.pdf
Essentially, every company with an international reach or a sophisticated website is responsible for GDPR compliance.
GDPR & You
How do you prepare for GDPR?
Many resources are available, but they all have a common theme. You must consider:
- Personal Data
  - What data you have
  - Where the data is stored
  - Who can view / with whom it is shared
  - Why you have the data and how it is being used
  - How long do you need it & why
- Processes & Procedures
  - Data access requests
  - Data removal requests
  - Consent documentation
Personal Data
What is personal data?
The most basic definition is any data that can be used to identify an individual person, but this extends to more indirect identification such as a credit card or IP address. For a more in depth description, reference https://www.gdpreu.org/the-regulation/key-concepts/personal-data/.
The most complicated starting place for GDPR compliance is identifying each instance of personal data. This can be incredibly complex. For example, a single contact name and email address may be found in a myriad of places: A Salesforce contact record, Salesforce field history, Salesforce report, MailChimp campaigns, an in-house accounting system, within the outbound emails of 4 employees, with 2 contracts in Salesforce, any number of Salesforce notes and attachments, on a paper job application form, within a spreadsheet created by human resources, etc.
After determining all locations where personal data is stored, consider how these processes can be streamlined in order to eliminate unnecessary data storage locations. For example, convert from paper to electronic job applications and store this data within Salesforce.
Next, be able to prove why the data is in your possession and that proper consent was obtained for the collection of this personal information. If data is being shared with a third party, you must be able to prove that a data removal request is complete. Personal information must also be corrected upon request so, for example, if a contact changes their email address this information must be relayed through your systems and to any third parties. Ease of data access is key in order to comply with Right to Access - providing an electronic copy of a person’s data upon request.
How long should data be retained?
Many marketing organizations prefer to keep personal information indefinitely for analytical purposes, but this practice is very risky. Companies are obligated to erase personal data when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” - GDPR Article 17 Right to erasure. For example, if a person applies for a mortgage but decides to use another lender, the “purpose” would be completed the moment the application is withdrawn. Should this data be kept for analytics? Marketing may say yes but to be in compliance with GDPR, you must be very careful with what data is retained and for how long. A best practice is to remove or obfuscate any personal data.
Processes & Procedures
The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben): http://www.salesforceben.com/gdpr-salesforce-ebook/
Once you know where personal data is stored, systems must be put in place to allow individuals to request a copy of their data. A simple method to find, provide, remove, and obfuscate personal data is key. The GDPR provides a fairly narrow timeline for responding to data requests - 30 days in most cases. Data must also be in a “commonly used and machine-readable format” - GDPR Article 20 “Right to data portability.”
Data removal
Salesforce provides guidance on data deletion; however, locating the exact places where personal data is stored within Salesforce can be a challenge. How can you find every instance of a particular email address within an attachment body? If you are using data integration services, such as email to Salesforce, the challenge of data location increases exponentially.
Reference advice from Salesforce: Delete Personal Data
Removing or deleting data can have its own set of consequences due to the hierarchical structure of Salesforce. A better approach to outright deletion is data obfuscation. Obfuscation can take personal data and transform it so that it still passes validation rules and can be used for reporting, without violating GDPR regulations. An example: A lead requests to be removed from all marketing communication. You may wish to retain the fact that you had 2,000 leads generated from a particular marketing campaign, along with some non-personal items such as city and country. The individual lead, however, must have obfuscated data in the name, email, and phone fields. Instead of deleting the lead entirely, obfuscate.
Capstorm has a solution for finding all occurrences of a personal identifier and obfuscating the results within Salesforce. See “How can Capstorm help?” later in this document.
Considerations with 3rd Party Vendors & Consultants
If your business is sharing data with a 3rd party vendor, GDPR compliance carries a more hefty burden, and you may have liability for a third party’s actions. Consider what personal data is shared, why it is shared, and how it is used by the vendor.
One solution is to keep data in-house as much as possible, and only share data containing obfuscated personal information. Instead of allowing a consultant to view and extract data from Salesforce production, create a test data set for the consultant while transforming sensitive fields. Consider an on-premises Salesforce backup solution (such as Capstorm’s CopyStorm) to ensure that only your team has access to your data. Additional items to consider:
- Is any personal data processing outsourced by the 3rd party? If so, do you know who is accessing the data and are all of the parties located in a country that follows strict data regulations? Consider the difficulty of complying with a data removal/deletion if you do not know who actually has the data...
- Are contracts in place to lower your liability? Be aware that you may not be able to completely eliminate your liability even with a contract requiring that the 3rd party follow GDPR regulations.
- How long will it take to get your data from the 3rd party? You have a limited window of time to prove that you have cleansed personal data. Waiting for a 3rd party to return data can quickly consume the response period.
- Is there a simple way to prove that data has been removed or obfuscated? Do you have a view into the 3rd party’s databases? One major advantage to keeping personal data in-house is the ease of proving data removal.
- What is the notification procedure in case of a data breach? You may have 72 hours or less to announce the breach under GDPR. Historically, revealing a breach is hard to admit because it throws doubt on the 3rd party’s security and credibility. See more below…
Consider Equifax - A data breach was discovered on July 29th. The public was not informed until September 7th. The timeliness of this announcement would likely have impacted Equifax strongly if Equifax was under GDPR regulations. A fine can be up to 20 million euros or 4% of the prior year’s worldwide revenue - Ouch!
Factors Outside of Your Control
Despite your best efforts, factors outside of your control may have an impact on GDPR compliance.
- Consider Microsoft’s case with the US Supreme Court. Depending upon the ruling, Microsoft may have to violate GDPR by providing the US with emails, stored on a server in Ireland http://money.cnn.com/2018/02/25/technology/microsoft-us-supreme-court-data-sharing/index.html
- Complete control over data with 3rd party vendors may not be possible and even the best security systems can be breached.
- Identifying all instances of personal data is extremely difficult and data repositories may be overlooked. (Perhaps a former employee did not surrender a phone or laptop that contained customer phone numbers and email addresses...)
- GDPR legislation has yet to be tested in a court of law. Early lawsuits may have substantial bearing on how the law is applied in reality. It behoves every company to actively monitor the legislation as it matures while ensuring to the best of your ability that GDPR is closely followed.
How can Capstorm help?
Capstorm’s CopyStorm/Search application empowers you to find all occurrences of a piece of personal data within Salesforce. How? CopyStorm first recreates your Salesforce database in a local relational database. CopyStorm/Search analyzes the data, using criteria that you specify. This search goes beyond field data into items that are difficult to search natively within Salesforce such as CaseEmail threads. You can then choose which data to obfuscate within your Salesforce and select a data transformer. Data can also be obfuscated with a value that you choose. A few obfuscation examples:
- A standard method to obfuscate emails: drew@capstorm.com may be replaced by accountmanager@capstorm.com , inserting the individual’s title instead of their name. All instances of “Drew” are replaced by “accountmanager” thus ensuring that your data remains connected.
- Replacing all instances of a name in a standardized format. All instances of “Thomas Smith” may be replaced with “Patient367.”
- A dictionary substitution for Salesforce sandboxes: Transform personal data into data that looks real, but does not reference the original data subject. All instances of “Mary” are replaced by “Michelle”- a randomly chosen name that starts with the same letter.
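The three obfuscation styles listed above, applied to the earlier case of a lead whose campaign and location data are kept, as an added Python example; it is not Capstorm's code and not part of the original article. The key, name dictionary, field names, sample lead and note are constructed assumptions, and the dictionary pick is keyed rather than random so that every occurrence of a value gets the same replacement.

```python
import hashlib
import hmac
import itertools
import re

KEY = b"constructed-demo-key"  # assumption: a secret held only by the data owner
NAMES = ["Mark", "Martin", "Michelle", "Monica", "Tara", "Tom"]  # constructed dictionary

def _digest(value):
    """Keyed hash of the normalized value, so one input always gets one replacement."""
    mac = hmac.new(KEY, value.strip().lower().encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def token(value, prefix):  # standardized style, like 'Thomas Smith' -> 'Patient367'
    return f"{prefix}{_digest(value) % 1_000_000:06d}"

def dictionary_name(name):
    """Dictionary substitution: a different name that starts with the same letter."""
    pool = [n for n in NAMES if n[0] == name[:1].upper() and n.lower() != name.lower()]
    return pool[_digest(name) % len(pool)] if pool else token(name, "Name")

def title_email(email, title):
    """Replace the local part with the person's title and keep the domain."""
    local = re.sub(r"[^a-z0-9]", "", title.lower()) or token(email, "user").lower()
    return f"{local}@{email.rsplit('@', 1)[1]}"

def fake_phone(phone):
    """Swap every digit but keep the punctuation, so format validation still passes."""
    digits = itertools.cycle(str(_digest(phone)))
    return "".join(next(digits) if c.isdigit() else c for c in phone)

def obfuscate_lead(lead):
    """Return the obfuscated lead and an old->new map for scrubbing related text."""
    new = dict(lead)  # non-personal fields (city, campaign) are retained unchanged
    new["FirstName"] = dictionary_name(lead["FirstName"])
    new["LastName"] = token(lead["LastName"], "Lead")
    new["Email"] = title_email(lead["Email"], lead["Title"])
    new["Phone"] = fake_phone(lead["Phone"])
    return new, {lead[f]: new[f] for f in ("FirstName", "LastName", "Email", "Phone")}

def scrub_text(text, mapping):
    """One pass over notes or email bodies; longest values first, whole words only."""
    alts = "|".join(re.escape(k) for k in sorted(mapping, key=len, reverse=True))
    lookup = {k.lower(): v for k, v in mapping.items()}
    return re.sub(rf"(?<!\w)(?:{alts})(?!\w)", lambda m: lookup[m.group().lower()], text, flags=re.I)

LEAD = {"FirstName": "Mary", "LastName": "Jones", "Title": "Account Manager",  # constructed
        "Email": "mary.jones@example.com", "Phone": "+1 (314) 555-0100",
        "City": "St. Louis", "Campaign": "Spring Webinar"}
NOTE = "Call Mary Jones at +1 (314) 555-0100 or mail mary.jones@example.com about Maryland."
```

Anyone holding KEY can recompute the replacement for a known value, so the key needs the same protection as the original data.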
For a personal introduction to CopyStorm/Search, contact info@capstorm.com
Resources
You can read the full transcript of the legislation at https://gdpr-info.eu/. Please note that all information within this paper is to be considered informative and should not be taken as legal advice.
Take the Trailhead Module - European Union
Articles & Websites
GDPR Portal
Information Commissioner’s Office
GDPR Superheroes
Personal Data Definition
The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben)
InfoSecurity: Top Thoughts for GDPR Third-Party Management
Equifax data breach: What you need to know
Supreme Court to hear high-stakes Microsoft case testing email privacy
GDPR Legislation
Intersoft Consulting - GDPR legislation in an organized / searchable format
Salesforce.com Articles
Salesforce’s GDPR Information Page
Salesforce GDPR Key Facts
Salesforce GDPR: Fiction versus Fact
About the Author
Rebecca Gray is part of the Capstorm team, the industry leader in Salesforce backup & restore. She is a certified Salesforce Administrator and a leader of the St. Louis Salesforce user group. Rebecca also authors the Trailhead Baby blog, (trailheadbaby.blogspot.com) a site dedicated to all things Trailhead with tips & tricks for difficult trails. Rebecca can be contacted @RebeccaGray on the Salesforce success community or by emailing rebecca@capstorm.com. Explore Capstorm’s Salesforce backup and recovery solutions at www.capstorm.com.