Are you GDPR-ready when it comes to your Salesforce Backups?


You diligently backup and archive your data in case a data loss or corruption were to occur, like many other Salesforce Admins. Enter the General Data Protection Regulation (GDPR) – an EU law that places stringent regulations on how EU Subject data is processed and how long it is stored.

Salesforce is taking the necessary measures to allow its customers to comply with GDPR as it relates to the data in their production systems. However, these measures do not extend to the backups you maintain outside of Salesforce. How are you going to make sure you are GDPR compliant when it comes to your Salesforce backups and archives?

This post will address 4 elements that you should work into your backup strategy or solution in order to reach GDPR compliance in every corner of your database.

Keep Backed-Up Data Transparent with a Consistent Data Mapping/Inventory Process

Transparency is core to this EU regulation and has been for some time. One crucial aspect is enabling EU Data Subjects to understand and reject how the data is being processed. To keep your data processing transparent, I recommend you start by inventorying the data your company already has. This is a process referred to as Data Mapping under the GDPR. The exercise forces companies to think about how data flows in, through, and out of their business.

This isn’t an easy exercise to conduct. Firstly, there is never one person that knows how all data flows around a business, so it takes a lot of talking to people in other departments and analyzing all of your company’s toolsets to find out what is truly going on. Data could be on your intranet, kept in a local database, in a Windows file, Google apps, or in an Excel spreadsheet on an employee laptop (yikes!).

Once you have a handle on what data is where, you will then need to try and understand what it actually means. This data is flowing from A to B, but why? Do we still need it? Does anyone know? What data is sensitive and what is not? This gets even worse when you move outside of your own domain and consider all of your partners, suppliers, and clients. What data are they storing for you and how are they processing it?

Everyone is going through these pains right now. In my experience, there is one common denominator: every company needs transparency. It is one thing to identify all of your buckets of data, but you need to be able to query them based on many different criteria. So, when you are selecting your toolsets, whether it be a CRM, a database, or a backup solution, you will need to ensure the tools selected have powerful, extensive search capabilities.

Respond to Subject Access Requests (SARs) in a timely manner

Once you map out your Data Lifecycle through a Data Mapping exercise, you can begin to practically work out what your GDPR obligations and requirements are, as well as more efficiently respond to Subject Access Requests (SARs).

In order to respond to SARs in a timely manner, defined by GDPR as 30 days, you need to know:

  1. What personal data of the Data Subject you are processing;
  2. How you are processing that data;
  3. And to whom the data has been disclosed.

Some companies fear that there will be a huge tsunami of requests starting on May 25, when GDPR enforcement goes into effect. How many SARs can your company expect to receive? Nobody knows, so I would not worry about how many for now. Rather, focus on the big challenge: what are you going to do when you get a SAR? They can be incredibly difficult to answer and the effort required can be significant. Going through a Data Mapping exercise will make it much easier to respond to these requests going forward.

Customize Backup Retention to keep data for only as long as required

When companies consider how long personal data needs to be kept, whether in their live environments or in Salesforce backups, they should ask themselves the following leading questions:

  1. Are we under any regulatory requirements, such as SEC (U.S. Securities and Exchange Commission), HIPAA (U.S. Health Insurance Portability and Accountability Act), or ESMA (European Securities and Markets Authority), requiring a specified period of time of data retention?
  2. Do we have a specific legal or contractual reason for keeping the data?
  3. Was the data collected for specified, explicit, and legitimate purposes?
  4. Are we only keeping data that is adequate, relevant, and necessary to perform the service?
  5. Is the data being kept longer than is necessary, for example, longer than the length of the contract?
  6. Is the data processed in a manner that ensures appropriate security?

If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing the data.

Maintain Immutable or Unchanged Backups

Immutable backups are copies that cannot be modified once they are taken. This supports GDPR Article 32, ‘Security of Processing’, which says you must keep data secure through confidentiality, integrity, availability, and resilience – clearly, data backups are therefore essential. One type of backup you can truly trust is a snapshot of your live Salesforce environment, because it will restore intact, preserving the integrity of your live system. This is good, but remember that an immutable copy cannot be edited. Article 17, ‘Right to Erasure’, says all traces of personal data have to be deleted once you no longer require them, which directly clashes with Article 32.

How can your company comply with both of these GDPR Article requirements?

The first step is to remove as many hurdles as possible by keeping the data only as long as absolutely necessary. The Right to Erasure wants personal data erased without undue delay; 30 days, for example, is reasonable. Take this example: you keep your backups for ten days and then delete a user from your live system; ten days later their data will also have aged out of the backups. However, if you keep your backups for longer than that retention period (e.g. 6 months), you will still hold and process that personal data for many months afterwards, potentially against the user’s wishes.

Once you decide how long you absolutely need to retain personal data, you will need to implement a backup strategy that supports customizable backup retention periods.

There are plenty of good reasons why you would want to keep backups for a longer period; in regulated industries, for example, audit trails and point-in-time sets of evidence are required. In these cases, the challenge becomes: what happens if you receive a deletion request and subsequently perform a restore that brings the deleted data back into the system? Here you need to ensure your backup strategy allows scrub on restore. This lets you mark the data inside the backup as due for deletion, so that if that backup set is ever restored, the deletion process kicks in and removes the data before it ever enters your live environment.
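As an added illustration of the two points above (the ten-day retention arithmetic and scrub on restore), not code from this post or from OwnBackup's product: the snapshot is frozen so the backup itself is never edited, while the restore payload is filtered against an erasure list so erased subjects never re-enter the live org. Object names, field names and record IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Snapshot:
    """One immutable backup set: a point-in-time copy of Salesforce records."""
    taken_on: date
    records: tuple  # tuple of dicts; frozen, so the backup itself is never edited


def aged_out_on(deleted_on: date, retention_days: int) -> date:
    """First day on which no retained snapshot can still hold a record deleted on
    `deleted_on` (assumes one snapshot per day, purged after `retention_days` days)."""
    return deleted_on + timedelta(days=retention_days)


def still_held_in_backups(deleted_on: date, retention_days: int, today: date) -> bool:
    """True while at least one retained snapshot may still contain the deleted record."""
    return today < aged_out_on(deleted_on, retention_days)


def scrub_on_restore(snapshot: Snapshot, erasure_ids: set, link_fields=("Id", "ContactId")):
    """Build the restore payload from an immutable snapshot, dropping every record that
    belongs to a subject on the erasure list: the subject's own record (matched on Id)
    and any child record pointing at it (matched on ContactId).
    Returns (records_to_restore, scrub_log); the snapshot is left untouched."""
    to_restore, scrub_log = [], []
    for rec in snapshot.records:
        hit = next((f for f in link_fields if rec.get(f) in erasure_ids), None)
        if hit is None:
            to_restore.append(dict(rec))
        else:
            scrub_log.append({"Object": rec["Object"], "Id": rec["Id"], "matched_on": hit})
    return to_restore, scrub_log


# Constructed sample data: placeholder IDs, not real Salesforce records.
SAMPLE_SNAPSHOT = Snapshot(
    taken_on=date(2018, 5, 20),
    records=(
        {"Object": "Contact", "Id": "003XX0000001", "Email": "a@example.com"},
        {"Object": "Contact", "Id": "003XX0000002", "Email": "b@example.com"},
        {"Object": "Case", "Id": "500XX0000001", "ContactId": "003XX0000001"},
        {"Object": "Case", "Id": "500XX0000002", "ContactId": "003XX0000002"},
    ),
)
ERASURE_LIST = {"003XX0000002"}  # subject who exercised the right to erasure

if __name__ == "__main__":
    kept, log = scrub_on_restore(SAMPLE_SNAPSHOT, ERASURE_LIST)
    print(len(kept), "records restored;", len(log), "scrubbed:", log)
    print("aged out of 10-day backups on", aged_out_on(SAMPLE_SNAPSHOT.taken_on, 10))
```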

So, are you GDPR-ready when it comes to your Salesforce Backups?

If we return to our original question: how can you determine if you are ready for GDPR when it comes to your backups? If your current backup strategy or solution allows for all of the following, I would say you are GDPR-ready when it comes to your backups:

  1. Advanced Search and Find Capabilities for SARs: You need to know where every bit of data is, in your backups, including within attachments.
  2. Customized Retention: You must be able to customize how long your company keeps backups.
  3. Ability to Overwrite Specific Data: Before restoring any archived data, you must be able to mark specific personal data as due for deletion and then scrub on restore.
  4. Ability to Maintain Immutable/Unchanged Backups: Your backup solution must allow you to maintain exact snapshots of your live Salesforce environment.

About OwnBackup

No company operating in the cloud should ever lose data. Protect your Salesforce data from accidental and malicious corruption and loss with OwnBackup. Our automated, daily backups, data compare, restore, and sandbox seeding capabilities provide data protection peace of mind. Built for security and privacy, OwnBackup exceeds the General Data Protection Regulation (GDPR) requirements for backed-up data. This top-rated AppExchange ISV has helped hundreds of organizations survive data crises and meet compliance requirements.

For more information about GDPR and your Salesforce Backups, register for the GDPR Right to be Forgotten – Compliance for your Backups webinar or visit the OwnBackup AppExchange Listing.

2 thoughts on “Are you GDPR-ready when it comes to your Salesforce Backups?”

  1. Good summary on the key points that need attention regarding backups and GDPR. There’s a slight misunderstanding on “regulated industries”. A regulatory requirement to retain data voids the right to be forgotten. This is clearly stated in Article 17-3-b of the GDPR. This runs deeper than it looks. Most jurisdictions have an “electronic transaction act” that mandates “business records” to be maintained for many years. The definition of a “business record” has been debated ever since and we can expect the GDPR to add fuel to that debate.
