GDPR and the EU Privacy Law with Salesforce


Data Protection Act 1998

You may have heard of, or be familiar with, the Data Protection Act (DPA), a UK law designed to protect stored personal data, which was initially signed by Parliament in 1998.

The Act controls how your personal information is used by anyone who processes it, i.e. organisations, businesses, government bodies, etc. The Act is enforced by the Information Commissioner’s Office (ICO), an independent authority set up to uphold information rights in the public interest.

The Data Protection Act is based on 8 principles which need to be complied with by anyone responsible for processing personal data. Information should be:

Used fairly and lawfully

Used for limited, specifically stated purposes

Used in a way that is adequate, relevant and not excessive


Kept for no longer than is absolutely necessary

Handled in accordance with people’s data protection rights

Kept safe and secure

Not transferred outside the European Economic Area without adequate protection

As anyone working on Salesforce accesses and manages data to some degree or another, the Data Protection Act is extremely important.

Over recent years, the importance of protecting personal data has dramatically increased. Countries within the EU currently have very similar but separate data protection laws; so that these countries can all follow the same law, the European Union is bringing in the General Data Protection Regulation (GDPR) from 25 May 2018.

GDPR 2018

If your business collects, stores, or uses personal information about European residents, the GDPR will definitely impact your business processes.

Its main concepts are much the same as those in the current Data Protection Act, so if you are currently complying, that is a great starting point. However, do note that there are some things which are new and different.

One of the major changes is that you will need unambiguous consent to process someone’s personal data, and it must only be processed for its agreed original purpose. Other changes include: reporting all significant data breaches to your data protection authority, appointing a Data Protection Officer, complying with restrictions on automated profiling, shorter timescales for delivering subject access requests (individuals may ask for copies of the information which is held about them), and major increases in the penalties that data protection authorities can impose on companies who violate privacy laws.

The General Data Protection Regulation has 7 key principles. Personal data should be:

Used lawfully, fairly and transparently

Used for limited, specifically stated purposes

Used in a minimized way, not excessive


Deleted if no longer necessary for its purpose

Kept safe and secure

Used only by Data Controllers who can demonstrate compliance with the GDPR

The ICO has a great resource: 12 steps to take now – Preparing for the General Data Protection Regulation.

Salesforce’s entire business is built on trust and security, with over 150,000 businesses trusting Salesforce to safeguard their data in the cloud. They are proactively carrying out their due diligence, and via Trailhead they have recently released a module on this, so you can learn more and earn a badge!

2 thoughts on “GDPR and the EU Privacy Law with Salesforce”

Hi Vincent, yes this is a topic that will impact CRM/Marketing Automation administration, and one that’s starting to cause a stir. I have some pointers to share, so keep an eye out for the post in the next little while!
