SalesforceSummaries: a series delivering key insights from Salesforce YouTube videos, to save you time as you keep up to date with the latest technological changes within the Salesforce ecosystem.
With the introduction of the EU General Data Protection Regulation (GDPR) as of May 25th 2018, there are a lot of things for both EU and non-EU companies to consider with regards to the storing of customer data. There is a wide range of existing Salesforce functionality that can be leveraged now to be GDPR compliant. There is also a set of new functionality to be released as of the Spring ’18 release that will further help companies to be GDPR compliant.
Presenter: Lien Ceulemans, Ian Glazer
Time: 60 minutes
Key Terms: GDPR compliant, privacy protection
There’s a wealth of information about GDPR already available.
GDPR Website with links to white papers: https://www.salesforce.com/campaign/gdpr/
GDPR Data Processing Addendum: https://www.salesforce.com/assets/pdf/misc/data-processing-addendum.pdf
The agenda is as follows:
At Salesforce, trust is the number 1 value. There have been many changes with regards to different international privacy industry standards and, over the last few years, Salesforce have worked hard to ensure that customers continue to use their services in a compliant manner. More information on Salesforce’s commitment to data protection can be seen on the Salesforce GDPR website.
For example, Salesforce was the first top ten enterprise software company to achieve approval from the European Data Protection authority for processor binding corporate rules. This is another protocol for transferring data internationally in a legally compliant manner. You can see the list of compliance certificates that Salesforce has achieved here.
The law has 2 main goals. The first is that it replaces the patchwork of national laws: it is a single set of rules across the EU. The current privacy law was initiated back in 1995, before the widespread adoption of the internet, so this is an effort to modernize the privacy laws and make them fit with technological development.
The next goal is that GDPR expands the scope of the current privacy law, with a particular focus on increased individual privacy rights. For example, one of the rights is the ‘right to deletion’.
@8.30 — GDPR also increases the scope in terms of who it applies to. It is applicable to EU companies and certain non-EU companies interacting with EU data subjects. For example, if a non-EU company monitors the data of European Union citizens, the company will need to be compliant with GDPR.
GDPR is very comprehensive: it is 99 articles long, to be precise. The key purpose of GDPR is to promote security, accountability and individual rights. Companies must store data securely and be transparent about the data that they store on EU citizens.
Salesforce welcomes GDPR and the enhanced privacy of the individual.
The Data Processing Addendum, as of August 2017, forms part of the Master Subscription Agreement between Salesforce and its customers. As per clause 3.2, with effect from 25th May 2018, the following wording will replace Section 3.1 (‘Data Subject Request’):
*Data Subject Request. With effect from 25 May 2018, the following wording will replace Section 3.1 (“Data Subject Request”) in its entirety: Data Subject Requests. SFDC shall, to the extent legally permitted, promptly notify Customer if SFDC receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, SFDC shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, SFDC shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent SFDC is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from SFDC’s provision of such assistance.*
Ian will talk about the tools that Salesforce customers have now and as of the Spring ’18 release to help them to be compliant with GDPR.
There are a number of tools and features available to Salesforce customers now to help them be compliant with GDPR.
A key topic linked with GDPR is data deletion. Salesforce have a process that deletes data and metadata in expired and unused orgs. This answers the concern ‘how can I ensure that unused data about myself is not used or stored?’.
Another area of conversation, in the context of GDPR, is data portability. The regulation says that service providers need to be able to give the data subject their information: upon request, the data subject’s information must be given to him/her.
There’s a huge array of options that customers have (both declarative and programmatic) to provide data.
On the Contact and Lead objects, there are a number of out-of-the-box options for storing consent data.
Most data in Salesforce can be deleted. However, for security reasons, the User record cannot be deleted. The way to be GDPR compliant is to nullify or anonymize fields like email and username.
Another data subject right, as part of GDPR, is the right to restrict processing. An example may be that a service provider billed the data subject the wrong amount. The data subject could ask the service provider ‘until this disagreement is resolved, I don’t want you to use my information’.
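As an added example (not code from the webinar or from Salesforce), one way to scrub a User record in Apex instead of deleting it; the class name and the placeholder domain are assumptions:

```apex
// Added example, not from the webinar: scrub a User record that cannot be deleted
// so that it no longer identifies the data subject. Assumes the running user may
// edit users; the class name and the placeholder domain are assumptions.
public with sharing class UserAnonymizer {

    // Token derived only from the record Id (not personal data), so the scrubbed
    // Username stays unique without carrying a real name or email address.
    private static String opaqueToken(Id userId) {
        Blob digest = Crypto.generateDigest('SHA-256', Blob.valueOf(String.valueOf(userId)));
        return EncodingUtil.convertToHex(digest).substring(0, 16);
    }

    public static User anonymize(Id userId) {
        User u = [SELECT Id, Username, Email, FirstName, LastName, Alias, CommunityNickname
                  FROM User WHERE Id = :userId LIMIT 1];
        String token = opaqueToken(userId);
        String placeholder = 'anon-' + token + '@example.com'; // constructed placeholder

        u.IsActive = false;                      // revoke login first; the record itself stays
        u.FirstName = null;                      // nullify where the field is optional
        u.LastName = 'Anonymised ' + token;      // LastName is required, so overwrite it
        u.Alias = token.substring(0, 8);         // Alias is limited to 8 characters
        u.CommunityNickname = 'anon_' + token;   // must also be unique in the org
        u.Email = placeholder;
        u.Username = placeholder;                // must stay unique and email-shaped
        update u;
        return u;
    }
}
```

Records the user owns and personal data held on other objects are out of scope here; as the summary notes, most of that data can simply be deleted.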
A conservative approach to this is the following:
The reason for adopting a conservative approach is that ‘processing’ is considered to be very broad. For example, displaying the data in the UI or running it through a batch process could each constitute ‘processing’. So, in order to be 100% sure that the data is not processed, it is best to delete the data and then re-store it.
New features that can be used to support compliance with GDPR, as of the Spring ’18 release, are as follows:
Salesforce has introduced a way to store privacy preferences as a standard object. This standard object is called ‘Individual’.
You can enable this feature.
The Individual object does not count towards data storage.
There are a number of new features soon to be available that target the ‘Right to be Forgotten’ and ‘Restrict Processing’ topics of GDPR:
- @44.00 — The Right to be Forgotten Flow is as follows:
- @45.00 — The Right to be Forgotten Flow is as follows: