We Almost Violated GDPR within Our Salesforce Backups

The “Reimagining a Data Disaster with OwnBackup” series tells anonymized stories of real life OwnBackup customers. Tune in next week for the next post in the series, “Reimagining a Data Disaster Scenario with OwnBackup: I Almost Made 20,000 New Leads Disappear from Salesforce.”

Have you ever experienced that panic-stricken moment when you receive a GDPR Subject Access Request and stare into the screen in front of you contemplating how the heck you are going to search for every instance of one person’s personal data across all company-wide backups? This is the anonymous story of a IT Director whose company was at risk of violating the GDPR.

I am a IT Director for a small, International B2B technology company. I received a GDPR Subject Access Request from a customer who resided in Belgium and had just gotten married. She asked for her name to be changed across our company’s systems.

The GDPR provides new rights for EU individuals and strengthens existing ones. It is designed as a central regulation to give EU individuals increased control over how their personal data is collected, processed, and stored in a globally connected digital world. GDPR has been around since 2016 and enforcement began on May 25th, 2018. Infringements under the GDPR carry administrative fines up to €20 million or 4% of total yearly worldwide turnover. Furthermore, there could also be individual lawsuits, class-action lawsuits, and personal liability claims against your organization.

Earlier that month I received an email from my boss in regards to the newly enforceable GDPR. Since we were such a small company, my boss felt the GDPR probably would not impact us, so we held off on preparing.

Contemplating my client’s request, I wondered how I would find my client’s personal information throughout all my company’s Salesforce backups? I was boggled...Now I wish my company had taken the GDPR more seriously.

I swiftly began sifting through the various places I could remember that we stored our customer data. This included my Weekly Export .CSV file backups saved on my hard drive. I rigorously tried to locate all of the records that mention my client’s name. No luck. I was running out of time to respond to my client in a timely fashion, defined by the GDPR as 30 days.

A task that should have been done quickly and efficiently ended up taking me over a month to complete. Because I could not find all of our customer’s data within 30 days, my company was in violation of GDPR. We were unprepared and now we could end up incurring hefty fines if we didn’t change our view on preparing for the GDPR soon.

Now, what if I told you there was a way to easily locate that client’s information across all Salesforce backups and attachments within the standard 30-day deadline? There is actually a devoted team on a mission to support companies with regulatory compliance for Salesforce backups.

Let’s replay the above story again and I’ll show you what I mean...

I am a IT Director for a small, International B2B technology company. I received a GDPR Subject Access Request from a customer who resided in Belgium and had just gotten married. She asked for her name to be changed across our company’s systems.

Earlier that month I received an email from my boss in regards to the newly enforced GDPR laws. Since I am the sole manager of our small company's information systems, he requested that I begin doing research on the regulation and how we could ensure that our systems were GDPR-ready. The GDPR is an important set of rights and protections for EU Individuals, as well as an opportunity for organizations to deepen their commitment to data privacy and the protection of all personal data.

While doing a bit of investigating, I stumbled upon OwnBackup’s GDPR eBook, which explained the importance of being aware of and preparing your company for GDPR. I found out that in cases where EU Data Subject’s data was not immediately deleted or rectified from backups and archives, due to compliance, regulatory, legal or other justifiable reasons, companies must remain transparent. This means that after taking action on an EU Subject’s request, you should inform them of their options, the facts around their Data Subject Requests as well as the action taken and results.

My company was responsible for maintaining an inventory of personal data, for responding to requests for data across all backups, and for making personal data accessible to clients. OwnBackup enables you to quickly and easily find Data Subject’s information within your Salesforce backups, so I called OwnBackup and decided to purchase their complete data protection solution.

After receiving that GDPR Subject Access Request from our customer residing in Belgium, I logged into OwnBackup and submitted a Subject Rectification Request. On the OwnBackup platform, I first went to the Subject Access Request section and then clicked “Rectify Record”. A short form popped up where I filled out my client’s details and the specific changes that needed to be adjusted, then pressed submit. In a few days, my client’s name was modified to her married name all from a single submission.

My client was impressed by the accelerated and accurate alteration of her information. Because of OwnBackup, I can confidently respond to Subject Access Requests within our company’s Salesforce backups.

This story focuses on just one of the multiple Data Subject Rights that are necessary to comply with for the GDPR. What happens when more and more EU Data Subjects begin to exercise their rights under GDPR? OwnBackup has developed a scalable solution to respond to these requests within your Salesforce backups well within the standard 30-day window.

Tune in next week to read another real life data disaster story, entitled “Reimagining a Data Disaster Scenario with OwnBackup: I Almost Made 20,000 New Leads Disappear from Salesforce” and how OwnBackup came to the rescue!