Are You CCPA-Ready When It Comes to Your Salesforce Backups?

The CCPA (California Consumer Privacy Act) was established with the goal of increasing transparency, access, and control over a consumer’s personal information. The CCPA applies to all for-profit businesses of any size who do business in California. Pay attention to this new law as the consequences of non-compliance include considerable monetary fines. 

If you’re storing personal information in Salesforce, you can rest assured that they are taking necessary measures to allow their customers to comply with CCPA as it relates to the personal data in their production systems. However, unless you take the appropriate steps, these measures do not extend to the backups you maintain outside of Salesforce. 

How are you going to make sure you’re CCPA compliant when it comes to your Salesforce backups and archives? Here are some areas to pay attention to when evaluating if your backup strategy or solution is CCPA compliant.

Under the CCPA, It is crucial for companies to build trust through transparency and alert and inform their consumers about how personal data is being collected or used.  

At a minimum, a business should start distinguishing the personal information that it collects and identifying where that personal information is stored, including within backups, so it can better meet the stringent requests of the CCPA. To do this, a business must inventory the data it already has. This is a process similar to the Data Mapping that is recommended under the GDPR. The exercise forces companies to think about how data flows in, through, and out of their business.

When it comes to data, every company needs to be transparent. It is one thing to identify all of your buckets of data, but you also need to be able to query them based on many different criteria. So, when selecting your Salesforce backup solution, you need to ensure it has powerful, extensive search capabilities.

In order to comply with the CCPA, businesses are now required to respond to all personal data deletion requests from a company’s database, including backups, within a 45-day time period. The deadline can be extended an additional 45 days when reasonably necessary. 

Personal data within Salesforce backups doesn’t have to be deleted within the 90-day period, but it is still covered by CCPA. The law states that "if a business stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is next accessed or used."

Under the CCPA, deletion rights do not apply to personal data that businesses have to retain in order to meet a legal obligation such as SEC 17a-4 and HIPAA compliance.

This means that companies will need to implement an effective way to respond to consumer deletion requests within Salesforce backups and be able to demonstrate to the consumer that their personal data has in fact been completely removed.

The CCPA establishes a right of access, which allows individuals to have full visibility of the data an organization holds about them, even within backups. With the Right to Access, people can obtain details about the data being processed and copies of the data items themselves within a 45-day time period. When responding to a data request, a business must indicate the:

• Categories of personal information collected or sold
• Categories of sources from which the personal information is collected
• Business for collecting or selling personal information
• Categories of third parties with whom the business shares personal information. 

It is important for businesses affected by the CCPA to consider how they are currently responding to data access requests and create a plan to address compliance-related processes, whether via automation, scaling, or simplification. Within Salesforce backups in particular, companies will need to implement an effective way to respond to consumer access requests within backups and be able to export copies of the personal data upon request.

While CCPA doesn’t have specific data retention restrictions, most experts recommend minimizing the amount of data retained to what’s absolutely necessary. Doing so will make responding to CCPA data deletion and data access requests much easier and faster.

When considering how long personal data needs to be kept, whether in their live environments or in Salesforce backups, companies should ask themselves the following questions:

1. Are we under any regulatory requirements, such as SEC (U.S. Securities and Exchange Commission), HIPAA (U.S. Health Insurance Portability and Accountability Act), or ESMA (European Securities and Markets Authority), requiring a specified period of time of personal data retention?
2. Do we have a specific legal or contractual reason for keeping the personal data?
3. Was the personal data collected for specified, explicit, and legitimate purposes?
4. Are we only keeping personal data that is adequate, relevant, and necessary to perform the service?
5. Is the personal data being kept longer than is necessary, for example, longer than the length of the contract?
6. Is the personal data stored securely?

If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the personal data is being retained. To keep this personal data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing it.

Once data retention policies have been reviewed, you’ll need to establish an efficient, repeatable process for archiving or removing personal data that no longer needs to be retained within Salesforce backups.

Data security and availability is key for CCPA compliance. That means all data must be backed up and encrypted, even within Salesforce backups. Your company is responsible for taking measures to ensure personal data isn’t breached or stolen. The minimum fine for this is $2,500 per record.

Personal data must be readily available for responding to deletion and access requests. To ensure personal data will be available in the event of a data loss or corruption, you’ll need an effective Salesforce data recovery plan.

Now that you’ve learned what to look for, has your answer changed? If your current backup strategy or solution allows for all of the following, you’re likely CCPA-ready!

• Search within data and attachment backups.
• Remove and/or export specific data from within backups.
• Automatically implement custom data retention policies.
• Encrypt backups in transit and at rest.
• Rapidly recover lost data at any level of granularity.