The CCPA (California Consumer Privacy Act) was established with the goal of increasing transparency, access, and control over a consumer’s personal information. The CCPA applies to for-profit businesses that do business in California and meet at least one of its thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices per year; or deriving 50 percent or more of annual revenue from selling consumers’ personal information. Pay attention to this law, as the consequences of non-compliance include considerable monetary penalties.
If you’re storing personal information in Salesforce, Salesforce takes the measures needed to let its customers comply with the CCPA as it relates to personal data in its production systems. However, unless you take the appropriate steps, those measures do not extend to the backups you maintain outside of Salesforce.
How are you going to make sure you’re CCPA compliant when it comes to your Salesforce backups and archives? Here are some areas to pay attention to when evaluating if your backup strategy or solution is CCPA compliant.
Under the CCPA, it is crucial for companies to build trust through transparency by alerting and informing consumers about how their personal data is collected and used.
At a minimum, a business should start distinguishing the personal information it collects and identifying where that personal information is stored, including within backups, so it can meet the CCPA’s request deadlines. To do this, a business must inventory the data it already has. This is a process similar to the Data Mapping recommended under the GDPR. The exercise forces companies to think about how data flows in, through, and out of their business.
When it comes to data, every company needs to be transparent. It is one thing to identify all of your buckets of data, but you also need to be able to query them based on many different criteria. So, when selecting your Salesforce backup solution, you need to ensure it has powerful, extensive search capabilities.
In order to comply with the CCPA, businesses are now required to respond to all personal data deletion requests from a company’s database, including backups, within a 45-day time period. The deadline can be extended an additional 45 days when reasonably necessary.
Personal data within Salesforce backups doesn’t have to be deleted within the 90-day period, but it is still covered by the CCPA. The CCPA regulations state that "if a business stores any personal information on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is next accessed or used." In practice this means a pending deletion request has to be tracked and applied the moment a backup is restored, searched, or otherwise used.
Under the CCPA, deletion rights do not apply to personal data that businesses have to retain in order to meet a legal obligation, such as SEC Rule 17a-4 or HIPAA retention requirements.
This means that companies will need to implement an effective way to respond to consumer deletion requests within Salesforce backups, track which requests still need to be applied to backups that have not yet been accessed, and be able to demonstrate to the consumer that their personal data has in fact been completely removed.
The CCPA establishes a right of access, which allows individuals to see the personal information an organization holds about them, including what sits in backups. With the Right to Access, people can obtain details about the data being processed and copies of the data items themselves within a 45-day time period. When responding to a data request, a business must indicate the:
It is important for businesses affected by the CCPA to consider how they are currently responding to data access requests and create a plan to address compliance-related processes, whether via automation, scaling, or simplification. Within Salesforce backups in particular, companies will need to implement an effective way to respond to consumer access requests within backups and be able to export copies of the personal data upon request.
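Both the deletion and the access workflows above reduce to the same operation on a backup: find every record that belongs to one consumer across every exported object, hand over a copy (access), blank it out (deletion), and prove afterwards that nothing is left. The script below is an added example, not code from the original page or from any backup vendor. It assumes the backup is a set of per-object CSV exports in the layout a Salesforce weekly data export produces, and it assumes the column names and the mapping of which columns hold personal information (`PI_FIELDS`); all Ids, names, emails, and phone numbers are constructed. It also shows two details the text only implies: identifiers must be normalized before matching (mixed-case emails, differently formatted phone numbers), and records under a legal hold are reported rather than deleted.

```python
import csv
import io
import json
import re

# Constructed sample backup: two object exports, as a Salesforce weekly
# data export would produce them. All values are made up for this example.
BACKUP = {
    "Contact.csv": (
        "Id,FirstName,LastName,Email,Phone,AccountId\n"
        "003000000000001,Ana,Ruiz,ana.ruiz@example.com,(415) 555-0100,001000000000001\n"
        "003000000000002,Bo,Chen,bo.chen@example.com,415-555-0199,001000000000002\n"
        "003000000000003,Ana,Ruiz,ANA.RUIZ@example.com,+1 415 555 0100,001000000000003\n"
    ),
    "Lead.csv": (
        "Id,Name,Email,Phone,Status\n"
        "00Q000000000001,Ana Ruiz,ana.ruiz@example.com,,Open\n"
        "00Q000000000002,Dee Okafor,dee.okafor@example.com,415-555-0142,Working\n"
    ),
}

# Assumed inventory of which columns hold personal information per export.
# In practice this comes from the data-mapping exercise described above.
PI_FIELDS = {
    "Contact.csv": ["FirstName", "LastName", "Email", "Phone"],
    "Lead.csv": ["Name", "Email", "Phone"],
}


def normalize_email(value):
    return (value or "").strip().lower()


def normalize_phone(value):
    """Digits only, compared on the last 10, so '(415) 555-0100',
    '+1 415 555 0100' and '4155550100' all count as the same number."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else (digits or None)


def read_csv(text):
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    return reader.fieldnames, rows


def find_records(backup, email=None, phone=None):
    """Every row in every export that matches the consumer's identifiers,
    with the identifier that matched so a reviewer can sanity-check hits."""
    want_email = normalize_email(email) if email else None
    want_phone = normalize_phone(phone) if phone else None
    hits = []
    for name, text in backup.items():
        _, rows = read_csv(text)
        for row in rows:
            matched = []
            if want_email and normalize_email(row.get("Email")) == want_email:
                matched.append("Email")
            if want_phone and normalize_phone(row.get("Phone")) == want_phone:
                matched.append("Phone")
            if matched:
                hits.append({"file": name, "Id": row["Id"],
                             "matched_on": matched, "record": row})
    return hits


def access_export(hits):
    """Right to access: a copy of each matching record, grouped by object."""
    out = {}
    for hit in hits:
        out.setdefault(hit["file"], []).append(hit["record"])
    return json.dumps(out, indent=2, sort_keys=True)


def redact_backup(backup, hits, legal_hold_ids=frozenset()):
    """Right to delete, applied to the backup copy: blank the PI columns of
    matching rows but keep each row and its Id so references between
    objects (Contact -> Account, for instance) still resolve on restore.
    Rows under a legal hold are left intact and listed in the report."""
    to_redact = {(h["file"], h["Id"]) for h in hits if h["Id"] not in legal_hold_ids}
    held = sorted(h["Id"] for h in hits if h["Id"] in legal_hold_ids)
    result = {}
    for name, text in backup.items():
        fields, rows = read_csv(text)
        for row in rows:
            if (name, row["Id"]) in to_redact:
                for col in PI_FIELDS.get(name, []):
                    row[col] = "[DELETED]"
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        result[name] = buf.getvalue()
    report = {"redacted": sorted(i for _, i in to_redact),
              "retained_under_legal_hold": held}
    return result, report


def verify_removed(backup, email=None, phone=None):
    """Evidence for the consumer: rerun the same search on the redacted
    backup and confirm that nothing matches any more."""
    return find_records(backup, email, phone) == []


if __name__ == "__main__":
    hits = find_records(BACKUP, email="ana.ruiz@example.com", phone="4155550100")
    print(access_export(hits))
    cleaned, report = redact_backup(BACKUP, hits)
    print(json.dumps(report))
    print("removed:", verify_removed(cleaned, "ana.ruiz@example.com", "4155550100"))
```

Note that the search deliberately matches on each identifier independently and reports which one hit: a shared phone number or a reused email can pull in another person's record, so the hit list is something a reviewer confirms before the redaction step runs. Run against a retained backup under legal hold, `verify_removed` correctly returns `False`, and the report is what you hand to the consumer to explain why.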
While the CCPA doesn’t set specific data retention limits, the standard recommendation is data minimization: retain only the personal data that is absolutely necessary. Doing so makes responding to CCPA deletion and access requests much easier and faster, because there is less data to search and fewer copies to correct.
When considering how long personal data needs to be kept, whether in their live environments or in Salesforce backups, companies should ask themselves the following questions:
If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the personal data is being retained. To keep this personal data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing it.
Once data retention policies have been reviewed, you’ll need to establish an efficient, repeatable process for archiving or removing personal data that no longer needs to be retained within Salesforce backups.
Data security and availability are key for CCPA compliance. Personal data in Salesforce backups needs the same protection as production data: backup copies should be encrypted and access to them restricted. Your company is responsible for taking reasonable security measures to ensure personal data isn’t breached or stolen. If nonencrypted and nonredacted personal information is breached because a business failed to implement reasonable security, the CCPA gives consumers a private right of action with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater); separately, the Attorney General can seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation.
Personal data must be readily available for responding to deletion and access requests. To ensure personal data will be available in the event of a data loss or corruption, you’ll need an effective Salesforce data recovery plan.
Now that you’ve learned what to look for, has your answer changed? If your current backup strategy or solution allows for all of the following, you’re likely CCPA-ready!