GDPR Compliance & Salesforce Privacy by Design and Accountability

RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data—all within Salesforce.

The General Data Protection Regulation (GDPR) is a law on data protection and privacy for European Union citizens that came into effect on May 25, 2018. GDPR impacts a vast number of businesses, regardless of what products they sell, how big they are, or where they’re located. Compliance is mandatory, and the penalties are severe.

Companies that have Salesforce, however, have a bit of a leg up on the rest of the lot. Salesforce has some powerful features that can be applied to comply with different elements of GDPR.

Let’s start by taking a high-level look at GDPR. There are three strong themes that emerge from within GDPR:

• Privacy by Design: Prioritize privacy and security when designing a system.
• Data Protection and Accountability: Take responsibility for the privacy of other people.
• Individual Rights and Control: Consent management, the right to be forgotten, and data portability.

In this post, we’re going to focus on Privacy by Design and Accountability. So, if you’re impacted by GDPR and you have Salesforce, where do you even start?

Simple answer: Salesforce Shield.

Why Shield? Because Salesforce Shield has three components that align very well to GDPR, specifically:

• Platform Encryption: Natively encrypts sensitive data at rest
• Event Monitoring: Detailed data and activity monitoring
• Field Audit Trail: Prevents data loss, provides auditability and ability to recover information that might have been modified incorrectly

Now let’s take a look at some specific GDPR articles and explain how these 3 Shield components can support compliance.

Articles 25 and 32: Basics

Article 25: Data Protection by Design and by Default
When you’re designing or implementing a system or a way to store information, you should be thinking about privacy first, and by default, making the system as secure as possible.

Article 32: Security of Processing
Covers the general protection of data, technical security, data access control, change control, and oversight.

Salesforce Shield vs Article 25 and Article 32:

• Platform Encryption: Encrypts data at rest, which helps by de-identifying personal information. Allowing you to store it but while having it anonymized at the database level.
• Event Monitoring: Allows you to keep an eye on general security measures. If suspicious activity is detected, this will allow you to identify it as early as possible, which will and prevent possible further negative impacts. It also increases visibility and control over how users are interacting with company data.
• Field Audit Trail: Data Retention Policies/Data resilience—understand what has happened to your information and retrieve damaged information.
• Platform Encryption: Encrypts data at rest, which helps by de-identifying personal information. Allowing you to store it but while having it anonymized at the database level.

Articles 33 and 34: Breaches

Article 33: Notification of personal data breach to the supervisory authority
Responsible for telling authorities about a breach.

Article 34: Communication of a personal data breach to the data subject
Responsible for telling impacted individuals about a breach.

Salesforce Shield vs Article 33 and Article 34:

• Platform Encryption: Minimize the impact of a breach by using Platform Encryption to make the data useless. Encrypting personal data makes it unintelligible—so even if it is accessed in certain types of breaches, you may not need to notify individuals.
• Event Monitoring: Understand the severity of a breach through forensic research to know if it should be elevated to the individual or authority. Event Monitoring also allows you to monitor and identify suspicious activity early to contain or eliminate potential threats.

Article 5: Retention

Article 5: Principles relating to processing of personal data
What data can and should be stored, and for how long?

Salesforce Shield vs Article 5:

• Field Audit Trail: Defines detailed history retention policies to control and archive information history at an object level. Supports a key GDPR principle that personal data must be retained for “no longer than is necessary”—so it allows you to keep data long enough to provide evidence of what has occurred, but also knowing when it’s OK to delete.

Article 24: Controller and Processor

Article 24: Responsibility of the controller
If you’re using the data to do business, then you’re a “controller.” If you’re helping a controller do their business, you’re a “processor”. As a controller, it is your responsibility to know what data you have and be able to demonstrate your compliance with written policies.

Salesforce Shield vs Article 24

• Field Audit Trail: Allows you to prove and demonstrate that you have Historical Data Retention Policies both defined and implemented, and helps you know what you have in the system.
• Encryption Statistics: Prove that for a given field, 100% are encrypted at rest, in the data tier, with the most current key.

There’s much more to GDPR than was covered in this post, and it’s certainly here to stay. Our advice? Continue to educate yourself on the regulation and become more aware of how it specifically impacts your business by identifying your risk areas. For companies looking to enhance their Security and GDPR compliance, Salesforce Shield is a powerful solution that addresses some of the core aspects of GDPR: Privacy by Design, Data Protection and Accountability.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.