CUSTOMER STORY

Walter Scott Exceeds GDPR Requirements for Salesforce Backups with OwnBackup

Walter Scott Overview

Walter Scott & Partners Limited (Walter Scott) was established in 1983 to manage long-term equity portfolios for institutional investors around the world. The firm is a non-bank subsidiary and 100% owned by The Bank of New York Mellon Corporation. All operations are based in Edinburgh, Scotland. Original research is at the core of the firm’s investment process, which is structured to identify companies capable of sustained high rates of internal wealth generation. This is the firm’s primary value-adding activity and is carried out by its own investment professionals.

Industry

Financial Services

Location

Edinburgh, Scotland

Founded

1983

Salesforce Users

150

Salesforce Is Central to Walter Scott’s Business Operations

Walter Scott stores core business data on Salesforce, including client personally identifiable information (PII), client communications, events attended, and internal gifts and event entertainment. This client data is fed into many other Walter Scott applications including their dealing, administration, and document management applications. Client mailings and key client correspondence are also stored in Salesforce. A weekly backup of all Salesforce data and configuration was taken and stored separately as a .CSV file on a corporate server in case of any restore requirements.

"The beauty of OwnBackup is that we retain control over the searching, locating, and anonymisation of data where required. It took minutes to implement and is so easy to use. We now have confidence that we can respond to any GDPR or restore queries accurately and quickly with OwnBackup in place."


Leigh Etienne
Senior IT Manager
Walter Scott

Walter Scott Prioritises GDPR Compliance

For any companies still not in compliance with GDPR, the consequences of such non-compliance can be expensive. GDPR fines typically range from 10 to 20 million euros or potentially 2 to 4 percent of an organisation’s total, worldwide revenue, whichever is higher. Violations can be deemed lower level, such as Article 32—security of processing, or upper level, such as Article 7—right to consent, Article 16—the right to rectification, Article 17—right to erasure, and Article 20—right to data portability.

Walter Scott prepared for GDPR by:

  1. Analysing all applications for PII, including Salesforce.
  2. Cataloging Salesforce data inventory.
  3. Adding a Privacy Notice field to Salesforce to indicate that contacts had received the Walter Scott Privacy Notice.
  4. Anonymising contacts who did not give permission or were not contactable.
  5. Planning the process for responding to Data Subject Access Requests.

Walter Scott Found the Weekly Backup Insufficient for GDPR Compliance

After assessing their preparedness, Walter Scott was comfortable that they could efficiently respond to Subject Access Requests (SARs) within their live Salesforce instance. They were not certain they would be able to respond to such requests within their Weekly Export .CSV files without a great deal of manual effort. With this backup method, the SARs response process for backed-up data would be challenging and time-consuming. If Walter Scott received a SAR for erasure or rectification, the process would include searching for each data subject within multiple .CSV files and editing fields for each of those subjects within each individual .CSV file.

Under GDPR, companies may only retain necessary EU Subject data. They must archive or remove anything else. Tracking and removing specific EU Subject data would be extremely manual with the Weekly Export. Walter Scott’s admin team would have to manually archive or delete data so that nothing would be kept past their set retention period.

The Weekly Export did not meet the data resiliency or encryption requirements of GDPR Article 32. In the event of a data loss or corruption, recovery could take days with .CSV files and they would not be able to restore to a specific point in time other than the end of the week. Furthermore, a data loss or corruption would interfere with Walter Scott’s real-time communication system, interrupt reporting, and waste business time and money.


Walter Scott Remains GDPR Compliant with OwnBackup

With OwnBackup, Walter Scott can easily search within their backup archives to find PII and swiftly respond to Subject Access Requests. Unlike other cloud-to-cloud backup competitors, OwnBackup allows Walter Scott to maintain full control over responding to Subject Access Requests with their self-service interface. Additionally, full data retention controls enable their data governance team to align with internal corporate policies. OwnBackup aligns with GDPR Article 32, secure data processing of PII, by encrypting data in transit and at rest and ensuring immutable/unchangeable backups.

Walter Scott Accelerated Data Recovery with OwnBackup

OwnBackup’s simple onboarding process allowed Walter Scott to begin backing up their Salesforce data in minutes. With OwnBackup, Walter Scott has been able to enhance their Recovery Point Objective (RPO) from one week, with the Weekly Export, to less than a day, with OwnBackup. Walter Scott also sped up their Recovery Time Objective (RTO) from five weeks, with the Weekly Export, to less than one day, with OwnBackup.
