Walter Scott Exceeds GDPR Requirements for Salesforce Backups with Own

About Walter Scott

Walter Scott & Partners Limited (Walter Scott) was established in 1983 to manage long-term equity portfolios for institutional investors around the world. The firm is a non-bank subsidiary and 100% owned by The Bank of New York Mellon Corporation. All operations are based in Edinburgh, Scotland. Original research is at the core of the firm’s investment process, which is structured to identify companies capable of sustained high rates of internal wealth generation. This is the firm’s primary value-adding activity and is carried out by its own investment professionals.

Industry
Financial Services
Headquarters
Edinburgh, Scotland
Employees
200
Products
Backup and Recovery
GDPR
Salesforce Weekly Export
Clouds

Salesforce Is Central to Walter Scott’s Business Operations

Walter Scott stores core business data on Salesforce, including client personally identifiable information (PII), client communications, events attended, and internal gifts and event entertainment. This client data is fed into many other Walter Scott applications including their dealing, administration, and document management applications. Client mailings and key client correspondence are also stored in Salesforce. A weekly backup of all Salesforce data and configuration was taken and stored separately as a .CSV file on a corporate server in case of any restore requirements.

Walter Scott Prioritises GDPR Compliance

For any companies still not in compliance with GDPR, the consequences of such non-compliance can be expensive. GDPR fines typically range from 10 to 20 million euros or potentially 2 to 4 percent of an organisation’s total, worldwide revenue, whichever is higher. Violations can be deemed lower level, such as Article 32—security of processing, or upper level, such as Article 7—right to consent, Article 16—the right to rectification, Article 17—right to erasure, and Article 20—right to data portability.

Walter Scott prepared for GDPR by:

  1. Analysing all applications for PII, including Salesforce.

  2. Cataloging Salesforce data inventory.

  3. Adding a Privacy Notice field to Salesforce to indicate that contacts had received the Walter Scott Privacy Notice.

  4. Anonymising contacts who did not give permission or were not contactable.

  5. Planning the process for responding to Data Subject Access Requests.

Walter Scott Found the Weekly Backup Insufficient for GDPR Compliance

After assessing their preparedness, Walter Scott was comfortable that they could efficiently respond to Subject Access Requests (SARs) within their live Salesforce instance. They were not certain they would be able to respond to such requests within their Weekly Export .CSV files without a great deal of manual effort. With this backup method, the SARs response process for backed-up data would be challenging and time-consuming. If Walter Scott received a SAR for erasure or rectification, the process would include searching for each data subject within multiple .CSV files and editing fields for each of those subjects within each individual .CSV file.

Under GDPR, companies may only retain necessary EU Subject data. They must archive or remove anything else. Tracking and removing specific EU Subject data would be extremely manual with the Weekly Export. Walter Scott’s admin team would have to manually archive or delete data so that nothing would be kept past their set retention period.

The Weekly Export did not meet the data resiliency or encryption requirements of GDPR Article 32. In the event of a data loss or corruption, recovery could take days with .CSV files and they would not be able to restore to a specific point in time other than the end of the week. Furthermore, a data loss or corruption would interfere with Walter Scott’s real- time communication system, interrupt reporting, and waste business time and money.

Walter Scott Remains GDPR Compliant with Own

With Own, Walter Scott can easily search within their backup archives to find PII and swiftly respond for Subject Access Requests. Unlike other cloud-to-cloud backup competitors, Own allows Walter Scott to maintain full control over responding to Subject Access Requests with their self-service interface. Additionally, full data retention controls enable their data governance team to align with internal corporate policies. Own aligns with GDPR Article 32, secure data processing of PII, by encrypting data in transit and at rest and ensuring immutable/unchangeable backups.

Walter Scott Accelerated Data Recovery with Own

Own’s simple onboarding process allowed Walter Scott to begin backing up their Salesforce data in minutes. With Own, Walter Scott has been able to enhance their Recovery Point Objective (RPO) from one week, with the Weekly Export, to less than a day, with Own. Walter Scott also sped up their Recovery Time Objective (RTO) from five weeks, with the Weekly Export, to less than one day, with Own.

"With Own, Walter Scott can easily search within their backup archives to find PII and swiftly respond for Subject Access Requests...Own allows Walter Scott to maintain full control over responding to Subject Access Requests with their self- service interface."

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a demo

Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Book a demo
The beauty of Own is that we retain control over the searching, locating, and anonymisation of data where required. It took minutes to implement and is so easy to use. We now have confidence that we can respond to any GDPR or restore queries accurately and quickly with Own in place.
Leigh Etienne
Senior IT Manager at Walter Scott
Financial Services
Backup and Recovery
GDPR
Salesforce Weekly Export