Tip #1- Become Informed
What is GDPR?
On May 25th, 2018, the new European Union (EU) General Data Protection Regulation (GDPR) went into effect. The Regulation specifies a comprehensive set of rules on personal data breaches.
Data protection authorities will be able to impose fines on businesses of up to €20 million or 4% of a company’s worldwide turnover.
How are USA-Based Businesses Affected?
The regulation applies to companies based outside the EU if they offer goods and services to, and maintain personal data about, individuals in the EU. If you allow EU residents to register their personal information online with your business, and you maintain these contact records, you are affected.
Tip #2- Your Data Compliance Strategy
Create a Data Protection Policy Document
A Data Protection Policy should include an explanation about the personal data you collect and the specific reasons why. You should also have written policies about informing individuals about the personal data you possess about them, and outline procedures to give them access to their data.
If your core business involves processing personal data, a Data Protection Officer (DPO) should be designated. This could be an existing employee tasked with this function in addition to his/her other role, or it could be an outside consultant.
Conduct a Data Protection Impact Assessment
Most businesses will not need to appoint a DPO; however, a Data Protection Impact Assessment should be undertaken that outlines the purpose of your business’ data processing, the types of personal data collected, the categories of data subjects and the storage periods.
In addition, you should outline the technical and organizational security measures that protect the personal data, and state whether personal data is transferred to recipients outside the EU. Ensure that key departments are aware that the law is changing and anticipate the impact of GDPR.
Tip #3- Modify Registration & Landing Pages
The ‘I Agree’ Registration Problem
Many registration pages and dialog boxes only let a user submit their information if they ‘agree’. GDPR also specifies that a user who does not consent cannot be denied the ability to register. Consequently, adding a checkbox that states ‘I do not Consent’ and recording that choice on the contact record is critical.
Silence is Not Consent
Privacy policies must be written in clear, straightforward language that specifies that a user will need to give an affirmative consent before his/her data can be used by a business. Under GDPR requirements, you must also address an individual’s rights with respect to data collection and use.
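The consent handling described above, as an added example that is not part of the original article and not Salesforce’s own data model: a small Python model of a contact record with an append-only consent log, where registration always succeeds regardless of the choice made, and only an explicit ‘I Agree’ for a given purpose permits processing (the field names, purpose labels and form sources are assumptions).

```python
# Added example: consent ledger for a registration form (names are assumptions).
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional

class Decision(Enum):
    GIVEN = "given"          # user ticked 'I Agree'
    REFUSED = "refused"      # user ticked 'I do not Consent'
    NOT_ANSWERED = "silent"  # neither box ticked: silence is not consent

@dataclass
class ConsentEvent:
    purpose: str             # one clearly defined business purpose
    decision: Decision
    recorded_at: datetime    # UTC timestamp, so the decision can be evidenced
    source: str              # which form or page captured the decision

@dataclass
class Contact:
    email: str
    consent_log: List[ConsentEvent] = field(default_factory=list)  # append-only

def decision_from_form(agree: bool, refuse: bool) -> Decision:
    """Map the two checkboxes to a decision; empty or contradictory input is not consent."""
    if agree and not refuse:
        return Decision.GIVEN
    if refuse and not agree:
        return Decision.REFUSED
    return Decision.NOT_ANSWERED

def register(email: str, purpose: str, agree: bool, refuse: bool,
             now: Optional[datetime] = None) -> Contact:
    """Registration always succeeds; only the recorded decision differs."""
    contact = Contact(email)
    contact.consent_log.append(ConsentEvent(
        purpose, decision_from_form(agree, refuse),
        now or datetime.now(timezone.utc), "registration-form"))
    return contact

def withdraw(contact: Contact, purpose: str, now: Optional[datetime] = None) -> None:
    """A withdrawal is appended, not overwritten, so the history is kept."""
    contact.consent_log.append(ConsentEvent(
        purpose, Decision.REFUSED, now or datetime.now(timezone.utc), "preferences-page"))

def may_process(contact: Contact, purpose: str) -> bool:
    """True only when the most recent decision for this purpose is GIVEN."""
    events = [e for e in contact.consent_log if e.purpose == purpose]
    return bool(events) and events[-1].decision is Decision.GIVEN
```

Because the log is append-only, the record itself shows when and where each decision was captured, which is what an access request or an audit will ask for.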
Tip #4- Handle Data with Care
Collect Only What You Need
Collect personal data with a clearly defined business purpose, and don’t use it for something else.
Implement Daily Data Backup
There are many third-party solutions available for backing up your Salesforce instance. Backups are inexpensive and can provide the ability to restore the system or records as of a certain date.
Backups should retain copies of record data as well as system metadata. Article 32 of the GDPR sets out specific technical and organizational security measures, including encryption, snapshots and methods for copying and restoring personal data, including a documented back-up strategy. A daily automated backup of your Salesforce system will help you comply with the specifics of the regulation.
Tip #5- Be Aware
Review Roles, Profiles and User Access
Your Salesforce system offers many methods of segmenting and partitioning data to ensure only certain users have access to certain records. Many companies leave their Salesforce system unpartitioned, providing internal users with full access to all contact records regardless of their position in the company.
Your Data Protection Impact Assessment should include a review of your Salesforce users and which records and specific data fields on those records each user has access to.
Implement Data Partitions
Salesforce settings allow you to block certain users from seeing specific records, or parts of those records. In addition, you can block the ability to export data and specify where users can and cannot log in from (such as only from within the company offices). Password policies can be updated to mandate more frequent password changes.
The views and opinions expressed in this article are those of the authors. Examples cited in this article are only examples. They should not be utilized in real-world situations as they are based only on limited and dated open source information. Salesforce® is a trademark of salesforce.com, inc.
© 2018 Snowforce, LLC. All Rights Reserved – June 2018