Salesforce GDPR Compliance Guide for Businesses

GDPR is a key data protection regulation document for all companies that want to work with EU businesses and/or citizens. In this article, we provide a Guide for Organisations on Salesforce GDPR Compliance.

What is GDPR?

GDPR stands for The General Data Protection Regulation. It was adopted back in 2016 and came into force in 2018. 

GDPR replaced national laws of the EU member states that governed data privacy and protection. It became increasingly popular worldwide with many other states having it as an exemplar for their own legislation. 

GDPR is applied to all the citizens of the EU member states (27 European countries) and 3 EFTA states (Norway, Lichtenstein, and Iceland). United Kingdom adopted GDPR and retained the law after Brexit with the right to independently review it. There are certain differences between EU GDPR and UK GDPR.

GDPR protects the human rights related to data privacy of all EU citizens, even if they are staying outside the EU at the time of data collection. It is applied to all businesses that collect such data regardless of the place of registration of the business. The violation fines can reach up to 20M euros or 4% of revenue.

In a nutshell, GDPR regulates how businesses from all over the world process the private data of EU citizens, giving the latter more control over their data. 

GDPR essentials

In this section, we will talk about essential terms and principles that you need to know to understand GDPR.

A data subject is the owner of the personal data, an individual.

Personal data is any information about the data subject that can identify them (e.g., name, contact data, sociometric information, and even pseudonymous data).

Data processing under GDPR is any action performed on data, e.g., copying, deleting, recording, storing, etc.

A data controller is a person who makes a decision on data processing. These are owners or data processing employees.

A data processor is a third-party entity that processes personal data for the controller. For example, Salesforce is a data processor.

GDPR imposes privacy by design. This means that data protection should be incorporated into the data processing process of a product at the stage of its development. 

Another important part of GDPR is the role of Data Protection Officers mandatory for the EU businesses that meet the following criteria:

• Process personal and/or sensitive personal data on a large scale
• Systematically monitors the individuals on a large scale on a regular basis.

Key citizen rights protected by GDPR:

1. Right to consent or withdraw consent on data collection, processing, and storing.
2. Right to receive notification in case of data breach.
3. Right to access the collected information about yourself.
4. Right to be forgotten, i.e., demand that your data be deleted.
5. Right to data portability, i.e., citizens can transfer the collected data to other services.

Salesforce GDPR Compliance

Salesforce is a data processor under the GDPR. This CRM is GDPR compliant and it provides a number of security measures to ensure that your business remains GDPR compliant. The following measures are also recommended by Salesforce to the businesses:

1. Encryption.
2. Accountability.
3. Pseudomnymization and Anonymization.

The following steps will also help you with Salesforce GDPR compliance:

1. Prepare and sign Data Processing agreements with Salesforce and any Independent software vendors of the third-party apps you are using.
2. Adhere to the privacy by design when developing your Salesforce Org.
3. Create roles with limited areas of access to data and processing rights (e.g., a Sales rep can access only the data of the prospects and clients they work with).
4. Hire a Data protection officer, even if you aren’t an EU business.
5. Use native and third-party tools to protect personal data inside Salesforce, for example, GDPR-compliant Salesforce backup.

FAQs