In a mature Salesforce Org with hundreds of thousands of records, it might be difficult to know where to start on GDPR compliance. In this post, we’ll cover the steps you need to take to get your Salesforce Org GDPR compliant.
Why is GDPR compliance important?
The General Data Protection Regulation (GDPR) puts individual rights at the center of data protection — and enforces heavy regulatory fines for organizations that do not safeguard these rights.
GDPR requires organizations to understand what types of data they collect, and how that data is being used, and stored. Often, this means rewriting processes and rethinking how personal data is handled; as you can imagine, this is no easy task, especially in customizable systems like Salesforce.
To get you started on your journey, we’ve compiled a list of best practices and steps you can take today to get your Salesforce Org GDPR compliant from the ground up.
Your GDPR compliance checklist for Salesforce
1. Get familiar with the terms and conditions of GDPR
As you can imagine, understanding the GDPR framework and its implications is fundamental for compliance. The first step will be determining whether your organization is subject to GDPR (to put simply, if you sell your products/services to EU residents or have their information in your database, then you are). Then, you’ll need to assess the different rights outlined in the framework to see how they apply to you — and how you can ensure you’re complying with them.
2. Designate a leader or committee to own the project
Once you’ve got a handle on what GDPR means for your organization, you will need to designate a leader or committee to oversee the project. The project owner will be an important advocate to management, and will be crucial to securing buy-in or approval, aligning departments, and raising awareness more broadly as to why GDPR compliance is important.
3. Assess your current processes
After you’ve gotten buy-in and created a team of leaders to own your compliance project, you’ll need to review existing processes to identify pain points. Your goal here should be to ensure you can comply with data subject requests (ie, if an individual requests to have their data deleted). To do this, you’ll need to identify where you store personal data, create a data inventory and complete a privacy impact assessment on high-risk processes.
4. Establish controls
Once you’ve reviewed your current protocols, you should have an idea where new processes and additional controls are required. Some common measures might include creating data subject consent preferences, ensuring privacy disclosures are sent/present when data is collected, creating contracts with vendors that receive personal data, or establishing a process for reporting security breaches, disposing of data, and classifying your data (learn more about data classification here).
Below, we cover some of the technical considerations of building new controls and processes for GDPR compliance in Salesforce.
5. Document all of your activities
Documentation is another critical step in any compliance project. Given that GDPR is a regulated framework, there will be auditors assessing your system to ensure compliance — and the easiest way to prove that you are adhering to GDPR’s policies is by documenting all of your compliance activities. Keep copies of your data inventory and processing activities, as well as all written policies, training materials and contracts.
Technical Considerations
While the steps above are a good baseline for creating a GDPR compliance framework, there are some specific questions and considerations that we didn’t detail. Take a look below to ensure you’re addressing the right things in your compliance strategy.
Data Collection:
- Where is the data you’re collecting coming from?
- What information are you collecting?
- What reason are you collecting this information?
- Do you have consent to collect it?
- Does this data include Personally Identifiable Information (PII)?
Data Processing:
- How do you process this information?
- Who is processing this information?
- Are you keeping a record of your processing activities?
- How often are you processing this information?
Access and Deletion Rights:
- How accessible is the information I’ve collected?
- How will I export personal information for an individual?
- How will I ensure I’ve deleted all PII of an individual present in my system?
- Have I sent collected data to a third party? If so, how will I retrieve and have it deleted?
Implementing a comprehensive compliance strategy can be a daunting task — but if you follow the steps above, you’ll be well on your way to getting your Salesforce Org, or any business-critical application you run, GDPR-compliant. Head to Salesforce.com to learn more specifics about GDPR compliance in your Org.
