Interestingly, the GDPR traces its lineage all the way back to 1950, building on the right to privacy established in the European Convention on Human Rights (article 8, clause 1):
“Everyone has the right to respect for his private and family life, his home and his correspondence.”
While this charter is relatively contemporary, the global sentiment for privacy and protection of personal information is exceedingly clear. One can easily cite a plethora of additional regulations designed with the same intent as GDPR, although in different industries or jurisdictions, including:
- HIPAA (Health Information Portability and Accountability Act, 1996)
- CCPA (California Consumer Privacy Act, 2020)
- FCRA (Fair Credit Reporting Act, 1970)
- FERPA (Family Educational Rights and Privacy Act, 1974)
- GLBA (Gramm-Leach-Bliley Act, 1999)
- ECPA (Electronic Communications Privacy Act, 1986)
- VCDPA (Virginia Consumer Data Protection Act, coming 2023)
The verdict is in, and digital privacy is now the minimum standard!
Who Does the GDPR Affect?
The simple answer is “basically everyone”… and we are only half joking! There are scenarios in which the GDPR would not apply, but this blog assumes organizations are either in the EU or doing business B2B/B2C with EU citizens. Let’s review a few scenarios that could impact even the most security-conscious enterprises in the world:
Your marketing team sponsored and attended an event in Spain
During the event, they met 200 new faces, 75% of which expressed interest in continuing a conversation at some point in the future. Your sales team reaches out a week later and receives a friendly “No thank you, please do not contact me again.” However, marketing implements a new digital campaign solution and the “do not contact” flag does not carry over cleanly to the new system.
A month later the “no thank you” lead receives an automated email about a workshop pertaining to a topic that interested them at the conference. Shortly thereafter, a formal complaint comes in demanding a formal Data Subject Access Request (DSAR) be processed.
Your global enterprise contracts outbound sales to other companies
These contracted resources do their best to identify an Ideal Customer Profile (ICP) and reach out in a respectful manner, but a handful of prospects request to opt out of future communications. With contracted employees coming and going, eventually an opt-out request is missed and a lead accidentally gets another phone call or email. Here comes the next DSAR! Even though your organization has “legitimate interest,” the letters from various attorneys start rolling in due to the failure to abide by the opt-out request.
Your organization stores PII (Personally Identifiable Information) data and experiences a data breach
As part of this cybersecurity incident, attorneys are asking your IT teams if appropriate access controls have been established around this PII data.
Unfortunately, some components of the PII data in question have not been encrypted and were exposed during the breach.
Your organization is now liable for fines reaching into the hundreds of millions of dollars due to a failure to classify, encrypt, and restrict access to certain sensitive data elements.
What Should I Do If I Have an Incident?
Honesty is the best policy if you are in a scenario in which a DSAR is submitted. Work closely with the data subject, explain where the data came from, why it was collected, and what you are willing to do to assist with their right to erasure. Because many of the modern data privacy laws are relatively new, some data subjects may be satisfied with a compliant Data Protection Officer’s efforts to remediate the problem. Other times, you may be at the mercy of someone’s personal vendetta. Either way, once the incident happens, you may be wondering: is it too late now to say “sorry?” (yes, we totally slipped a cheesy Justin Bieber reference in here just for you).
Now that the pop culture reference is out of the way, let’s get more specific with some of the EU’s recommendations for how you can remain compliant with the GDPR*:
- Minimize the processing of personal data.
- Pseudonymize personal data as soon as possible.
- Be transparent about the function and processing of personal data (the “What?” and “Why?” questions for what is collected and stored).
- Enable data subjects to access and monitor the data that you process.
- Enable the controller to create and improve security features.
- Treat data protection as a requirement when designing or architecting new systems, processes, and applications.
- Delegate research and development functions to ensure your organization uses state-of-the-art technology to abide by data privacy regulations.
*(portions of the above list quoted directly and/or summarized from recital 78 at GDPR.EU)
Steps to Take in the Event of a Data Breach or Data Subject Access Request
Data breaches are something we always hope to avoid; however, it is important to acknowledge that you cannot guarantee that you’ll never have a data breach of some type. Under Articles 32 and 33 of GDPR, you need to make sure you have processes in place to deal with data breaches and, more importantly, ensure you report them to the right authorities and people within the allowed time.
GDPR states you must respond to a Data Subject Access Request (DSAR) within 30 days, so it’s important to follow these steps to deal with them as swiftly as possible:
Verify the requester’s identity
The first step you should take is to verify the requester’s identity so that you can determine whether you have all the information you need to fulfill the request.
Clarify what the request is
Find out a bit more about the request itself. Is it merely a request for access, or is the data subject invoking other rights regarding the personal data being held?
Is the request valid?
Establish whether the request is valid and if it can be completed within the one-month period. If not and you know you will need more time, you can request an extension.
Inspect the data
Once you start collecting the data, check whether the data needs to be amended and if you need to protect the personal information of any other data subjects.
Choose the format
Once you’ve collected all the data, determine the most appropriate format in which to provide the information.
Provide data to the requester
When all the data has been collected, you will then provide any relevant parts to fulfill their request.
It’s a good idea to ensure you have an established DSAR process in place beforehand so that you can deal with requests quickly.
What About Legitimate Interest in Article 6?
This is an interesting question as “legitimate interest” is very vague and flexible. Generally speaking, it is probably wisest to assume that the privacy rights an individual EU citizen possesses will almost always outweigh your organization’s “legitimate interest” in processing their data (see Article 6, item 6). Is it possible the “legitimate interest” clause could be your saving grace? Maybe … but if luck favors the prepared, it is better to be proactive about developing internal policy and teams to get out in front of these problems than trying to fix them once they happen!
How CapStorm Can Help You Maintain Digital Privacy Standards
CapStorm serves the Salesforce community with self-hosted data management solutions designed to assure, enable, and govern Salesforce data & metadata. Over the past ~12 years, CapStorm has established partnerships with enterprise organizations in 48 countries, assisting highly-regulated industries with ways to ensure their enterprise data strategies are both robust and compliant.
CapStorm’s solutions preserve granular control over data classification while empowering regulatory compliance. If nothing is more secure than keeping your data behind your on-prem or cloud-based firewalls, perhaps you should consider contacting CapStorm today for a consultation. Let us share a few use cases about how Salesforce’s largest customers leverage our platform to abide by cross-jurisdictional regulatory requirements with expert confidence!