General Data Protection Regulation


Common Misconceptions

Using Salesforce ensures that you are GDPR compliant.

  • Unfortunately, that is not necessarily true.  Salesforce has taken many steps to ease the burden of complying with this legislation, such as the standard “Individual” object and a robust data processing addendum.  Under the GDPR, however, Salesforce acts as a processor of the data you store in it, while your company remains the controller, and the controller is the party accountable for compliance.  Salesforce cannot be ultimately responsible for your company’s Salesforce GDPR compliance.

GDPR does not apply to my business.

  • GDPR compliance is the responsibility of every company doing business in the EU, offering goods or services to people in the EU, or monitoring the behavior of people in the EU, wherever that company is located.  Under the GDPR, monitoring can be as simple as setting tracking cookies on a website.  If your website tracks its visitors, the odds are high that some of those visitors are in the EU.

GDPR compliance is easy, I’ll just delete personal data upon request.

  • Salesforce GDPR compliance goes far beyond an individual’s right to be forgotten.  Among other obligations, you will need to be able to demonstrate how the data was obtained, why you need it, how long it will be kept, and where it is stored.  Locating every instance of a person’s data within Salesforce can also be difficult, because the same person can appear in many related objects and in free-text fields.  Imagine finding every record that mentions a single first and last name among a million contact records, emails, attachments, contracts, and so on.

Salesforce GDPR Compliance with CopyStorm/Search

Capstorm takes a two-pronged approach to Salesforce GDPR compliance.

  1. A Capstorm Salesforce backup is on-premises, allowing for immediate data access and a high level of data visibility.  All data stays behind your firewall and is subject to your own security guidelines.  Capstorm personnel cannot access your data, and you can configure database permissions to determine who on your team is able to see which data.  As in Salesforce, you can set up views, or even create separate databases, so that each person sees only the data they need.  Optionally, specific fields can be transformed during backup, so that their values are stored in your database using an encryption method of your choice rather than in clear text.
  2. Locating specific instances of personal data is simple using CopyStorm/Search.  Specify the search criteria, select any or all tables, and view the results.  To obfuscate the data, enter your chosen replacement string in CopyStorm/Search, and the application writes that value into Salesforce in place of the personal data.  Simplifying the identification and obfuscation of personal data in this way drastically reduces the cost of Salesforce GDPR compliance within your organization.

CopyStorm/Search - Salesforce GDPR Compliance and advanced Salesforce search capabilities.

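The search-then-obfuscate workflow of the two steps above, as an added illustration: this is not CopyStorm/Search code and does not show Capstorm’s implementation or schema.  It runs against a constructed SQLite stand-in for an on-premises backup; the tables (Contact, Lead, EmailMessage), their columns and the sample rows are assumptions made for the example.  Where CopyStorm/Search writes the replacement value into Salesforce, this example writes it into the local copy, and it returns the list of cells it touched so the change can be demonstrated afterwards.

```python
"""Search-then-obfuscate across every table of a relational Salesforce backup.

Added example, not CopyStorm/Search code.  The schema and rows below are
constructed for illustration only.
"""
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One cell (table, row Id, column) holding the data subject's data."""
    table: str
    row_id: str
    column: str


def load_sample_backup() -> sqlite3.Connection:
    """In-memory stand-in for the backup database (constructed data).

    Jane Doe appears as split first/last names in Contact, as one string in
    Lead, and inside free text in EmailMessage; Janet Roe must stay untouched.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Contact (Id TEXT PRIMARY KEY, FirstName TEXT, LastName TEXT, Email TEXT);
        CREATE TABLE Lead (Id TEXT PRIMARY KEY, Name TEXT, Company TEXT, LeadSource TEXT);
        CREATE TABLE EmailMessage (Id TEXT PRIMARY KEY, Subject TEXT, TextBody TEXT);
        INSERT INTO Contact VALUES ('003A', 'Jane', 'Doe', 'jane.doe@example.com');
        INSERT INTO Contact VALUES ('003B', 'Janet', 'Roe', 'janet@example.com');
        INSERT INTO Lead VALUES ('00QA', 'Jane Doe', 'Acme', 'Web');
        INSERT INTO EmailMessage VALUES ('02sA', 'Re: quote', 'Hi Jane Doe, attached is the quote.');
        INSERT INTO EmailMessage VALUES ('02sB', 'Renewal', 'Reminder for Janet Roe.');
    """)
    return conn


def user_tables(conn):
    """All user tables, read from the catalogue so newly added objects are never skipped."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")
    return [r[0] for r in rows]


def text_columns(conn, table):
    """TEXT columns of a table; the Salesforce Id is a key and is never rewritten."""
    info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [name for _cid, name, ctype, *_rest in info if ctype.upper() == "TEXT" and name != "Id"]


def _pattern(terms):
    """Whole-word, case-insensitive alternation, longest term first, so that
    'Jane Doe' is consumed as one match and 'Jane' never matches 'Janet'."""
    alts = sorted(set(terms), key=len, reverse=True)
    return re.compile(r"(?<!\w)(?:" + "|".join(map(re.escape, alts)) + r")(?!\w)", re.IGNORECASE)


def _patterns(identifiers):
    # Row level: only the full identifiers decide whether a row is the subject's.
    # Cell level: the single words of a full name as well, so split
    # FirstName/LastName columns are caught once the row as a whole matched.
    words = [w for ident in identifiers for w in ident.split()]
    return _pattern(identifiers), _pattern(identifiers + words)


def find_subject(conn, identifiers):
    """Exhaustively search every TEXT column of every table for the subject.

    A row counts as the subject's only if its text columns, read together,
    contain a full identifier (name or email); that keeps 'Janet Roe' and any
    'John Doe' out of the result set.
    """
    row_pat, cell_pat = _patterns(identifiers)
    hits = []
    for table in user_tables(conn):
        cols = text_columns(conn, table)
        if not cols:
            continue
        select = ", ".join(f'"{c}"' for c in cols)
        for row_id, *values in conn.execute(f'SELECT "Id", {select} FROM "{table}"'):
            if not row_pat.search(" ".join(v for v in values if v is not None)):
                continue
            for col, val in zip(cols, values):
                if val is not None and cell_pat.search(val):
                    hits.append(Hit(table, row_id, col))
    return hits


def pseudonymize(conn, identifiers, replacement):
    """Replace the subject's identifiers in every hit inside one transaction and
    return the hits: the record of what was changed where."""
    _, cell_pat = _patterns(identifiers)
    hits = find_subject(conn, identifiers)
    with conn:  # every cell is rewritten or none is
        for h in hits:
            (old,) = conn.execute(f'SELECT "{h.column}" FROM "{h.table}" WHERE "Id" = ?', (h.row_id,)).fetchone()
            conn.execute(f'UPDATE "{h.table}" SET "{h.column}" = ? WHERE "Id" = ?',
                         (cell_pat.sub(replacement, old), h.row_id))
    return hits


def demo(identifiers=("Jane Doe", "jane.doe@example.com"), replacement="[REDACTED]"):
    """Run the workflow on the sample backup; returns the audit trail, the resulting
    tables, and a verification search that should now find nothing."""
    conn = load_sample_backup()
    hits = pseudonymize(conn, list(identifiers), replacement)
    after = {t: conn.execute(f'SELECT * FROM "{t}" ORDER BY "Id"').fetchall() for t in user_tables(conn)}
    return hits, after, find_subject(conn, list(identifiers))


if __name__ == "__main__":
    hits, after, remaining = demo()
    for h in hits:
        print(f"rewrote {h.table}.{h.column} for Id {h.row_id}")
    print("still present after obfuscation:", remaining)
```

The row-level gate is the important design choice: matching single words such as “Doe” across the whole database would silently rewrite other people’s records, so a cell is only rewritten inside a row that already matched a full identifier.  The returned hit list is the evidence of what was changed and where, and the second search confirms nothing was missed.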
Rights Granted Under GDPR

Right to erasure, also known as the right to be forgotten: obfuscate personal data within Salesforce after an exhaustive search of your backup database.  Set a string value to replace the chosen data, and make sure the same replacement reaches every copy of the data, including the backup.

Right to be informed: provide information about the purpose of data processing by first locating all instances of the data subject within Salesforce.  Finding the source of the data, such as a lead source, is much simpler once you have found every instance where the data resides.

Right of access: provide a copy of an individual’s personal data by first locating all instances of that data within Salesforce and then exporting the results.  All data is in-house, so you are not reliant on a 3rd party to produce it.

Right to rectification: when a person provides changed information, ensure that it is properly updated within Salesforce by finding all instances of the data.  Making a business decision based on incorrect personal data, such as the income amount on a loan application, can expose an organization to substantial financial liability.  If you use a 3rd party Salesforce backup, you are also responsible for ensuring that it holds the corrected data.

Additional Considerations

  • Plan for GDPR.  Identify each instance of personal data within your business.  This will likely extend far beyond Salesforce into in-house systems, email accounts, 3rd party vendors, etc.
  • Anticipate the unexpected.  Early lawsuits and regulator decisions may have substantial bearing on how the law is applied in practice.  Actively monitor how the regulation is interpreted as it matures, while ensuring that your policies meet its current requirements.
  • Minimize risk.  Complete control over data held by 3rd party vendors may not be possible, as you are reliant upon their security measures, their proof of data removal or obfuscation, and their willingness to report a data breach quickly.  For this reason, consider keeping your Salesforce data backed up on-premises, where removal and obfuscation remain under your own control.

Further reading: Salesforce GDPR Compliance whitepaper.