General Data Protection Regulation
What is GDPR?
On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) replaces the patchwork of national data protection laws across the European Union for the past 20 years. The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data.
- As companies are increasingly using data intelligence to understand and serve customers better, it's critical that they are accountable to an individual's rights to privacy and security.
- Organizations need to respect their privacy by restricting what personal data they collect and process and by safeguarding that data. Privacy obligations apply to any information, either by itself or used with other pieces of information, that could identify an individual person living in the European Union.
- The GDPR has the potential to impact any business that collects data in or from Europe. Significant fines may be levied on organizations who fail to meet their obligations with respect to handling data under the GDPR.
How does ComplianceQuest Support GDPR?
- We’re making continual adjustments and improvements to ensure we are best positioned to meet our legal obligations and to assist our customers in protecting and having more control over both organizational and personal data. Our customer relationships along with the trust they place in us, are at the very heart of our business and are never taken for granted. We see GDPR as affording us yet another opportunity to continue protecting our customers’ data.
- ComplianceQuest is a 100% native force.com application suite, built and run on the Salesforce platform. As such, ComplianceQuest EQMS suite inherits all attributes of the Salesforce platform. Salesforce gives companies transparency and control of customer data to accelerate compliance with regulations such as the GDPR, while still being able to harness the power of data to connect with customers in new ways.
- Salesforce has closely analyzed GDPR as it relates to the Salesforce infrastructure, platform, and products. Salesforce best-in-class privacy and security standards, along with robust platform capabilities already meet many of the GDPR requirements.
- The Salesforce Platform accelerates GDPR readiness through:
- Right to be Forgotten – ability to delete customer personal data at both an organization and individual level to meet your obligations under the GDPR
- Consent – includes an Individual Object for tracking privacy preferences across multiple roles in your organization which can relate to one or many Contacts, Accounts, and custom object records.
- Accountability / Transparency - offers customers a robust data processing containing strong privacy commitments. It contains data transfer frameworks ensuring that customers can lawfully transfer personal data to Salesforce outside of the European Economic.
- Data Portability - Salesforce Platform helps customers’ requests to export their data. Data can be extracted via both UI-driven as well as API-driven methods, including reports and report/dashboard APIs, data loader, Apex, SOAP and REST APIs, and third-party ETL tools.
- Restriction of Processing - On the Salesforce Platform, records can be identified, exported, and deleted upon receiving a verified request to restrict processing. If the restriction is lifted later, the records can be re-imported.
- Security - Salesforce has security built into every layer of the Platform. The infrastructure layer comes with replication, backup, and disaster recovery planning. Network services have encryption in transit and advanced threat detection. Application services implement identity, authentication, and user permissions. Salesforce also offers san additional layer of trust with Salesforce Shield, including Platform Encryption, Event Monitoring, and Field Audit Trail.
- The Salesforce Spring ’18 release provided updates to help support GDPR including:
- Ability to make data protection details available in records through an Individual Object that stores details about data protection and privacy preferences.
- Associate a Contact to their relevant Individual record.
- Checkbox Fields added for:
- Don’t Market, Don’t Process, Don’t Profile, Don’t Track
- Block Geolocation Tracking
- Export Individual’s Data
- Ok to Store PII Data Elsewhere (PII = Personally Identifiable Information), also known as data transfer.
- Forget this Individual