There has been a lot of attention surrounding GDPR. But what is it? Why does it matter? How will GDPR affect your Salesforce? What responsibilities do you have as a Salesforce Administrator? And what can you do to prepare? So many questions! In this article we take a quick look at these questions and at some additional resources available to you when preparing for this change.
What is GDPR?
First up, let’s take a look into what exactly GDPR is.
General Data Protection Regulation, otherwise known as GDPR, is the new privacy regulation coming into force in 2018. It will replace the EU’s previous Data Protection Directive, and align privacy laws and regulations across all EU member states.
It is primarily aimed at giving individuals more control over how their data can be collected, used, and stored, while also extending the rights of individuals to have their data removed/deleted.
One key point to note: even though this is obviously applicable to all EU countries, it may also apply to any business which deals with the personal data of an individual within these countries. So if you are in the USA, India or even Fiji – but dealing with personal data from an individual living within the EU – GDPR will still apply.
When will GDPR take effect?
The legislation will take effect from the 25th May 2018.
What is ‘personal data’?
Another thing to consider is how GDPR will redefine what is considered to be ‘personal data’. Overall the definition has been clarified, and it will include the ways modern technology allows an individual to be identified.
Personal data relates to any information which can identify an individual. This could be either directly (for example a person’s name) or indirectly (a unique online identifier/ID or geolocation data). The purpose of GDPR here is to clarify and provide stronger governance over what is personal data, especially when compared to the preceding legislation.
What can you do to prepare?
At this stage it is worth pointing out that this is something that potentially needs company-wide buy-in and support, especially from your organisation’s leadership team.
The first step is to be aware of the changes; we have taken some of the first steps here.
Salesforce is trying to support its users through the pending change. The responsibility, though, rests with end-users to ensure compliance. To that end, Salesforce has published a Trailhead module to support its users.
The Spring ’18 release also includes a number of changes to support users with GDPR.
If your company hasn’t started the process to confirm compliance, then it is worth having a discussion with your manager or with your company’s designated Data Protection Officer.
GDPR is an enhancement of previous legislation, so the changes required might be small, but it is important to understand how those changes could impact your business.
For example, say your business relies on email marketing. Your contact lists may not contain details on how the individual’s consent has been obtained. With GDPR, it may be worth investigating your requirements for that data and planning how to reconfirm or get consent.
Which leads us nicely onto the next step…
Map your data processes
A key to being able to understand any risks relating to GDPR and your Salesforce is to map out how data enters your Salesforce org.
Is it a web-to-lead form? Or perhaps a landing page describing your products that tracks user behaviour via Marketing Cloud? Or do your sales team import contacts via Data.com?
What happens to it once it is in Salesforce? Is it stored as leads, contacts, person accounts? Do you have custom fields on objects containing personal data?
This is a chance to get all these flows down on paper. And remember to include whether there are any prompts for user opt-in and what the purpose of the data is.
Are there any other resources to help me?
So as we wrap up here, it is worth mentioning that we have only just started to scratch the GDPR surface.
The changes come into effect in May, so there is still time to prepare. And if you were compliant with previous legislation like the Data Protection Act here in the UK, then GDPR may be an extension of your existing processes. But don’t take this as legal advice!
There are a number of great resources available to help companies with this transition.
For Salesforce users:
- as previously mentioned, I would start with Trailhead.
- Salesforce has now also published a Data Protection & Privacy guide in the Help section, and
- check the Spring ’18 release notes, as there are a number of features changing (or added to the platform) due to GDPR
Additionally, I found a number of sites relating to GDPR when preparing this post:
- Data Protection People has a post called ‘The perfect CRM system for GDPR compliance’
- Next port of call, the ICO has published a 12-step e-book relating to GDPR.
- SalesforceBen also has an e-book detailing GDPR.
- And finally (and if you are really interested) here is an 88-page document from the EU relating to GDPR