GDPR, whats that?
The replacement of Data Protection Directive 95/46/EC, a regulation mechanism for unified adaptable composition of Data Privacy laws to protect and empower EU citizens data privacy. The law makers believe this comprehensive suite will reshape the way organization approach data Privacy.
The GDPR stands for, General Data Protection Regulation. This comes into effect from May 25, 2018 and enforceable in each EU member state.
So, time is really slipping away. Before the law comes to action, as expected, its normal to feel the chaos, confusions and lack of confidence to transform businesses to comply the mandate.
What GDPR governs?
GDPR governs and control the ownership of Data for EU individuals. It covers
• transfer and
This means any organization which holds personal data of EU Individuals for any of the above purposes are in scope of this law. When we talk about scope, its very wide in terms of GDPR to define context of “Personal Data”. And any organization, irrespective of its geographical presence comes under purview of GDPR, if it deals with “Personal Data” of EU citizens.
- Transparency : Organizations must always process personal data lawfully, fairly, and in a transparent manner.
- Purpose : Organizations can collect personal data only for specified, explicit, and legitimate purposes. They cannot further process personal data in a manner that’s incompatible with those purposes.
- Data minimization and relevance : Organizations can collect only personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
- Accuracy : Personal data must be accurate and, where necessary, kept up to date.
- Data Deletion: Personal data must be kept only for as long as it’s needed to fulfill the original purpose of collection.
- Security : Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.
- Accountability : A data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR.
What changed in GDPR?
The GDPR is one set of rules which combines all aspects of data privacy. Over the time, the old laws were had become less suitable to control present day situation. Today, personal data also called data subject means a lot for every individual, hence protection in all sense becomes mandatory. Also businesses today, find their base over understanding customer and monitoring the behavoiur closely to make definite strategy and maximum ROI. This is where individuals personal data plays vital role to answer difficult business questions or give high percentage to probability of prediction.
GDPR has provided an empowerment to EU individuals, for ownership of their personal data. Lets see how this is made possible:
Increased authority for EU Individuals : The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
Obligation against compliance: Organizations are liable to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
Responsibilities in the event of data breach : Organizations are accountable and responsible to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
Profiling and Monitoring : The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
Binding Corporate Rules (BCRs): The GDPR officially recognizes BCRs (which Salesforce offers for certain of its services) as a means for organizations to legalize transfers of personal data outside the EU.
Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
Centralization of all data privacy laws: GDPR is a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
The GDPR grants data subjects a number of rights regarding how controllers handle their data. These rights require controllers to have systems in place to respond to and effectively address data subjects’ requests.
- Data Access: Data subjects have the right to confirm with a data controller whether the organization is processing their personal data.
- Right to Object: Data subjects can in certain cases object at any time to the processing of their personal data, in particular if the processing is for direct marketing purposes.
- Data Rectification: Data subjects can request that a controller correct or complete personal data if the data is inaccurate or incomplete.
- Restriction of Processing: Data subjects can request that a controller stop access to and modification of their personal data.
- Data Portability: In certain cases, data subjects have the right to ask a controller to provide their personal data in a structured, commonly used, and machine-readable format (for example, a .csv file) so that they can transmit their own personal data to another company.
- Right to Erasure: Also known as “the right to be forgotten,” this right empowers data subjects to request that a data controller delete or remove their personal data in situations such as the following: when the data is no longer needed for the original purpose, when the data subject withdraws consent, or when the data subject objects to the processing and the controller has no overriding legitimate interest in the processing.
Myths vs Fact
Myth: “Processing European personal data requires the consent of the data subject.”
Fact: Consent is only one of the legal bases one can use for the processing of personal data. For instance, personal data can also be processed:
when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party;
when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and
sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.
Myth: “European personal data must be stored within Europe.”
Fact: The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50). Salesforce ensures that its customers can comply with this by offering its customers a data processing addendum (DPA) that incorporates Salesforce’s processor Binding Corporate Rules, EU-U.S. and Swiss-U.S. Privacy Shield Certification, and the Model Clauses as approved by the European Commission. Please find more information about these transfer mechanisms here.
Myth: “The GDPR requires EU personal data to be encrypted at rest.”
Fact: The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented.
Myth: “If an organization is established outside the EU, the GDPR does not apply to its processing of EU personal data.”
Fact: Regardless of where an organization is established, the GDPR applies to EU personal data which is processed in the context of: ● offering goods and services (whether paid or not) to people in the EU; or ● monitoring the behavior of people in the EU, for example by placing cookies on the devices of EU individuals (Article 3(2)).
For more interesting myths and reality check out this link
What’s Salesforce role in this?
Salesforce claims to welcome GDPR whole heartedly and commited to provide all support to its customers in achieving their milestone in compliance to this law.
• In October 2015, within hours of the European Court of Justice invalidating the EU-U.S. Safe Harbor program, we offered all of our customers a data processing addendum that allowed them to continue to transfer data to Salesforce without interruption.
• In November 2015, we became the first top 10 software company to achieve approval for binding corporate rules for processors from European data protection authorities.
• In August 2016, we became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework.
What steps Salesforce suggests to Customers
- Get Buy-In and Build a Team
In essence of First thing first, you should make leaders of your organization aware about GDPR compliance, obligations and corporate responsibility towards it. Then you must build a team with correct composition of security champions and a lead privacy expert.
- Access the organization
The basic step for the team must be to first review the existing processes and access the strength and weakness with respect to privacy of data. Identify all systems where the organization stores personal data, processes that transform or transfer data. Then make the impact analysis matrix for each high risk activity.
- Set up Controls and Processes
• Ensure privacy notices are present wherever personal data is collected
• Implement controls to limit the organization’s use of data to the purposes for which it collected the data
• Establish mechanisms to manage data subject consent preferences
• Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
• Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
• Enter into contracts with affiliates and vendors that collect or receive personal data
• Establish a privacy impact assessments process
• Administer employee and vendor privacy and security awareness training
- Document Compliance
• Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
• If required, appoint a data protection officer and identify the appropriate EU supervisory authority
• Conduct periodic risk assessments
More links for Reference:
- Official GDPR website of EU
- Salesforce GDPR overview
- Salesforce Data Processing Addendum
- Salesforce Trust and Compliance documentation
- Salesforce GDPR Fact sheet