£183.39 million. That’s how much British Airways was fined for a breach of customer data. It’s also the largest fine issued under the GDPR. While it is unlikely that your company would face a fine of similar magnitude, GDPR fines are designed to be painful, not merely a warning. Fortunately, if your company uses Salesforce, you already have some tools to help you comply with the GDPR. There are still, however, some steps you must take yourself to protect your customer data, company reputation and corporate finances.
Today, I’ll share the tools that Salesforce provides to keep your data safe and your company compliant, as well as some steps you must take to make sure you do your part too.
What is the GDPR, and why does it matter to me?
The General Data Protection Regulation (GDPR) is a European law which came into effect in May 2018. The idea behind the law was to give individuals living in the EU rights over, and better protection of, their personal data. With demand for similar regulation growing in other countries and in American states (the California Consumer Privacy Act came into force on 1 January 2020), and with heightened consumer concern over their online data, the importance of the GDPR is unlikely to diminish anytime soon.
To see the details of the GDPR, you can go to the official website. The basic principles you need to consider are:
1. It applies to EU citizens, companies in the EU, and anyone who is in the EU.
2. You have to obtain user consent for communication permissions. In practice, this means you must provide clear terms and conditions, and a user has to opt in to receive marketing messages.
3. Users can request that their data be deleted, and you must comply.
4. Users have to know how their data is being used and whether it is being transferred to a third party.
5. If their data leaks, a user needs to be informed within 24 hours of the leak being detected (even on non-workdays).
6. Companies must take appropriate measures to protect user data, and are even obliged to use “state of the art” solutions. A definition which, just like art in a gallery, is subjective.
As you can see, there are some significant implications for how companies handle security and user data. Luckily, Salesforce has taken measures which help your company stay GDPR compliant.
How does Salesforce help you stay GDPR compliant?
Salesforce follows best practices for a data processor and provides you with useful tools to stay GDPR compliant.
Collecting user permission
Salesforce provides built-in tools and easily configured options to collect user permission data. An example is obtaining marketing contact permission. Salesforce can provide opt-in checkboxes on relevant forms and exclude contacts who haven’t opted in from mass mailings. It will also display a warning message concerning the user’s permissions (for example, email opt-out) when their record is viewed.
Right to erasure tools
Along with tools for collecting permission, Salesforce has features to delete data quickly upon a user’s request. This is another essential tool for GDPR compliance, as users have the right to request the deletion of their data.
Segregated and restricted data access
Although many different businesses use Salesforce, Salesforce’s data architecture keeps each organisation’s data separate and secure. If another company’s system becomes compromised, your user data is still safe. Furthermore, the way Salesforce is designed allows you to set specific access levels for different users, which reduces the risk of administrator-level access leaking.
Salesforce also provides testing sandboxes and development environments, which encourage developers to work on new features and releases without risking production. Of course, developers on other platforms which don’t provide these tools could build their own development sandboxes, and a reckless Salesforce consultant could ignore the tools provided, but having them readily available encourages better practices.
A technical setup that meets EU standards
Salesforce is one of the largest and leading cloud solution providers. They don’t just follow technical best practices but lead the way in setting new ones. Salesforce’s business model also requires them to keep advancing security, and their scale makes doing so far more cost-effective than it would be for even the largest enterprises.
As a customer, you gain the benefit of the same investments they make for the most significant brands around the world. Salesforce is also transparent about its security procedures on its Trust website. They disclose server downtime, security issues and details of their technical setup, without helping nefarious agents to crack their system. But don’t just take Salesforce’s word for it; they have been checked by outside agencies.
Salesforce is independently vetted
Salesforce security is independently vetted by the world’s leading security evaluators, including:
- ISO 27018 certification of security standards
- SOC 1 (SSAE), SOC 2 and SOC 3 security audits
- Payment Card Industry Data Security Standard (level 1 compliance)
- German Cloud Compliance Controls Catalogue Certification C5
- And many more industry and country specific standards
While these in themselves don’t prevent a data breach, they require the highest security standards and drive Salesforce towards best practices.
Salesforce’s three new releases each year also help with security and GDPR compliance. Hackers are constantly looking for new weaknesses to exploit in systems, and the longer a version of Salesforce has been around, the more time a hacker has to find a vulnerability. In these regular releases, Salesforce adopts the latest advances and blocks more vulnerable legacy technologies.
BUT! You still need to do your part.
Salesforce gives you all the tools you need for data security and GDPR compliance, but that doesn’t mean you are guaranteed to be compliant. Just as human error continues to be the leading cause of road accidents, it is also the leading cause of security issues for companies running Salesforce systems.
Can’t protect you from your users
If someone in your organisation sets their password as “password”, then all of Salesforce’s transport layer encryption means nothing. It’s like having the world’s strongest bank vault but leaving the door open and telling the security guards to go home.
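The weak-password problem above is the kind of thing an administrator catches with a password policy, not with encryption. As an added illustration (not Salesforce code; Salesforce applies its own policies in Setup, and the policy values and common-password list below are constructed assumptions), here is a stand-alone check that would reject “password” and similar choices before they reach production:

```python
"""Illustrative password-policy check (added example, not Salesforce code).

Returns a list of violations rather than a bare boolean so that an
administrator or self-service page can tell the user exactly why a
password was rejected.
"""
import math
import re

# Constructed sample list; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome", "admin",
}

MIN_LENGTH = 12          # assumed policy value
MIN_ENTROPY_BITS = 50.0  # assumed policy value


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length times log2 of the character pool actually used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations for `password`; an empty list means it is acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Normalise case so "Password" and "PASSWORD" are caught by the dictionary check too.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    # Reject passwords that embed the login name (local part of an e-mail style username).
    local_part = username.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("contains the username")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too little estimated entropy")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Jane2024!Secure", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, "jane@example.com") or "OK")
```

The entropy estimate is deliberately crude; its job is to stop obviously short, single-class passwords, while the dictionary and username checks catch the “password” case that no amount of complexity arithmetic would flag on its own.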
You still have security responsibilities
If a data breach does, somehow, occur, then you have responsibilities such as contacting users whose data has been leaked. Even with the tools that Salesforce affords, you still need to do your part and fulfil your security obligations.
Are your Integrations GDPR compliant?
Salesforce follows the best security practices and has a robust infrastructure, but that doesn’t guarantee your integrations are equally secure. Many integrations do have high security standards, and AppExchange applications must meet security criteria as part of the review. Still, if you are using a third-party application developed by a less knowledgeable creator, it might expose your user data or fail to be GDPR compliant in some other way.
We recommend mature solutions, which have been developed in accordance with Salesforce’s specifications to mitigate such risks in our clients’ orgs.
These GDPR tools are why we are focused on Salesforce, and why you should be too
Salesforce’s robust GDPR security infrastructure and built-in tools are just one of the reasons why we are fully focused on Salesforce. It allows us to configure solutions quickly for clients which follow best standards and the latest industry innovations. Although there are steps you need to take to ensure compliance, our consultants can help you fulfil your obligations and identify any security concerns.
Łukasz Oniszczuk is the Chief Security Officer at VRP Consulting. He has worked in IT for 15 years, including 10 years as an IT and business process auditor and Information Security Manager for global companies.