On 25 May 2018 one of the most important changes in European legislation takes effect, namely the General Data Protection Regulation (GDPR). The updated law concerns all companies that handle personal information within the EU, including companies that sell goods and services in the EU even if they are not physically located there. A crucial thing to remember about the GDPR is that, as a regulation, it does not need to be approved by the parliament of each country in the European Union: it applies automatically in every member state.
GDPR in a nutshell – what is changing?
1. What is ‘personal information’?
The new regulation expands the meaning of ‘personal information’. The basic concept remains the same: any combination of information that can identify someone personally is considered personal information, and sensitive personal information is data about someone’s health, religion and so on. However, another layer of specification has been added: personal data now explicitly includes information about a person’s geographical location and online identifiers such as an IP address. As for sensitive data, genetic and biometric information has been added to this category.
2. Control over personal data
One of the GDPR’s main aims is to give people more control over their own personal information. This is done in a few ways:
• The right to be forgotten – everyone has the right to ask the administrator of a website or other service to delete all information about them; please note that there are restrictions to this rule
• The right to restriction – everyone can ask an administrator not to process their data (so the administrator can store it but not use it for anything)
• The right of access – everyone has the right to ask an administrator for access to all of the data held about them
3. Consent for the use of personal data
The GDPR makes consent a central part of how a person’s data is processed. Consent needs to be given freely by the person (companies can’t make it obligatory), needs to be specific (a person gives it for a certain purpose), informed (the person needs to be aware of why they are giving consent) and clear (consent given for one purpose cannot be assumed to cover other uses of the personal data).
4. How is personal data being protected?
The new regulation requires administrators and anyone else processing data to deploy appropriate technical and organizational measures for data protection, so that the level of protection matches the level of risk that the personal data in question is exposed to.
5. Signalling a breach in GDPR
Every breach of security affecting stored or processed personal data should be reported within 72 hours of its discovery.
6. Assessing the impact
In some high-risk cases, administrators must carry out a special assessment of the importance or impact of the risk that comes with choosing a particular way of processing data.
7. Transferring data outside of the EU
The regulation forbids data transfers outside of the European Union unless proper data-protection measures have been taken. The GDPR continues to accept the transfer mechanisms currently in operation.
8. Transparency
The GDPR requires administrators to be fully transparent about how personal data is collected and processed, at the moment the data is collected.
9. Profiling
This is a new concept within the GDPR. It covers any form of automated processing of personal data that aims to assess or forecast a person’s work performance, economic status, interests, health, behaviour, location or movements.
10. Fines
The fines that a non-compliant company may have to pay are quite drastic: up to 20 million, or 4% of annual turnover, whichever is higher.
11. Leading regulation body
The concept of a single lead supervisory authority is introduced for companies operating in more than one country, reducing the effort and needless bureaucracy of dealing with many governing bodies.
How does Salesforce help their clients be compliant?
Salesforce is the first of the top 10 software companies to have its so-called "binding corporate rules" approved by the European data protection authorities. Salesforce is also among the first companies to be certified under the EU-US Privacy Shield and the Swiss-US Privacy Shield (mechanisms for transferring personal data between the EU, the USA and Switzerland, approved by the respective national regulators).
The right to be forgotten
Each of the Salesforce Cloud modules allows users to delete personal data at both the individual and the organizational level.
The Salesforce platform offers a wide range of data-export methods through a user-friendly interface as well as various API integrations. The export formats are CSV, JSON and XML.
Consent and Restrictions in processing
Salesforce helps its clients comply with the GDPR through ready-made features that record and store a person’s preferences about how their data is processed and used. In the Salesforce platform the data can be identified, restricted, exported or deleted at that person’s request. If the person’s consent changes, the data can be re-imported at a later time.
Salesforce gives its customers a thorough and clear annex with detailed information about data processing within the platforms. This annex sets strict requirements on how data is stored and processed and explains the data-transfer mechanism, ensuring compliance with the GDPR.
Security
Security is embedded in every layer of Salesforce. Its architecture is designed to back up information in emergency cases. Information is transferred only over encrypted channels, and the applications themselves provide identity management, authorization and granular access rights. Salesforce also offers an additional layer of security called Salesforce Shield, which allows for further data encryption.
Five GDPR myths
1. Personal data of EU citizens needs to be stored in the European Union
That is not true. The GDPR simply imposes additional requirements when transferring data outside the European Economic Area. These requirements must be met whenever data is transferred outside of the EU.
2. Data should be encrypted
The GDPR doesn’t prescribe any specific technology for storing data. What the regulation actually requires is that appropriate organisational and technical measures for protecting stored data are in place. Data encryption can be one such measure, but it is not the only one required.
3. Everyone has the right to ask for their personal data to be deleted
The right to be forgotten isn’t absolute. For example, if keeping someone’s records is required by law, then the person cannot be ‘forgotten’ even if they want to be. One example is that financial institutions are required to keep records of financial transactions for the past 5 years.
4. Data processing is now only done through consent
Consent is one of the main pillars of the new GDPR law. However, consent is not required when processing is needed to meet a legal obligation or to perform a contract, or for something else of that nature.
5. Every company should have a data officer, responsible for data protection
Keep calm! This requirement only applies to companies whose core activities involve ‘sensitive’ data or surveillance, and to government organisations.
If you have more questions, don't hesitate to drop us a message and ask - we'll be happy to help!