Your business survives and thrives on the Salesforce platform. While Salesforce’s flexibility, scalability, and security are exceptional – is your Salesforce implementation secure and GDPR compliant? The General Data Protection Regulation (GDPR) turned two years old a few months ago, and it has not been shy in dispensing fines to organizations large and small. While Salesforce is stringently secure, the waters can get murky in the area of customer privacy – the focus of GDPR. Salesforce’s promise to “Connect with Customers in a Whole New Way” is built on the premise of data collection, data analysis, and Business Intelligence (BI). A recent class-action GDPR lawsuit against Salesforce and Oracle, which could run into $11 billion, targets Salesforce’s intelligent “customer surveillance”. Here is your 5-point checklist to validate that your Salesforce is GDPR compliant and secure:
#1 Privacy by Design: Focus on the Articles at the Core of GDPR
Customer privacy is at the heart and soul of GDPR. Imbibe customer privacy into your applications right from the design phase.
Article 25, Data Protection by Design and by Default, is a guiding GDPR principle. Review that your design processes are built to guarantee minimal data collection, processing, and storage. Involve your Data Protection Officer (DPO) and/or legal teams to vet system design and implementation.
Article 17, Right to Erasure or the Right to be Forgotten, also emphasizes the need to minimize the storage of customer data. Make sure that data collected in Salesforce can be erased completely – including the copies held in external Salesforce backups.
#2 Fine-tune Your Agreements and Policies: Both With ISVs and With Salesforce
Review the contractual agreements with the Independent Software Vendors (ISVs) you’ve engaged with on AppExchange. Note that if the ISVs access your customer data, the onus is on you to ensure that their processes are GDPR compliant. Sign a Data Processing Agreement (DPA) with all your ISVs, as well as with the mothership – Salesforce. Salesforce even has a template for your DPA.
Your agreements should also specify the data retention policy, so that data is fully deleted when the contract with the ISV is terminated. GDPR also requires that all data collected on EU citizens be stored either in the EU, so it is subject to European privacy laws, or in a country with similar levels of protection. Confirm the location of your ISVs’ data centers.
#3 Strictly Need-To-Know: Review Data Access Rights and Control
Assign a Data Protection Officer (DPO) to review your processes, integrations, and access rights for GDPR compliance. While Salesforce offers fine-grained roles and security settings, they are only as effective as their implementation. Take the time to map Salesforce roles and profiles so that access is strictly on a need-to-know basis. Verify at a granular level that Salesforce users have precisely the rights they require to view, edit, and export Salesforce data. Less does mean more as far as security and compliance go.
Review authentication mechanisms used by your ISVs. Multi-Factor Authentication (MFA) is a proven way to mitigate credential theft and misuse – a frequent cause of data breaches. Validate that your vendors, partners, Cloud or Managed Service Providers (CSP/MSP) support MFA.
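One concrete way to start the access review described above is to pull, from Salesforce’s own permission metadata, every active user who holds org-wide view, modify, or report-export rights, whether through a profile or a permission set. The SOQL query below is an added illustration, not part of the original post or of any CloudAlly product; it relies on the standard PermissionSetAssignment object and the documented PermissionsViewAllData, PermissionsModifyAllData, and PermissionsExportReport fields, and can be run from Developer Console or any SOQL client.

```sql
-- Access review: which active users can see, change, or export ALL data?
-- Profile-level permissions surface here too, because every profile owns a
-- permission set (PermissionSet.IsOwnedByProfile = true).
SELECT Assignee.Username,
       PermissionSet.Name,
       PermissionSet.IsOwnedByProfile,
       PermissionSet.Profile.Name,
       PermissionSet.PermissionsViewAllData,
       PermissionSet.PermissionsModifyAllData,
       PermissionSet.PermissionsExportReport
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND (PermissionSet.PermissionsViewAllData = true
       OR PermissionSet.PermissionsModifyAllData = true
       OR PermissionSet.PermissionsExportReport = true)
ORDER BY Assignee.Username, PermissionSet.Name
```

Every row is a user-to-grant pair the DPO should be able to justify on need-to-know grounds; re-run the query after each role or profile change so the list stays small and explainable.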
#4 Salesforce Hearts GDPR: Harness its GDPR-friendly features
Salesforce has helpful tools and mechanisms to support GDPR compliance. Consider using Salesforce Shield, which adds layers of compliance controls that align with articles of GDPR. The platform encryption and event monitoring provided by Salesforce Shield help protect personal data through encryption and provide a clear audit trail.
Utilize Salesforce tools such as explicit opt-in checkboxes and right-to-erasure tools to facilitate GDPR compliance. Use Salesforce sandboxing and seeding to innovate securely and test new releases without risking production. Here is an exhaustive list of FAQs that can shed light on other GDPR-friendly Salesforce features.
#5 Data Protection is a Shared Responsibility: Guarantee Uninterrupted Access and Recoverability
Salesforce, while exceptionally secure, cannot protect you from data loss at your end. The causes are often commonplace: accidental deletions, malicious insiders, malware, downtime, and/or sync errors. Read our ebook: 7 Reasons Why Salesforce Needs Backup. As per GDPR, your organization “shares responsibility” with Salesforce to safeguard customer data. Salesforce’s responsibility encompasses everything “of” the cloud – securing the facilities, hardware, and software that run cloud services. Your organization is responsible for security “in” the cloud, such as customer data, access management, network security, and client-side data encryption.
Article 32 of the GDPR also mandates that organizations “have the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. The only sure-fire way to do it? SaaS Backup and Recovery. In fact, Salesforce themselves recommend third-party backup, particularly as their own native Salesforce data recovery service retired a few months ago.
Improve Salesforce GDPR Compliance With CloudAlly
CloudAlly Salesforce Backup and Recovery provides automated backup of all your Salesforce data, metadata, and Chatter feeds. CloudAlly pioneered Salesforce backup and thus our product is proven and robust. It eliminates Salesforce data loss with easy and flexible recovery from any point-in-time and at any level of granularity. Built-in sandbox seeding and Salesforce compare
What’s more, we’re thoroughly GDPR compliant and audit-ready. Some of our GDPR compliant features:
- Encrypted Backups: Your Salesforce backups are protected at rest and in transit. We store your backups on industry-leading Amazon S3 storage and encrypt them with AES-256.
- Choice of data centers: Select from multiple data center locations in the EU, Australia, the US, and Canada.
- Secure MFA Authentication: CloudAlly Salesforce Backup supports MFA and OAuth. We even offer the option to make it mandatory for access.
- Compliant backups: Our solutions are stringently secure and compliant – ISO 27001 certified, GDPR, and HIPAA compliant, with 99.9% Uptime / Availability SLA.
- Unlimited Storage and Retention: We offer granular and point-in-time recovery which, coupled with unlimited data retention and unlimited storage, means you have demonstrable recovery of any or all of your data from any point in time.
Don’t Risk Salesforce Non-Compliance With GDPR
Backup With CloudAlly.