Tip #1- Become Informed
What is GDPR?
How are USA-Based Businesses Affected?
The regulation applies to companies based outside the EU if they are offering goods and services to, and maintain personal data about, individuals in the EU. If you allow EU residents to register their personal information online with your business, and you maintain these contact records, you are affected.
Tip #2- Your Data Compliance Strategy
Create a Data Protection Policy Document
If your core business involves processing personal data, a Data Protection Officer (DPO) should be designated. This could be an existing employee tasked with this function in addition to his/her other role, or it could be an outside consultant.
Conduct a Data Protection Impact Assessment
Most businesses will not need to appoint a DPO, however a Data Protection Impact Assessment should be undertaken which outlines the purpose of your business’ data processing, the types of personal data collected, categories of data subjects and storage periods.
In addition, you should outline the technical and organizational security measures to protect the personal data, as well as whether personal data is transferred to recipients outside the EU. Ensure that key departments are aware that the law is changing, and to anticipate the impact of GDPR.
Tip #3- Modify Registration & Landing Pages
The ‘I Agree’ Registration Problem
Many registration pages and dialog boxes have only the ability for a user to submit their information if they ‘agree’. GDPR also specifies that if a user does not consent - they cannot be denied the ability to register. Consequently, adding a checkbox that states ‘I do not Consent’ and subsequently recording this activity on the contact record is critical.
Silence is Not Consent
Privacy policies must be written in clear, straightforward language that specifies that a user will need to give an affirmative consent before his/her data can be used by a business. Under GDPR requirements, you must also address an individual’s rights with respect to data collection and use.
Tip #4- Handle Data with Care
Collect Only What You Need
Implement Daily Data Backup
Backups should retain copies of record data as well as system metadata. Article 32 of the GDPR specifies specific technical and organizational security measures including encryption, snapshots and methods for copying and restoring personal data including a documented back-up strategy. A daily automated backup of your Salesforce system will help you comply with the specifics of the regulation.
Tip #5- Be Aware
Review Roles, Profiles and User Access
Your Salesforce system offers many methods of segmenting and partitioning data to ensure only certain users have access to certain records. Many companies leave their Salesforce system unpartitioned, providing internal users with full access to all contact records regardless of their position in the company.
Implement Data Partitions
Salesforce settings allow you to block certain users from seeing specific records- or parts of- those records. In addition, you can block the ability to export data and specify where users can and cannot log in from (such as only within the company offices). Password policies can be updated to mandate more frequent password changes.
The views and opinions expressed in this article are those of the authors. Examples cited in this article are only examples. They should not be utilized in real-world situations as they are based only on limited and dated open source information. Salesforce® is a trademark of salesforce.com, inc.
© 2018 Snowforce, LLC. All Rights Reserved – June 2018