
GDPR Compliance With Salesforce Backup Best Practices


Organizations that hold personal information in Salesforce and fall within the scope of the European Union (EU) General Data Protection Regulation (GDPR) have a legal obligation to protect that personal data in order to comply with the regulation.

Organizations failing to comply with GDPR can invite regulatory fines and suffer loss of reputation. The Irish Data Protection Commission has fined Meta €1.2 billion for using outlawed data transfer mechanisms to transmit the personal data of EU users to the US. 

While Salesforce offers robust security features, organizations remain responsible for ensuring that their backup and data retention strategies align with GDPR requirements. A well-structured backup plan must comply with key GDPR principles, such as data minimization, the right to be forgotten, and lawful data processing. 

Let's examine the key principles of GDPR and Salesforce backup best practices to comply with its provisions for protecting user personal data.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union (EU) that came into effect in 2018. The objective is to standardize and uphold the privacy structures that protect user personal data. 

Who does the GDPR law apply to?

The law applies to organizations operating within the EU and its member states, as well as to the personal data of citizens and residents of the EU and its member states.

Organizations outside the EU that process the personal data of EU individuals and have 250 employees or more must comply with the law. On the other hand, organizations outside the EU with fewer than 250 employees are exempt from some of the record-keeping responsibilities associated with GDPR. 

It also covers web retailers whose site content targets EU users and organizations whose web tools track EU user data.

Key Principles for GDPR Compliance

According to Article 5 of GDPR, there are six key principles that data controllers must meet to be considered GDPR compliant:

1. Lawfulness, fairness, and transparency

This principle requires organizations to process personal data transparently and according to the law. 

2. Purpose limitation

Organizations should collect personal data for explicitly stated and legitimate purposes. The only acceptable reasons for deviating from this principle are if organizations are archiving personal data for public interest, using it for scientific or historical research, or statistical purposes. 

3. Data minimization

This principle informs organizations that personal data must be adequate, relevant, and limited to what is necessary for their purposes. 

4. Accuracy

The principle of accuracy requires organizations to take every reasonable step to ensure personal data is accurate and, where necessary, kept up to date. Any personal data found to be inaccurate must be erased or rectified without delay. 

5. Storage limitation

This principle stipulates that organizations can only keep personal data identifying a data subject for no longer than necessary. They can hold the data only as long as required to accomplish the intended purposes, and then it must be securely destroyed or archived for acceptable reasons. 

The only acceptable reasons for not observing this principle are archiving personal data in the public interest or retaining it for scientific, historical, or statistical purposes; in either case, organizations must still follow the regulation's safeguards for the archived data.

6. Integrity and confidentiality 

Organizations must use appropriate technical or organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. 

When an organization neglects to comply with these principles, it risks penalties of up to 20 million euros, or 2% to 4% of its global annual turnover, whichever is higher.

What are the organizational responsibilities for complying with GDPR?

Organizations using Salesforce must implement policies and controls to protect personal data, uphold data subject rights, and maintain secure backup and retention practices for compliance with GDPR:

  • Obtain informed consent

Organizations must notify users of site cookies upon entry. Users should be exempt from data collection and processing by default unless they opt in.

Data controllers should ensure the subject knows what data will be collected, how they will use it, storage duration, and with whom the data will be shared. 

  • Secure personal data

As per Article 32 of GDPR, data controllers are responsible for ensuring the security of personal data. They must take technical and operational measures to prevent breaches, unlawful disclosures, loss, or destruction of data and the systems that process it.  

  • Privacy by design 

Data collection must be designed to default to only the data necessary for the intended purposes. In addition, controllers or processor systems must be able to detect cyber threats and have a clear protocol for responding. Once a subject's data has served its purpose and the controller has no lawful reason to hold it, it must be destroyed. 

  • Data transfer 

Organizations are responsible for secure data transfers. They must ensure that the involved entities have satisfactory protections for data processing and storage. Moreover, organizations should also take extra precautions when transferring data to organizations outside the EU. 

Data controllers need to employ precise legal contracts that hold all parties accountable to explicitly stated security measures. 

  • Maintain records

GDPR requires organizations to maintain consistent and transparent documentation of data operations. They must meticulously document what data was processed, which, in the case of special categories of data, also means documenting the category and the reason for data processing. Data controllers should also keep records of entities with whom data is shared and about data transfer mechanisms.

  • Breach notification 

In the event of a data breach, data controllers have up to 72 hours to inform their GDPR supervisory authority. They must disclose the nature of the breach, such as unlawful or accidental disclosure, loss, or alteration of data. 

If the breach information cannot be gathered and provided within 72 hours, the controller must submit what information they have within 72 hours, and the rest must follow as soon as possible. Lastly, if the breach is significant and could pose a threat to data subjects, organizations must also inform them.

How Does Salesforce Ensure GDPR Compliance?

Salesforce is committed to complying with the GDPR to protect customer data. The company's services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards to protect customer personal data. These certifications include the International Organization for Standardization (ISO) 27001 and 27018 standards, the American Institute of CPAs' (AICPA) System, and more. 

Additionally, Salesforce publishes Trust and Compliance documentation for each service describing the architecture, security- and privacy-related audits and certifications, and the applicable administrative, technical, and physical controls.

Salesforce provides robust features and tools to support organizations in managing data privacy and protection to comply with GDPR.

Secure cross-border data transfer

Salesforce provides customers with a robust data processing addendum containing data transfer frameworks, enabling organizations to legally transfer personal data to Salesforce outside the European Union.  

Personal data anonymization

Salesforce Shield builds additional layers of compliance that align with GDPR articles. Features such as encryption and event monitoring help organizations anonymize personal data. 

Data retention period

Salesforce data, such as emails, tasks, and events, has specified retention periods. The platform also retains audit logs, including login history and API usage.

The default retention period for most records in Salesforce is 6 months, after which it is automatically archived. Organizations can customize data retention periods for different types of data based on business and regulatory requirements.  

Consent management

Tools like Preference Centers allow customers to manage their communication preferences, ensuring consent is followed across the platform. Platform tools such as explicit opt-in checkboxes and right-to-erasure tools help organizations with GDPR compliance.

Data deletion

Salesforce's Flow Builder automates processes such as data deletion upon receiving a 'Right to Be Forgotten' request.

Organizations can effectively ensure GDPR compliance within their Salesforce environment by leveraging these features and following data backup best practices for GDPR compliance.

What Are Salesforce Data Backup Best Practices for GDPR Compliance?

While Salesforce itself is GDPR compliant, it is crucial for businesses using the platform to implement and maintain GDPR-compliant processes.

Best practices for GDPR compliant Salesforce backup should focus on security, integrity, and availability of personal data. Here are some key practices:

1. Implement data retention policy to meet data minimization and storage limitation principles

Your Salesforce data includes records, files, content, and metadata such as custom objects, configurations, and workflows. Implementing a data retention policy enables you to ensure a GDPR-compliant Salesforce backup that contains only necessary data, aligning with the principle of data minimization.

Data retention policy is about managing data across its lifecycle, from when it's created and imported to when it's deleted or archived. A clear data retention policy helps you delete backups periodically, ensuring you don't keep records beyond the stipulated duration to meet the GDPR principle of storage limitation.

2. Schedule regular backups to protect against data loss and corruption

While GDPR does not explicitly mandate backups, they are crucial for ensuring data availability and integrity, as required by Article 32. A regular backup plan protects against accidental loss or corruption of data. 

For a GDPR-compliant Salesforce backup, you can use native Salesforce backup services such as the Data Export Service for weekly or monthly exports, selecting which data objects to include in the backup. The premium Salesforce Backup and Restore add-on lets you schedule automated daily backups, while third-party data backup tools enable you to take more frequent, granular backups.

To decide on backup frequency, you should consider factors such as how often your data changes and the criticality of the information. Additionally, you should factor in your organization's recovery point objective (RPO) for scheduling backups.
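The retention policy described under practice 1 and the RPO consideration above can both be enforced mechanically over a backup catalogue. The following is an added example, not code from the original post or from Flosum: it classifies constructed backup snapshots as keep, delete or archive against per-object retention windows (the public-interest archiving exemption is modelled as a hypothetical flag), and separately flags objects whose newest snapshot is older than the RPO. Object names, retention values and snapshot records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    """One backup run of a single Salesforce object (constructed record)."""
    snapshot_id: str
    sobject: str            # e.g. "Contact", "Case", "Lead"
    taken_on: date
    public_interest_archive: bool = False  # hypothetical flag: lawful archiving exemption


# Retention windows in days per object type (constructed policy values).
RETENTION_DAYS = {"Contact": 365, "Case": 730, "Lead": 180}
DEFAULT_RETENTION_DAYS = 365

# Constructed sample catalogue, evaluated against TODAY below.
TODAY = date(2025, 6, 1)
CATALOGUE = [
    Snapshot("s1", "Contact", date(2025, 5, 30)),
    Snapshot("s2", "Contact", date(2024, 1, 15)),
    Snapshot("s3", "Case", date(2023, 3, 1), public_interest_archive=True),
    Snapshot("s4", "Lead", date(2024, 11, 1)),
    Snapshot("s5", "Lead", date(2025, 5, 28)),
]


def classify_snapshots(snapshots, today):
    """Apply storage limitation: return {'keep': [...], 'delete': [...], 'archive': [...]}.

    A snapshot past its object's retention window is deleted unless it is
    lawfully archived, in which case it is moved to the archive bucket.
    """
    plan = {"keep": [], "delete": [], "archive": []}
    for snap in snapshots:
        limit = RETENTION_DAYS.get(snap.sobject, DEFAULT_RETENTION_DAYS)
        age_days = (today - snap.taken_on).days
        if age_days <= limit:
            plan["keep"].append(snap.snapshot_id)
        elif snap.public_interest_archive:
            plan["archive"].append(snap.snapshot_id)
        else:
            plan["delete"].append(snap.snapshot_id)
    return plan


def rpo_gaps(snapshots, today, rpo_days):
    """Availability check: objects whose newest snapshot is older than the RPO."""
    newest = {}
    for snap in snapshots:
        if snap.sobject not in newest or snap.taken_on > newest[snap.sobject]:
            newest[snap.sobject] = snap.taken_on
    return sorted(obj for obj, taken in newest.items() if (today - taken).days > rpo_days)


if __name__ == "__main__":
    print(classify_snapshots(CATALOGUE, TODAY))
    print("RPO gaps (3-day RPO):", rpo_gaps(CATALOGUE, TODAY, rpo_days=3))
```

Run the pruning step only after the RPO check passes for every object, so that storage limitation never leaves you without a restorable copy of data you are still entitled to hold.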

3. Implement GDPR compliant third-party data backup solutions

Though Salesforce native backup solutions offer flexibility, customization options may be limited compared to third-party tools. These tools' advanced features, like metadata backups, versioning, and point-in-time recovery, enable seamless restoration of both data and configurations, allowing you to create a GDPR compliant Salesforce backup.

As a best practice, you must complement Salesforce backup solutions with third-party data backup and recovery tools to ensure the security and reliability of personal data.

4. Automate Salesforce backups to protect data

Consider automating Salesforce backups with solutions like Flosum to overcome the challenges of effort-intensive and time-consuming manual Salesforce backups. It can help you save time, avoid errors, and protect your data against mishaps, ensuring its integrity and confidentiality.

5. Define a process for removing data

A structured data removal process considers relationships between objects, the recycle bin, and connected applications before deleting data from Salesforce. Once the data retention period ends, you can use Salesforce's features to either delete or archive data that is in the public interest. You can use Salesforce's built-in tools and configuration settings to enforce data retention and deletion rules for a GDPR compliant Salesforce backup.
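As an added example (not code from the original post or from Flosum), the planning step described above can be expressed over a constructed set of records: starting from the record subject to erasure, it walks the parent-child relationships so that dependent records are removed before the record they reference, lists the connected applications that hold copies of the affected objects, and records that the recycle bin must be purged afterwards so the deletion is not reversible. Record IDs, relationships and connected-application names are all constructed; the Salesforce key prefixes used (003 for Contact, 500 for Case, 00T for Task) are real, but the IDs themselves are made up.

```python
from collections import defaultdict

# Constructed records: id -> (object type, ids of parent records it references)
RECORDS = {
    "003A000000000001": ("Contact", []),
    "500A000000000001": ("Case", ["003A000000000001"]),
    "500A000000000002": ("Case", ["003A000000000001"]),
    "00TA000000000001": ("Task", ["500A000000000001"]),
    "00TA000000000002": ("Task", ["003A000000000001"]),
    "500A000000000003": ("Case", ["003Z000000000009"]),  # unrelated record, must be untouched
}

# Constructed inventory of connected applications and the objects they sync.
CONNECTED_APPS = {
    "Marketing sync (constructed)": ["Contact"],
    "Helpdesk sync (constructed)": ["Case", "Task"],
    "Billing export (constructed)": ["Opportunity"],
}


def deletion_order(records, target_id):
    """Post-order walk: every dependent record appears before the record it references."""
    children = defaultdict(list)
    for rec_id, (_, parents) in records.items():
        for parent in parents:
            children[parent].append(rec_id)

    order, seen = [], set()

    def visit(rec_id):
        if rec_id in seen:          # guards against cyclic lookups
            return
        seen.add(rec_id)
        for child in children.get(rec_id, []):
            visit(child)
        order.append(rec_id)

    visit(target_id)
    return order


def plan_erasure(records, target_id, connected_apps):
    """Build the removal plan for one right-to-erasure request."""
    order = deletion_order(records, target_id)
    affected_objects = {records[rec_id][0] for rec_id in order}
    notify = sorted(app for app, objs in connected_apps.items()
                    if affected_objects & set(objs))
    return {
        "delete_order": order,
        "affected_objects": sorted(affected_objects),
        "notify_connected_apps": notify,
        # Soft-deleted records sit in the recycle bin until purged; erasure is not
        # complete until that purge (and the matching backup pruning) has happened.
        "purge_recycle_bin": True,
    }


if __name__ == "__main__":
    for key, value in plan_erasure(RECORDS, "003A000000000001", CONNECTED_APPS).items():
        print(f"{key}: {value}")
```

The same plan should be applied to backup copies held outside Salesforce; otherwise the erased subject simply reappears on the next restore.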

6. Encrypt data to protect backups

Encrypt backup data so that it cannot be read if it is intercepted or accessed without authorization during or after the backup process. Native Salesforce encryption features are reliable; when evaluating third-party backup tools, verify how they encrypt and store your data before adopting them.

7. Regulate access and permissions

Review permissions to your Salesforce backup regularly to ensure only authorized personnel can view or edit backup files. System administrators must apply the principle of least privilege by assigning user permissions based on roles to limit access to sensitive data. They must ensure that no ordinary user has permission to modify metadata, customize the application, modify all data, or view and set up configuration. 

Additionally, you can enhance security through multi-factor authentication (MFA) to add an extra layer of protection. 
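The permission review in the two paragraphs above can be run as a script over an export of user and permission-set data. The following is an added example, not code from the original post or from Flosum: it flags any non-administrator user who holds one of the four permissions named above and any user without MFA enforced. The users and permission sets are constructed; the permission names follow Salesforce's PermissionSet API naming (PermissionsModifyAllData and so on), which is an assumption about field names, and the mfa_enforced attribute is a constructed stand-in for whatever MFA status your export carries.

```python
# Permissions the text says no ordinary user should hold, keyed by their
# Salesforce PermissionSet API field names (assumed names) with a readable label.
SENSITIVE_PERMISSIONS = {
    "PermissionsModifyAllData": "modify all data",
    "PermissionsCustomizeApplication": "customize the application",
    "PermissionsModifyMetadata": "modify metadata",
    "PermissionsViewSetup": "view setup and configuration",
}

# Profiles for which holding these permissions is expected (constructed list).
ADMIN_PROFILES = {"System Administrator"}

# Constructed permission sets: name -> set of granted sensitive permissions.
PERMISSION_SETS = {
    "Sales_Rep": set(),
    "Data_Loader_Power": {"PermissionsModifyAllData"},
    "Sys_Admin": set(SENSITIVE_PERMISSIONS),
}

# Constructed user export.
USERS = [
    {"username": "alice@example.com", "profile": "System Administrator",
     "permission_sets": ["Sys_Admin"], "mfa_enforced": True},
    {"username": "bob@example.com", "profile": "Standard User",
     "permission_sets": ["Sales_Rep", "Data_Loader_Power"], "mfa_enforced": True},
    {"username": "carol@example.com", "profile": "Standard User",
     "permission_sets": ["Sales_Rep"], "mfa_enforced": False},
]


def audit_user(user, permission_sets=PERMISSION_SETS):
    """Return a list of least-privilege / MFA findings for one user (empty if clean)."""
    findings = []
    if user["profile"] not in ADMIN_PROFILES:
        for ps_name in user["permission_sets"]:
            granted = permission_sets.get(ps_name, set()) & set(SENSITIVE_PERMISSIONS)
            for perm in sorted(granted):
                findings.append(
                    f"{ps_name} grants '{SENSITIVE_PERMISSIONS[perm]}' to a non-admin user")
    if not user["mfa_enforced"]:
        findings.append("MFA not enforced")
    return findings


def audit_all(users=USERS, permission_sets=PERMISSION_SETS):
    """Map username -> findings, including only users with at least one finding."""
    report = {}
    for user in users:
        findings = audit_user(user, permission_sets)
        if findings:
            report[user["username"]] = findings
    return report


if __name__ == "__main__":
    for username, findings in audit_all().items():
        for finding in findings:
            print(f"{username}: {finding}")
```

In a real org the input would come from a SOQL query over PermissionSetAssignment joined to PermissionSet and User rather than from the constructed lists above; schedule the audit so that a newly assigned permission set is caught before the next backup is taken under it.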

How Can Flosum Help You Create a GDPR Compliant Salesforce Backup?

Flosum Data Backup offers custom-designed backup services, ensuring your customers' personal data is secure and recoverable. The tool's centralized Salesforce data backup operations enable you to customize backup timing and frequency for all services across enterprises, allowing you to meet key principles for a GDPR compliant Salesforce backup.

Flosum automated data backups regularly back up your data and provide seamless recovery options, including granular search capabilities and flexible restore points. It comprehensively covers data and metadata, preventing data loss or corruption and enabling you to perform on-demand restoration at any point in time, a key feature of GDPR compliant Salesforce backup. 

Flosum also encrypts data in transit and at rest. It offers a 4-hour RPO and a Recovery Time Objective (RTO) of only 5 minutes, limiting downtime.

For more information and solutions, visit Flosum, a leading provider of secure DevSecOps, data management, and data protection platforms for Salesforce. Schedule a call with us today.

Frequently Asked Questions (FAQ)

Does GDPR apply to backups?

GDPR applies to backups as they contain personal data. Proper backup practice is essential to ensure the privacy and security of personal data. Organizations must ensure backups comply with data retention policies, the right to erasure, and security requirements that conform to the key principles of GDPR. Backups should be encrypted, access-controlled, and deleted when no longer needed. 

Is Salesforce data GDPR compliant?

Salesforce provides tools and security measures to support GDPR compliance. However, it depends on how an organization configures and manages its data. To fully comply with GDPR, organizations must implement proper consent management, deletion policies, and data subject rights using native Salesforce solutions and third-party tools.

How do I manage GDPR in Salesforce?

You can manage GDPR in Salesforce by using encryption, access controls, and audit logs for security. You must configure consent tracking, implement data retention policies, and automate deletions. You can leverage Salesforce Privacy Center and native backup solutions to comply with GDPR’s legal, security, and transparency requirements.

What is a GDPR compliant database?

A GDPR-compliant database stores and processes data adhering to the six key principles of data minimization, fairness and transparency, purpose limitation, accuracy, storage limitations, and data integrity and confidentiality. A GDPR-compliant database ensures data security, access controls, encryption, and retention policies while supporting data subject rights like access, correction, and deletion.
