GDPR, Salesforce, and You

Prepare for a New Era of Data Regulation

©2018 Capstorm, LLC | www.capstorm.com

Table of Contents What is the EU General Data Protection Regulation? 2

GDPR & Salesforce 3

GDPR & You 3 Personal Data 3 Processes & Procedures 4 Considerations with 3rd Party Vendors & Consultants 5 Factors Outside of Your Control 6 How can Capstorm Help? 7

Resources 7 Articles & Websites 7 GDPR Legislation 8 Salesforce.com Articles 8

What is the EU General Data Protection Regulation? “The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” https://www.eugdpr.org/ Translation: New privacy laws are in place regarding all data related to EU citizens and how companies handle that data. Key aspects of GDPR include:

1) Breach Notification - A mandatory 72 hour notification timeline is in place for most data breaches.

2) Right to Access - Businesses must provide a copy of a person’s data upon demand in an electronic format.

3) Right to be Forgotten - A person can request that all of their data be erased, and this must be done “without undue delay.”

4) Consent - A person must be informed as to why their data is being collected and the intended use for that data.

2 ©2018 Capstorm, LLC | www.capstorm.com

GDPR & Salesforce In addition to providing customers with GDPR information, Salesforce has taken many steps to ease the pain of this legislation, such as the new standard “Individual” object and a robust data processing addendum. Salesforce can not, however, be responsible for the data that each company enters into Salesforce. Complying with GDPR regulations is the responsibility of every company doing business in the EU, collecting or storing any personal data about EU subjects, or monitoring the behavior of EU subjects. “Monitoring can be anything from putting cookies on a website to tracking the browsing behavior of data subjects to high tech surveillance activities.” Salesforce White Paper: GDPR Key Facts: https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/white-papers/gpdr-fact-sheet.pdf Essentially, every company with an international reach or a sophisticated website is responsible for GDPR compliance.

GDPR & You How do you prepare for GDPR? Many resources are available, but they all have a common theme. You must consider:

● Personal Data ○ What data you have ○ Where the data is stored ○ Who can view / with whom it is shared ○ Why you have the data and how it is being used ○ How long do you need it & why

● Processes & Procedures ○ Data access requests ○ Data removal requests ○ Consent documentation

Personal Data What is personal data? The most basic definition is any data that can be used to identify an individual person, but this extends to more indirect identification, such as a credit card or IP address. For a more in depth description, reference https://www.gdpreu.org/the-regulation/key-concepts/personal-data/ . The most complicated starting place for GDPR compliance is identifying each instance of personal data. This can be incredibly complex. For example, a single contact name and email address may be found in a myriad of places: a Salesforce contact record, Salesforce field history, Salesforce report, MailChimp campaigns, an in-house accounting system, within the outbound emails of 4 employees, with 2 contracts in Salesforce, any number of Salesforce notes and attachments, on a paper job application form, within a spreadsheet created by human resources, etc.

3 ©2018 Capstorm, LLC | www.capstorm.com

After determining all locations where personal data is stored, consider how these processes can be streamlined in order to eliminate unnecessary data storage locations. I.E. Converting from paper to electronic job applications and storing this data within Salesforce. Next, be able to prove why the data is in your possession and that proper consent was obtained for the collection of this personal information. If data is being shared with a third party, you must be able to prove that a data removal request is complete. Personal information must also be corrected upon request so, for example, if a contact changes their email address this information must be relayed through your systems and to any third parties. Ease of data access is key in order to comply with Right to Access - providing an electronic copy of a person’s data upon request. How long should data be retained? Many marketing organizations prefer to keep personal information indefinitely for analytical purposes, but this practice is very risky. Companies are obligated to erase personal data when “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed” - GDPR Article 17 Right to erasure. For example, if a person applies for a mortgage but decides to use another lender, the “purpose” would be completed the moment the application is withdrawn. Should this data be kept for analytics? Marketing may say yes but to be in compliance with GDPR, you must be very careful with what data is retained and for how long. A best practice is to remove or obfuscate any personal data.

Processes & Procedures

“ ” The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben): http://www.salesforceben.com/gdpr-salesforce-ebook/

Once you know where personal data is stored systems must be put in place to allow individuals to request a copy of their data. A simple method to find, provide, remove, and obfuscate personal data is key. The GDPR provides a fairly narrow timeline for responding to data requests - 30 days in most cases. Data must also be in a “commonly used and machine-readable format” - GDPR Article 20 “Right to data portability.” Data removal Salesforce provides guidance on data deletion, however locating the exact places where personal data is stored within Salesforce can be a challenge. How can you find every instance of a particular email address within an attachment body? If you are using data integration services, such as email to Salesforce, the challenge of data location increases exponentially.

4 ©2018 Capstorm, LLC | www.capstorm.com

Reference advice from Salesforce: Delete Personal Data https://help.salesforce.com/articleView?id=data_deletion.htm&type=5 Removing or deleting data can have its own set of consequences due the the hierarchical structure of Salesforce. A better approach to outright deletion is data obfuscation. Obfuscation can take personal data and transform it so that it still passes validation rules and can be used for reporting, without violating GDPR regulations. An example: a lead requests to be removed from all marketing communication. You may wish to retain the fact that you had 2,000 leads generated from a particular marketing campaign, along with some non-personal items such as city and country. The individual lead, however, must have obfuscated data in the name, email, and phone fields. Instead of deleting the lead entirely, obfuscate. Capstorm has a solution for finding all occurrences of a personal identifier and obfuscating the results within Salesforce. Reference - How can Capstorm help? later in this document.

Considerations with 3rd Party Vendors & Consultants If your business is sharing data with a 3rd party vendor, GDPR compliance carries a more hefty burden, and you may have liability for a third party’s actions. Consider what personal data is shared, why it is shared, and how it is used by the vendor.

“ ”

https://www.infosecurity-magazine.com/opinions/thoughts-gdpr-third-party/

5 ©2018 Capstorm, LLC | www.capstorm.com

One solution is to keep data in-house as much as possible, and only share data containing obfuscated personal information. Instead of allowing a consultant to view and extract data from Salesforce production, create a test data set for the consultant while transforming sensitive fields. Consider an on-premises Salesforce backup solution (such a Capstorm’s CopyStorm) to ensure that only your team has access to your data. Additional items to consider:

1) Is any personal data processing outsourced by the 3rd party? If so, do you know who is accessing the data and are all of the parties located in a country that follows strict data regulations? Consider the difficulty of complying with data removal/deletion if you do not know who actually has the data...

2) Are contracts in place to lower your liability? Be aware that you may not be able to completely eliminate your liability even with a contract requiring that the 3rd party follow GDPR regulations.

3) How long will it take to get your data from the 3rd party? You have a limited window of time to prove that you have cleansed personal data. Waiting for a 3rd party to return data can quickly consume the response period.

4) Is there a simple way to prove that data has been removed or obfuscated? Do you have a view into the 3rd party’s databases? One major advantage to keeping personal data in-house is the ease of proving data removal.

5) What is the notification procedure in case of a data breach? You may have 72 hours or less to announce the breach under GDPR. Historically, revealing a breach is hard to admit because it throws doubt on the 3rd party’s security and credibility. See more below…

Consider Equifax - A data breach was discovered on July 29th. The public was not informed until September 7th. The timeliness of this announcement would likely have impacted Equifax strongly if Equifax was under GDPR regulations. A fine can be up to 20 million euros or 4% of the prior year’s worldwide revenue - Ouch! http://money.cnn.com/2017/09/08/technology/equifax-hack-qa/index.html

Factors Outside of Your Control Despite your best efforts, factors outside of your control may have an impact on GDPR compliance.

● Consider Microsoft’s case with the US Supreme Court. Depending upon the ruling, Microsoft may have to violate GDPR by providing the US with emails, stored on a server in Ireland.

http://money.cnn.com/2018/02/25/technology/microsoft-us-supreme-court-data-sharing/index.html ● Complete control over data with 3rd party vendors may not be possible and even the best

security systems can be breached. ● Identifying all instances of personal data is extremely difficult and data repositories may be

overlooked. (Perhaps a former employee did not surrender a phone or laptop that contained customer home numbers and email addresses….)

● GDPR legislation has yet to be tested in a court of law. Early lawsuits may have substantial bearing on how the law is applied in reality. It behooves every company to actively monitor the legislation as it matures while ensuring to the best of your ability that GDPR is closely followed.

6 ©2018 Capstorm, LLC | www.capstorm.com

How can Capstorm help? Capstorm’s CopyStorm/Search application empowers you to find all occurrences of a piece of personal data within Salesforce. How? CopyStorm first recreates your Salesforce database in a local relational database. CopyStorm/Search analyzes the data, using criteria that you specify. This search goes beyond field data into items that are difficult to search natively within Salesforce such as CaseEmail threads. You can then choose which data to obfuscate within your Salesforce and select a data transformer. Data can also be obfuscated with a value that you choose. A few obfuscation examples:

1. A standard method to obfuscate emails: drew@capstorm.com may be replaced by accountmanager@capstorm.com , inserting the individual’s title instead of their name. All instances of “Drew” are replaced by “accountmanager” thus ensuring that your data remains connected.

2. Replacing all instances of a name in a standardized format. All instances of ‘Thomas Smith” may be replaced with “Patient367.”

3. A dictionary substitution for Salesforce sandboxes: Transform personal data into data that looks real, but does not reference the original data subject. All instances of “Mary” are replaced by “Michelle”- a randomly chosen name that starts with the same letter.

For a personal introduction to CopyStorm/Search, contact info@capstorm.com

Resources You can read the full transcript of the legislation at https://gdpr-info.eu/ . Please note that all information within this paper is to be considered informative and should not be taken as legal advice. Take the Trailhead Module - European Union Privacy Law Basics or reference these sites for additional information:

● https://www.salesforce.com/gdpr/overview/ ● https://www.eugdpr.org

Articles & Websites GDPR Portal https://www.eugdpr.org/ Information Commissioner’s Office https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf GDPR Superheroes https://www.gdprsuperheroes.com/5-steps-for-admins/

7 ©2018 Capstorm, LLC | www.capstorm.com

Personal Data Definition https://www.gdpreu.org/the-regulation/key-concepts/personal-data/ The Greatest Practical Guide on GDPR & Salesforce (Salesforce Ben) http://www.salesforceben.com/gdpr-salesforce-ebook/ InfoSecurity: Top Thoughts for GDPR Third-Partyt Management https://www.infosecurity-magazine.com/opinions/thoughts-gdpr-third-party/ Equifax data breach: What you need to know http://money.cnn.com/2017/09/08/technology/equifax-hack-qa/index.html Supreme Court to hear high-stakes Microsoft case testing email privacy http://money.cnn.com/2018/02/25/technology/microsoft-us-supreme-court-data-sharing/index.html

GDPR Legislation Intersoft Consulting - GDPR legislation in an organized / searchable format https://gdpr-info.eu/

Salesforce.com Articles Salesforce’s GDPR Information Page https://www.salesforce.com/gdpr/overview/ Salesforce GDPR Key Facts https://www.salesforce.com/content/dam/web/en_us/www/documents/white-papers/gpdr-fact-sheet.pdf Salesforce GDPR: Fiction versus Fact https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/gpdr-fiction-versus-fact.pdf

About the Author Rebecca Gray is part of the Capstorm team, the industry leader in Salesforce backup & restore. She is a certified Salesforce Administrator and a leader of the St. Louis Salesforce user group. Rebecca also authors the Trailhead Baby blog, (trailheadbaby.blogspot.com) a site dedicated to all things Trailhead with tips & tricks for difficult trails. Rebecca can be contacted @RebeccaGray on the Salesforce success community or by emailing rebecca@capstorm.com . Explore Capstorm’s Salesforce backup and recovery solutions at www.capstorm.com .

8 ©2018 Capstorm, LLC | www.capstorm.com