The new EU Privacy Regulation, the GDPR, will come into effect on May 25th 2018. This much-anticipated new law has been the subject of discussion, but what exactly is it, to whom does it apply and how should you prepare your organization?
GDPR stands for General Data Protection Regulation; this new law is meant to protect EU citizens’ personal data. Let’s start at the beginning: what precisely is personal data? This term covers all personal information that can be used to identify an individual directly or indirectly, such as a name, telephone number, place of birth, date of birth etc.
And why is new legislation needed to protect our personal data? Currently, all EU countries have their own privacy laws, based on the European directive from 1995. That directive dates from the early days of the internet, and so many developments have occurred since then that the decision to review and adapt these rules was logical.
One of these developments is that organizations today collect and share more personal data than ever before. The number of data leaks has also increased, for example through ransomware. In The Netherlands alone, this happened over 2,300 times in the first quarter of 2017 (source: Dutch DPA), presenting serious challenges when it comes to the protection of personal data.
Whereas the data processing principles remain basically unchanged in the Netherlands, there are differences in relation to current legislation. The new principle of accountability has been added, meaning you must be able to present documented evidence of having taken adequate organizational and technical measures to comply with GDPR.
The rights of the data subjects have been further expanded, and now include the ‘right of access’, the ‘right to rectification’, the ‘right to restriction of processing’ and the ‘right to be forgotten’. Among other things, this means that the data subject can demand access to all their personal data stored by that organization, and can request that data be amended, removed or made portable, e.g. by download. Before an organization can process a data subject’s personal data, permission needs to be given by the data subject. On this point the GDPR specifies that appropriate measures must be taken to inform the data subject in an easily accessible manner, using plain language.
For the complete information surrounding the new GDPR, please visit the Official GDPR website of the EU.
GDPR’s focus on protecting personal data is bound to affect your organization. Any organization that processes personal data of EU citizens will need to comply. The assumption that GDPR applies only to the B2B market is false. The law was designed to protect personal data of all EU citizens, including your own employees, clients and partners. Depending on the sort of personal data your organization processes and to what end, certain parts of the GDPR apply. Getting expert advice on such details is important.
On the policy, organizational and technical levels, you will need to take certain measures. You should consider data classification, actors and stakeholders within your organization, the objectives you have for processing the data, the data life cycle, as well as managing the impact, setting up internal and external communication, creating awareness inside your organization and a plan for managing possible security incidents.
Although the main focus should not be on technology but rather on policy, as your Salesforce partner we feel this issue deserves attention in this blog. Once you have determined what personal data you collect and process and to what purpose, we can determine what changes, if any, are required in your Salesforce environment. We can advise you on issues like removal of personal data at the request of involved parties, anonymization and pseudonymization of personal data, recording verifiable permission, data portability etc.
GDPR is aimed primarily at protecting your consumers. Indeed, this implies certain obligations on your part but when the processing of the personal data and its purpose are well thought out in advance, the technological aspect is a matter of logical implementation.
For more information and advice on GDPR & your Salesforce environment, feel free to call us at 020- 750 8350.
Finally, the above text contains personal opinions and insights. Gen25 highly recommends that you seek legal counsel on GDPR compliance. For more information on GDPR and what you can do for your organization, these are some useful links: the Official GDPR website of the EU, the Salesforce Website on GDPR, or take the Salesforce Trailhead on GDPR.