What does “privacy by design and by default” mean? Here’s what Salesforce users preparing for the GDPR need to know about one of the most important compliance requirements.
The General Data Protection Regulation (GDPR) is set to strengthen the protection of personal data in a time of increased concern over privacy, rapid cloud computing adoption by enterprise companies, and a rise in headline-grabbing data breaches. It will regulate any organization that collects, stores, transfers, or uses the personal data of European Union citizens, regardless of whether the organization has a physical presence in the EU. A failure to comply with the many requirements means steep fines.
One of the fundamental requirements to meet GDPR is data protection. Specifically, Article 25 of the GDPR mentions “data protection by design and by default”. This addresses the need of the data controller (i.e., the organization collecting and processing personal data) to implement vital technical and organizational measures, such as pseudonymization (the encryption of personal data so it cannot be linked back to data subjects), and other data protection principles, such as data minimization (storing only relevant data necessary for the intended purpose), in an effective way, in order to protect the rights of data subjects and to meet GDPR requirements.
Basically, “data protection by design and by default” means organizations must be proactive, not reactive, when it comes to privacy. For example, when companies create a new feature, policy, product, or technology, data protection must be part of the design from the beginning. New applications, systems, or services that collect and process personally identifiable information must also be designed with data minimization in mind, alongside the protocols and tools necessary for protecting that data. In the context of the GDPR, data security and pseudonymization should be the key design components in a company’s IT architecture from the start.
In the context of Salesforce and similar customer relationship management (CRM) software, system administrators should implement data minimization and design protocols that only give users access to the data that’s relevant to their work and restrict access to other data types as much as possible. Salesforce has numerous built-in features that allow for this kind of data handling, including multiple levels of data access configuration, the ability to maintain lists of authorized users, password policies, and limiting login access to certain hours and locations. Admins should consider who has access to what kind of data and ensure that all traffic is tracked with an audit trail, so that the record is available for notification purposes in the case of a breach.
For pseudonymization, a central component for maintaining GDPR compliance, a data protection platform such as eperi Cloud Data Protection for Salesforce can fully render sensitive information unreadable before it’s sent to Salesforce. Only authorized users who hold the encryption keys can read the data. To ensure data never falls into the wrong hands, eperi Gateway gives you sole control of the encryption keys, so only you control your company’s data protection processes, which ensures GDPR compliance requirements are met without sacrificing Salesforce functionality. For maintaining a “data protection by design and by default” philosophy at your organization, consider combining your CRM software with eperi Gateway to maintain GDPR data compliance.