How Salesforce Can Help with GDPR Compliance


Not all that long ago, the end of the world was a trending topic. You probably remember: December 21st, 2012. According to some, we poor earth dwellers were speeding toward a date that would bring our doom.

In the end, of course, the hubbub was for naught, just like Y2K before it. Over five years later, the world has yet to end (knock on wood).

However, there is another significant date on the horizon, looming for businesses across the globe like an oncoming migraine, and this one will bring a guaranteed change. I’m talking about May 25, 2018, the day the GDPR takes effect.

What is the GDPR?

Broadly speaking, the European Union’s General Data Protection Regulation, or GDPR, is meant to provide residents of the EU with greater control of their personal data and better protection from increasingly pervasive data breaches. While the U.S. tends to regulate individual privacy in business by sector, the EU is taking a much more comprehensive approach.

When it comes to the parties involved, there are three key terms to know: data controller, data processor and data subject. Let’s say Company X designs and sells mobile apps, and they use Agency Z to market those apps via email and social campaigns. In this example, Company X is the data controller, and Agency Z — at least in regard to the consumer information gathered via those campaigns — is the data processor. As for the data subject, that’s the consumer.

Under the GDPR, data controllers are responsible for upholding the rights of data subjects, even if the data is stored on servers belonging to the data processor. Failure to protect these rights could result in a massive fine: Up to 4% of annual global turnover or 20 million euros (whichever is greater).

Now, if you’re an American, you’re probably about ready to stop reading, but you shouldn’t. The GDPR applies not only to companies in the European Union, but to any company that collects personal data or behavioral information from someone in an EU country. And that means any data, whether or not a financial transaction has taken place (think marketing surveys, etc.).

How do you become compliant?

To make sure your business is fully GDPR compliant, you’ll need to be able to meet particular requirements across a number of separate protections, as outlined below.

  • Breach Notification: In the event of a breach that’s likely to “result in a risk for the rights and freedoms of individuals,” you must notify data subjects within 72 hours.
  • Right to Access: You must be able to confirm whether a data subject’s data is being processed, and if so, where and for what purpose.
  • Data Portability: You must be able to provide a data subject’s data in a commonly used electronic format (CSV, JSON and XML).
  • Right to Be Forgotten: If a data subject wishes to have her/his data erased, you must be able to comply.
  • Privacy by Design: When building your system and processes, you must keep the above requirements in mind.

If you currently do business with any country in the European Union and you know you’re not able to manage data in a way that makes the above protections possible, then you will not be GDPR compliant.

How can Salesforce help you become compliant?

As a CRM platform, Salesforce gives you control of customer data in a way that makes it much easier to comply with many of the GDPR’s individual requirements. For instance, with Salesforce you can:

  • Easily identify records in a single shared database
  • Extract data via both UI-driven and API-driven methods, then export into common formats such as CSV, JSON and XML
  • Delete customer data or give customers the power to delete their own data

Because of Salesforce’s vast potential for security customization, it can be built to suit the particular data privacy needs of your organization.

Will you be ready?

May 25, 2018 is coming up fast. Is your business ready to manage data in a way that will protect you from costly fines? If not, it isn’t the end of the world — but it is time to make a change. Let us know if you’ve got questions about building a Salesforce org that will help you maintain compliance.