If data privacy compliance is keeping you up at night, consider that your CEO, CISO, and legal team may be feeling under siege at the challenge of becoming GDPR-compliant.
But consider the alternative to compliance. The Ponemon Institute, in December, 2017, found that the average cost of compliance in fiscal year 2017 was $5.47 million, with companies allocating 14.3 percent of their IT budget to compliance spending. The average cost of noncompliance during the same 12-month period was $14.82 million. It’s either “pay now, or pay much more later.”
Compounding and complicating the problem, organizations of all kinds, even today, collect and store vast amounts of personal data, often without a clear definition or any control of why, how, and by whom the data will be used.
It’s no surprise that Salesforce collects vast amounts of data, irrespective of the type of organization. But it may come as a surprise that much of that data is personal data. In a Salesforce Research survey, 86 percent of respondents said that if they trust a company, they’re more likely to “share their experiences,” and that number goes up to 91 percent among millennials and Gen Zers.
But perception becomes reality: Salesforce also found that 59 percent of respondents believe their personal information is vulnerable to a security breach, while 54 percent believe that the companies with that data don’t have their best interests in mind.
But GDPR is designed to give EU citizens greater control over their personal data than ever before. For companies that collect data of any EU citizen, it means a major shift in how they manage and control data.
And the benefits extend to the U.S. The number of US-based enterprises using Salesforce dwarfs the number of users in all of Europe, and of any other nation in the world. As of March 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, had enacted breach notification laws that require businesses to notify consumers if their personal information is compromised. Clearly, GDPR is a boon to users, but it can imperil enterprises.
Enterprises may find themselves compromised by the challenge of meeting the requirements of GDPR. One very immediate concern: how can they extract personal data from business data without losing the vital data they need to run their businesses? Whether they adopt the “letter of the law” of GDPR, or just its intent, their concern is well founded. Under GDPR:
It’s a scant six months since GDPR was enacted, and yet an entire 88-page blueprint for compliance is in the public domain. For the sake of compliance personnel, we have spelled out eight considerations of compliance, focusing on security and data management, in the Odaseva Data Success platform:
Personal Data Backup. You must back up the personal data of data subjects GDPR Article 32-1.c Backup personal data in case users, admins or integrations corrupt Salesforce data.
Data Breach Detection. You must detect data breaches to notify supervisory authorities GDPR Article 33.1 Get alerts when personal data is massively corrupted (i.e. Ransomware), deleted or downloaded (with Shield Event Monitoring).
Sandbox Pseudonymization. You must implement Data Minimization with measures such as pseudonymization GDPR Article 25.1 Anonymize personal data in your full sandbox to remove access from consultants, developers and admins. Pseudonymize it to keep valuable business data for analytics.
Right of Access. You must provide personal data access to data subjects GDPR Article 15.3 Target specific personal data from Salesforce and make it accessible to data subjects, human error free, in Salesforce, via our API, or directly in Communities.
Right to Portability. You must provide personal data in a machine-readable format to data subjects GDPR Article 20.1 Extract personal data in CSV files, excluding business records or fields belonging to your company, and make it accessible in Salesforce, via our API, or directly in Communities.
Right to Be Forgotten. You must erase personal data within 30 days when requested GDPR Article 17 Automate personal data erasure. Based on your specific data model, combine deletion, anonymization, pseudonymization and “leave untouched” at the record or field level.
Personal Data Archiving. You must keep some personal data to meet regulations or to assert a right in court GDPR Article 5.1.e, 30.1.f Set up a custom personal data archiving/retention plan and restrict access to personal data while keeping admin rights for when you need it.
Personal Data Lifecycle. You must establish a data lifecycle/retention policy ahead of processing GDPR Article 25.2, 5.1.e Set up an automated personal data storage limitation using a fully automated Hot-Warm-Cold-Forget data tiering strategy.
And how can organizations achieve full compliance with GDPR? The regulation is binding on organizations across the European Union. In the US, GDPR compliance may give way to regulations enacted by states and US territories. Still, European organizations may require that US companies with which they do business meet all the security and data management requirements of GDPR.
Companies everywhere would do well to remember that customers are in the driver’s seat and can take their business where they know their data will be secure.
This is the first of two blogs on GDPR from Odaseva. The second will delve more deeply into specific requirements of GDPR: