Today on the Salesforce Admins Podcast we have a conversation with Lee Aber, Chief Information Security Officer at OwnBackup, to talk about backing up your data under GDPR, when began on May 25.
Join us as we talk about the complex interactions between backups and GDPR, how to look at your data infrastructure, and understanding how to change that data.
You should subscribe for the full episode, but here are a few takeaways from our conversation with Lee Aber.
The challenge of GDPR.
“My role as CISO is to protect corporate data, as well as to protect customers’ data,” Lee says, “someone has to keep focused on the security of it, but also on the privacy aspect.” With the advent of GDPR, starting May 25th for anyone with EU customers, those are really important things to be worried about. In GDPR lingo, if you are an Admin that has their data in Salesforce and you have a sub processor (like OwnBackup) to backup your data, you are the “controller” and OwnBackup would be the “processor.”
“As an Admin, you have to determine how long you keep the data for, as well as how long they are in backups,” Lee says, “and you also need to flip it the other way around where if a customer in the EU were to submit a data subject request to opt out or correct information, know how you apply that to your corporate structure.” That means knowing what vendors you’ve shared that data with and how to get the changes you need to happen there as well.
Understand your corporate data structure.
Right now, we’re 12 days past when GDPR enforcement kicked in, so we know that companies have been working on their data structures to figure out how to comply. You have 30 days to respond to a request, and you’ll need to reach out to every vendor that works with your data in order to meet the requirements. “You have to figure out how to respond to that in a timely, efficient manner, across your infrastructure and have it actually be accurate. With a lot of companies that we work with, they know in one silo where the answer is but they don’t know, holistically, where that data is,” Lee says.
At OwnBackup, they’ve built tools into their interface to help Admins submit requests directly rather than dealing with support tickets. That starts with the ability to search everything in the database to see where someone’s data actually is, whether that’s in contacts, attachments, or anywhere else. Once you know where to find it, you can submit the request to make changes or delete it. They have joint liability for GDPR data requests, “so we try to make it as easy as possible for customers,” Lee says.
Dealing with conflicting GDPR and regulatory requirements.
Some regulatory requirements in industries, like healthcare or finance, require you to keep data around, which can obviously conflict with GDPR. Article 32, which is about security of processing, “without getting into all the legalese, I’ll just say that the processor (the SaaS backup provider) has to ensure a level of security, confidentiality, integrity, and be able to restore the data in a timely manner.”
On the flipside is Article 17, right to erasure. This can be hard to figure out if you have a regulatory requirement to make sure that you have immutable backups where the data cannot be changed or modified. For a backup provider like OwnBackup, the key is to strike a balance that honors both, making sure that data doesn’t come out but also that there’s the anonymity that customers want. “I like to joke that I had hair before this process,” Lee says.
What you can do to catch up on GDPR.
If you’re in a position that many Salesforce Admins are in, where you know that GDPR will be important but you haven’t yet gotten any requests, there are still some important things to do to get started. As mentioned earlier, the first thing is to get a good understanding of your data and how you can make the changes you need to make. After that, you need to put a retention policy in place that covers why you have that data and whether you have the right to have it. “A big component of GDPR is the minimization aspect,” Lee says, “GDPR says you can only keep data as long as legally necessary and as long as you have consent for it.”
To get caught up, there are great resources available from Salesforce, OwnBackup, and the European Commission guidelines coming out soon called “Article 29 Working Party.”
- OwnBackup for GDPR: https://www.ownbackup.com/gdpr-solution
- Salesforce GDPR Readiness: https://www.salesforce.com/gdpr/overview/
- European Privacy Law Basics module on Trailhead: https://trailhead.salesforce.com/modules/european-union-privacy-law-basics
We want to remind you that if you love what you hear, or even if you don’t head on over to iTunes and give us a review. It’s super easy to do, and it really helps more Admins find the podcast. Plus, we would really appreciate it.