On May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located. Salesforce is here to help our customers in their efforts to comply with the GDPR through our robust privacy and security protections.
 
A new comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
The GDPR regulates the “processing,” which includes the collection, storage, transfer or use, of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

The GDPR provides more privacy rights to EU individuals and places significant obligations on organizations. Some of the key changes are:

  • Expanded rights for EU individuals: The GDPR provides expanded rights for EU individuals such as deletion, restriction, and portability of personal data.
  • Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
  • Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Binding Corporate Rules (BCRs): The GDPR officially recognizes BCRs (which Salesforce offers for certain of its services) as a means for organizations to legalize transfers of personal data outside the EU.
  • Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
  • One stop shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Salesforce’s data processing addendum , which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.
Take our “EU Privacy Law Basics” Trailhead module . Additional information about the GDPR is available on the official GDPR website of the EU .
 
Salesforce welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for Salesforce to deepen our commitment to data protection. Similar to existing legal requirements, compliance with the GDPR requires a partnership between Salesforce and our customers in their use of our services. Salesforce will comply with the GDPR in the delivery of our service to our customers. We are also dedicated to helping our customers comply with the GDPR. We have closely analyzed the requirements of the GDPR and are working to make enhancements to our products, contracts, and documentation to help support Salesforce’s and our customers’ compliance with the GDPR. 

At Salesforce, trust is our #1 value and nothing is more important than the success of our customers and the protection of our customers’ data. Salesforce's robust privacy and security program meets the highest standards in the industry. We have consistently reinforced our commitment to protecting our customers’ through our actions over the last few years:

  • In October 2015, within hours of the European Court of Justice invalidating the EU-U.S. Safe Harbor program, we offered all of our customers a data processing addendum that allowed them to continue to transfer data to Salesforce without interruption.
  • In November 2015, we became the first top 10 software company to achieve approval for binding corporate rules for processors from European data protection authorities.
  • In August 2016, we became one of the first companies to certify compliance with the EU-U.S. Privacy Shield Framework.

Additionally, Salesforce's Trust and Compliance documentation describes the architecture and infrastructure of our services, the security- and privacy-related audits and certifications our services have received, applicable administrative, technical, and physical controls, and sub-processors and other entities material to our services.

 

We are committed to our customers' success, including compliance with the GDPR.”

President, Legal and General Counsel, Amy Weaver
 
  • Raise awareness of the importance of GDPR compliance with organization leaders  
  • Obtain executive support for necessary staff resources and financial investments
  • Choose someone to lead the effort
  • Build a steering committee of key functional leaders
  • Identify privacy champions throughout the organization 
  • Review existing privacy and security efforts to identify strengths and weaknesses 
  • Identify all the systems where the organization stores personal data and create a data inventory 
  • Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
  • Document Compliance
  • Ensure privacy notices are present wherever personal data is collected
  • Implement controls to limit the organization’s use of data to the purposes for which it collected the data
  • Establish mechanisms to manage data subject consent preferences
  • Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
  • Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
  • Enter into contracts with affiliates and vendors that collect or receive personal data
  • Establish a privacy impact assessments process
  • Administer employee and vendor privacy and security awareness training
  • Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
  • If required, appoint a data protection officer and identify the appropriate EU supervisory authority
  • Conduct periodic risk assessments
 
 
Salesforce is leveraging the power of our Customer Success Platform to provide customers with a free resource to learn about the GDPR with a Trailhead module titled “EU Privacy Law Basics,” the first installment in our new “Learn Privacy and Data Protection Law” trail. The module provides detailed information in the requirements of the GDPR, provides tips on what organizations can do to begin preparing for the GDPR, and explains how Salesforce can help customers comply with GDPR requirements. 
Salesforce has published an updated data processing addendum containing revised or additional provisions to assist customers with their compliance with the GDPR.
 
Salesforce maintains detailed Trust and Compliance documentation that describes the architecture and infrastructure of our services, the security- and privacy-related audits and certifications our services have received, applicable administrative, technical, and physical controls, and sub-processors and other entities material to our services.