The General Data Protection Regulation (GDPR) ushers in a new era in data privacy. As the #1 CRM platform, Salesforce provides companies like yours with the tools to build trust while enhancing customer experiences. Gain increased transparency and control of your customers’ data, all while harnessing the power of that data to connect with customers in new ways.
 
 
As of May 25, 2018, a new landmark privacy law called the General Data Protection Regulation (GDPR) is in effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. How does this affect your company?
 
 
The GDPR is a comprehensive data protection law in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
 
The key changes are the following: expanded data privacy rights for EU individuals, data breach notification, and added security and accountability requirements for organizations. The GDPR also officially recognizes Binding Corporate Rules as a means for organizations to legalize transfers of personal data outside the EU, and includes a fine of 4% of global revenue for organizations that fail to adhere to their GDPR compliance obligations. Overall, the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Salesforce’s data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.
 
 
Is your organization struggling with how to approach the GDPR? PwC shares four key steps that will get your teams moving in the right direction and will help remove roadblocks.
- Raise awareness of the importance of GDPR compliance with organization leaders
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort in becoming GDPR-compliant
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organization
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organization stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organization’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessments process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments
 
 
“We are committed to our customers' success, including compliance with the GDPR.”

Amy Weaver, President, Legal and General Counsel
 
 
Take our “EU Privacy Law Basics” Trailhead module. The module is a free, guided learning path that helps you learn the essentials of the GDPR in the shortest amount of time. Consider it your personal game plan for exploring what the GDPR is. Additional information about the GDPR is available on the official GDPR website of the EU.