Using Salesforce to Address Data Privacy Regulations

Michelle Medina
Cervello, a Kearney Company
9 min read · Aug 4, 2020

Privacy laws around the world protect individuals’ personal information, but because these laws vary widely, global organizations face an array of challenges in staying compliant. So, how can you follow all the privacy laws in every country where your business operates? In this article, we discuss some of the most common laws and offer some good compliance practices along with a solution that addresses your customers’ right to be forgotten.

Before making any changes, check with your legal team or hire a legal IT team to assess where your organization stands and where it needs to be. This article does not constitute legal advice. Privacy laws are complex, and while we explore some key concepts in this article, no one document can cover every potential small (but important!) detail as it applies to every organization.

Although privacy laws differ, most focus on the following aspects:

· How personal information can be collected

· How personal information can be used

· How and with whom personal information can be shared

· Where and how personal information can be stored

· How personal information must be secured

· When to delete or amend personal information

· If and how personal information can be transferred to other countries

· How breaches of personal information are reported

· What rights individuals have regarding their personal information

Let’s take a closer look at the most prominent privacy laws before exploring some good practices and tips for compliance.

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) establishes rules for how companies, governments, and other entities can process the personal data of individuals in the European Union. The GDPR passed the European Parliament in 2016, and all organizations were required to be compliant by May 25, 2018.

You may be wondering who this law applies to. Great question! If your organization processes the personal data of EU citizens or residents or if you offer goods or services to EU citizens or residents, then the GDPR applies to you even if your organization is not located in the European Union.

The GDPR focuses on seven principles:

· Lawfulness, fairness, and transparency. Organizations must process data legally, impartially, and in a transparent manner.

· Purpose limitation. Organizations can collect personal data only for specified legitimate purposes.

· Data minimization. Organizations can only collect personal data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.

· Accuracy. Personal data must be accurate and kept up to date.

· Storage limitation. Organizations can only store personally identifying data for as long as necessary for the specified purpose.

· Integrity and confidentiality. Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality, such as by using encryption.

· Accountability. The data controller is responsible for demonstrating GDPR compliance with all these principles.

Violations will result in extremely high fines, which are broken down into two tiers. Less severe infringements could result in a fine of up to €10 million or 2 percent of the firm’s worldwide annual revenue, whichever is higher. More serious infringements could result in a fine of up to €20 million or 4 percent of the firm’s worldwide annual revenue, whichever is higher.

The GDPR also gives individuals the right to control the personal data they provide:

· The right to be informed

· The right of access

· The right to rectification

· The right to erasure

· The right to restrict processing

· The right to data portability

· The right to object

· Rights related to automated decision-making and profiling

The GDPR consists of hundreds of pages of requirements for organizations to comply with. We have offered a high-level summary here, but if your organization is affected by the GDPR, we strongly recommend that you consult with an experienced lawyer for guidance. Check out this site for more details: https://gdpr.eu/what-is-gdpr/.

The California Consumer Privacy Act

Although the United States has some data privacy laws related to healthcare and financial services, there is no broad federal law equivalent to the GDPR. California is one of the first states to enact a similarly ambitious law that aims to protect its citizens’ personal information.

The California Consumer Privacy Act (CCPA) protects the data privacy of technology users and others by imposing rules on companies that collect, use, and share California residents’ personal data. This law applies to companies that do business in California, regardless of where the company is located, and meet any of the following criteria:

· Annual gross revenues of more than $25 million

· Buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices a year

· Derive 50 percent or more of annual revenues from selling consumers’ personal information

Signed into law in 2018, CCPA requires businesses to inform residents about how their data is being collected and processed, including the following protections for consumers resident in California:

· Businesses must disclose to a requesting consumer the categories and specific pieces of personal information the business has collected.

· At or before data collection, businesses must inform consumers about the categories of personal information to be collected and the purposes for which the information will be used.

· Businesses must disclose and deliver, for free, personal information as requested by consumers. However, businesses are not required to provide personal information to a consumer more than twice in a 12-month period.

Under this law, California citizens are granted rights in relation to the personal information that is being collected about them, including the following:

· Know what personal information is being collected about them

· Know whether their personal information is sold or disclosed and to whom

· Say no to the sale of personal information

· Access their personal information

· Receive equal service and price, even if they exercise their privacy rights

Like the GDPR, the CCPA breaks down its fines into two tiers: unintentional and intentional violations. For unintentional violations, the maximum fine is $2,500. For intentional violations, the maximum fine is $7,500.

Something of greater financial concern to businesses is the fact that the CCPA allows California citizens to bring lawsuits for the breach of their “non-encrypted or non-redacted personal information,” even in the absence of evidence of actual damage. Consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive a larger amount. Given the possible risks of private lawsuits, proper data security should be a top priority for any business subject to the CCPA.

In terms of processes and controls, being GDPR compliant goes a long way toward CCPA compliance. For more information about the CCPA, check out this site: https://oag.ca.gov/privacy/ccpa.

Key US Privacy Laws

Since the United States follows a sectoral approach to privacy regulation, the country has many federal laws focusing on certain industries that have privacy implications, some of which specify data types that are particularly sensitive and therefore require more protection. In this section, we highlight some of the key privacy laws that affect a variety of industries:

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM). Under CAN-SPAM, commercial emails must have a clear, accurate subject line, a postal address for the sender, disclosure of the email’s promotional nature, and a way for recipients to opt out of similar messages from the sender at no cost.

Children’s Online Privacy Protection Act (COPPA). COPPA requires that operators of websites and online services obtain verifiable parental consent prior to collecting a child’s personal information. They must also provide parents with additional rights regarding the disclosure and deletion of the child’s information.

Electronic Communications Privacy Act (ECPA). ECPA regulates the collection and use of phone, text, and other online communications when they are made, transmitted, or stored electronically.

Fair and Accurate Credit Transactions Act (FACTA) and Fair Credit Reporting Act (FCRA). Both laws regulate the creation and use of consumer reports pertaining to individuals’ credit or general characteristics that are used to establish eligibility for credit, insurance, employment, or another business purpose.

Family Educational Rights and Privacy Act (FERPA). FERPA provides students with the right to access, amend, and control the disclosure of records that directly relate to them and that are maintained by or on behalf of a school.

Health Insurance Portability and Accountability Act (HIPAA). HIPAA imposes a variety of requirements on certain businesses in the healthcare industry regarding the security and privacy of protected health information.

Privacy Act. The Privacy Act governs federal government agencies’ collection, maintenance, use, and disclosure of personally identifiable information stored in their records.

Telephone Consumer Protection Act (TCPA). TCPA regulates and restricts telemarketing solicitations and the use of automatic telephone equipment, such as dialing systems and prerecorded messages.

Gramm–Leach–Bliley Act (GLBA). GLBA regulates US companies and their affiliates that provide financial products or services to consumers. GLBA requires these companies to provide initial and annual privacy notices that outline their data collection, use, and disclosure practices. It also requires them to protect such data with administrative, technical, and physical security controls.

Clearly, there are many laws out there with a variety of goals, rules, and enforcement mechanisms. A common theme across these laws and their enabling regulations — for example, in HIPAA and the Privacy Act — is the management of individuals’ data and the proper disposal of that data. Make yourself aware of which specific laws apply to you and your organization. Complying with these “tent-pole” laws and regulations will generally make it substantially easier to comply with niche or domain-specific rules and regulations.

What Next?

After this whirlwind tour of (some of) these privacy laws, the compliance process might feel overwhelming. But there are some strategies your team can leverage to drive compliance:

· Establish ownership. Get buy-in, and build your team. Make sure leadership is aware of the importance of following regulations, and identify the core team to work on compliance.

· Assess your organization. Analyze your existing privacy and security efforts to identify the top areas of focus.

· Understand your data. Evaluate the type of data you have and where it comes from.

· Look at your exposure. Examine your contracts with vendors, partners, and third-party processors.

· Analyze the gap. Understand where your organization stands in terms of compliance, and identify where you need to be.

· Establish controls and processes. Create a road map of necessary operational and technological changes.

· Ensure document compliance. Document your compliance, for example, with privacy notices, consent forms, and written policies.

The most challenging areas of action are often in devising the controls and technology changes needed to meet the requirements of data privacy. Below is an example of both the controls and the technological and functional processes that can be put into place:

One challenge that we have seen companies struggle with is the need to be able to purge systems of customer data. Many companies have convoluted manual processes to demonstrate compliance. This is both inefficient and potentially flawed, resulting in customer data not being found or deleted when required.

A powerful solution for data privacy

At Cervello, we are experts in the development and management of Salesforce. Our clients typically manage large amounts of customer data, and it is crucial to keep in mind that privacy rules apply. Many regulations, such as the GDPR, require the ability to purge customer data from your systems. We understand that it can be difficult to ensure compliance while also performing your day-to-day tasks.

We can make things easier for you with our Heroku archiving solution. This solution will give you peace of mind as it has been built to perform purging and archiving tasks. It’ll benefit your organization in multiple ways:

· Efficiency: automated archiving and purging of customer data

· Risk mitigation: no need for a manual process and human error risks

· Compliance: robust and protected solution, meeting current standards

In addition to solving the “right to be forgotten” issue — also known as right to erasure — with our purge feature, our full solution includes an archiving function. The solution is based on using Salesforce and Heroku application components to help manage the Salesforce data across both the multi-tenant platform environment and Heroku data storage in Postgres. The main features of the full solution include:

· View archived data via Salesforce Connect and a Heroku Connect OData endpoint.

· Archive, unarchive, or purge data based on business and compliance requirements.

· Schedule recurring batch jobs for archive, unarchive, and purge processes.

· Maintain relationships between Salesforce objects and archived records.

· Support for both standard and custom objects in Salesforce.

· Intuitive UI to manage object configuration, job configuration, and scheduled batches.

If you want to learn more about how our archiving solution works or how to apply this tool to the “right to be forgotten” challenge, visit our website at https://mycervello.com/get-in-touch/. We look forward to hearing from you and creating something big together.

About Cervello, a Kearney company

Cervello is a data and analytics consulting firm and part of Kearney, a leading global management consulting firm. We help our leading clients win by offering unique expertise in data and analytics, and in the challenges associated with connecting data. We focus on performance management, customer and supplier relationships, and data monetization and products, serving functions from sales to finance. We are a Salesforce partner and help our clients implement, customize, and optimize the platform into the best solution for their needs.