Yes, the GDPR will change your obligations. Here’s how to keep up

We have another acronym for you to contend with – it’s GDPR – the European General Data Protection Regulation (

Chances are, ‘GDPR’ is already in your company’s lexicon. The 25 May 2018 implementation date is just around the corner, and the GDPR is being widely discussed in the media and among government leaders, and leading companies like Salesforce are breaking down the issue and helping show the way forward.

GDPR is more than just adding another acronym to the discussions – it’s bringing real changes to your organisation. Wired magazine put it succinctly:
“Yes, GDPR is going to affect your company.” Elizabeth Dunham, the UK Information Commissioner, urges businesses not to see the new policy as big and scary, although she admits it’s a serious change in practices.

It’s manageable.

We have a solution for you. In fact, this is an opportunity to step up and lead your sector.

Let’s have a look at how this could play out.

Does the GDPR apply to you?

The GDPR protects the personal data of EU individuals, and it doesn’t matter where your organisation is located. If you market to, track or handle EU personal data, the rules apply to you.

And before you jump ahead and claim a “Brexit exemption,” let’s just say plainly that the GDPR will almost certainly apply to firms in the UK.

All the momentum is taking us there.

Just consider the business environment:
  • The UK will still be in the EU when the law takes effect on 25 May 2018
  • The UK government has stated its intent to align our national rules with the EU standard
  • If your company is processing data for customers in other European countries, then you’re captured

The bottom line is: Companies that fail to achieve compliance before the 25 May 2018 deadline will be subject to penalties and fines.

What are your obligations under the GDPR?

The GDPR regulates the “processing” – including the collection, storage, transfer or use – of personal data about EU individuals.

With more than 99 articles, the GDPR is a thick stack of requirements. We’ve broken the GDPR down by its fundamental principles to help identify the key areas your organisation should understand.

They are outlined here:

Fairness and Transparency – Organisations can only collect personal data for specified, explicit and legitimate purposes.

If you collect someone’s personal data to maintain their account, you cannot sell his or her information to another company unless you disclosed that from the outset.

Data Minimisation – Organisations can only collect data that’s adequate, relevant, and limited to what’s necessary for the intended purpose.
For example, if a person downloads your app and sets up an account, you can only collect information that’s relevant to service that customer.

The app cannot do things like record the person’s location, access their contacts or collect information about other apps on the phone.

Accuracy – Personal data must be accurate and kept up-to-date. The tricky part comes when you have multiple systems.
E.g., separate lists for customer, sales prospects, marketing campaigns – and you will be required to keep the data up-to-date across these different lists.

Data Deletion – You may keep the personal data for only as long as it’s needed to fulfill the original purpose.

If a customer closes their account, you must delete all the information held in that account. This will give people the right to erasure, where they can ask you to “forget” them by erasing their data.

Security – Security is a big part of GDPR. As the controller of personal information, you must use appropriate security measures to protect against unauthorised processing, accidental disclosure, access, loss, destruction and/or alteration.

GDPR requires you to publish notifications of any data security breaches. At the same time, it encourages “pseudonymising” data – replacing a key value so the data subject cannot be immediately identified – as a way of protecting the information.

Accountability – As a data controller, you are responsible for implementing measures to ensure the personal data handling complies with GDPR principles.

Staying accountable includes appointing a Data Protection Officer to oversee the compliance activities, and putting contractual obligations on your suppliers and partners to meet the GDPR standards

Salesforce is a compliance tool

As the world’s leading Customer Relationship Management (CRM) platform, Salesforce has been leading the way in delivering effective solutions that meet the changing data privacy requirements.

We’ve seen in the past couple of years, Salesforce has made some significant achievements on the data privacy compliance front.

  • November 2015, Salesforce became the first top-ten software company to achieve approval for binding corporate rules for processors from European data protection authorities.
  • In August 2016, Salesforce became one of the first companies to certify compliance with the EU-IS Privacy Shield Framework.

Also, as a growing company, there is personal data contained in your customer information, mailing lists, campaigns, sales forecasts and industry data.

Furthermore, It’s your responsibility to meet the GDPR compliance standards and make sure your company is using the latest data protection practices.

Ceterna can help

To learn more, visit the Salesforce GDPR page, or contact Ceterna today.