Salesforce Trust


General Data Protection Regulation

Beginning May 25, 2018

How to Prepare for the GDPR

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) will take effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Salesforce is committed to helping our customers comply with the GDPR through our robust privacy and security protections.

I’m a Salesforce customer -  how can I prepare for the GDPR? 
Find everything you need to know to prepare for this law on the GDPR homepage.


Fast Facts About the GDPR

What is the GDPR?

The GDPR is a new, comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

The GDPR regulates the processing—which includes the collection, storage, transfer or use—of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

What security measures do I need to put in place as a result of this new law?

Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.

Here are a few suggested measures that organizations can put in place to protect personal data:

  • Encryption: Although not required, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data.
  • Pseudonymization: The GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals.
  • Anonymization: One step up from pseudonymization, anonymizing data is the most secure way to protect personal data. To be considered truly anonymous, it must be impossible for any individual to be identified from the data by any further processing or by combining data with other information.
  • Accountability: Under the GDPR, a data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments.

     It is important to note that according to the GDPR, data controllers must report any data breach to their data protection authority as soon as possible, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. Data processors must also notify data controllers of data breaches as soon as possible.

European Union Privacy Law Basics