What is GDPR?
The GDPR is a comprehensive data protection law in the EU that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
The GDPR regulates the processing—which includes the collection, storage, transfer or use—of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
Security Measures and Reporting Requirements
Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.
It is important to note that according to the GDPR, data controllers must report any data breach to their data protection authority as soon as possible, and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. Data processors must also notify data controllers of data breaches as soon as possible.
What security measures do I need to put in place as a result of GDPR?
Although not required, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data.
The GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals.
One step up from pseudonymization, anonymizing data is the most secure way to protect personal data. To be considered truly anonymous, it must be impossible for any individual to be identified from the data by any further processing or by combining data with other information.
Under the GDPR, a data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer, imposing contractual obligations on processors, and using the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting privacy impact assessments.
Take the EU Privacy Law Basics module to learn the key principles of the GDPR and how to implement a GDPR compliance program.
Take the US Privacy Law Basics module and learn about US privacy protection in healthcare, finance, and state law.
California Consumer Privacy Act
The California Consumer Privacy Act ("CCPA") is a comprehensive privacy law that took effect on January 1, 2020. While we believe a federal privacy law is necessary so that an individual’s privacy does not depend on their ZIP code, we welcome the CCPA as a step forward in shaping data protection requirements in the United States and as an opportunity for Salesforce to continue to strengthen its commitment to privacy and data protection.
Report a Security Concern
As a leading software-as-a-service and platform-as-a-service provider, Salesforce is committed to setting the standard in safeguarding our environment and customers’ data. Partner with us by reporting any security concerns.