General Data Protection Regulation


Salesforce remains committed to helping our customers comply with the General Data Protection Regulation (GDPR) through our robust privacy and security protections. In force since May 25, 2018, the GDPR expands the privacy rights of European Union (EU) individuals and places new obligations on all organizations that market to, track, or otherwise handle the personal data of EU individuals.

What is GDPR?

The GDPR is a comprehensive EU data protection law that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaced the patchwork of national data protection laws that preceded it with a single set of rules, directly applicable and enforceable in each EU member state.

The GDPR regulates the processing—which includes the collection, storage, transfer or use—of personal data about EU individuals. Any organization that processes personal data of EU individuals, including tracking their online activities, is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).


Security Measures and Reporting Requirements

Organizations must use appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Depending on the specific use case and personal data processed, the use of data segregation, encryption, pseudonymization, and anonymization is recommended, and in some cases required, to help protect personal data.

It is important to note that under the GDPR, a data controller must report a personal data breach to its supervisory authority without undue delay, and no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. Where the breach is likely to result in a high risk to those individuals, the controller must also notify the affected data subjects without undue delay. A data processor must notify its controller of any breach without undue delay, since the controller's 72-hour clock starts when the controller becomes aware of it.

What security measures do I need to put in place as a result of GDPR?

  • Encryption

    Although not strictly required, the law encourages encryption as an effective way to help ensure the security and confidentiality of personal data. Article 32 names encryption explicitly among the appropriate technical measures, and under Article 34 a controller need not notify affected individuals of a breach if the compromised data had been rendered unintelligible to unauthorized parties, for example by encryption whose keys were not also compromised.

  • Pseudonymization

    The GDPR encourages organizations to use pseudonymization as a risk-based measure to protect data security and the rights of individuals. Pseudonymized data is personal data that can no longer be attributed to a specific individual without additional information (such as a key or lookup table) that is kept separately under its own technical and organizational controls. Because whoever holds that additional information can re-identify the individuals, pseudonymized data is still personal data under the GDPR.

  • Anonymization

    One step up from pseudonymization, anonymizing data is the most secure way to protect personal data, and truly anonymous data falls outside the scope of the GDPR altogether. To be considered truly anonymous, it must not be possible, by any means reasonably likely to be used, to identify an individual from the data, whether through further processing or by combining it with other information. Removing or hashing direct identifiers alone does not meet this bar if the remaining attributes can still single out an individual.

  • Accountability

    Under the GDPR, a data controller is responsible for implementing measures to ensure that the personal data it controls is handled in compliance with the principles of the GDPR. This includes appointing a data protection officer where the regulation requires one, imposing contractual obligations on processors, and applying the principles of “privacy by design” and “privacy by default.” Additionally, a data controller must be able to demonstrate compliance, including by keeping a record of processing activities and conducting data protection impact assessments for processing that is likely to result in a high risk to individuals.

  • EU Trailhead: Learn About the GDPR and How to Comply

    Take the EU Privacy Law Basics module to learn the key principles of the GDPR and how to implement a GDPR compliance program.

  • US Trailhead: Learn About US Privacy Laws and How to Comply

    Take the US Privacy Law Basics module and learn about US privacy protection in healthcare, finance, and state law.
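The pseudonymization and anonymization items above turn on one practical question: can the data still be tied back to a person, and by whom? The following added example (written for this page; it is not Salesforce code and does not describe any Salesforce product) makes that concrete. It pseudonymizes a constructed customer export two ways: an unkeyed SHA-256 of the e-mail address, which keeps rows linkable but is reversed by a simple dictionary attack because e-mail addresses are guessable, and an HMAC-SHA256 under a secret key, which keeps the same linkability but can only be reversed by whoever holds the key. The key is the "additional information kept separately" that makes the output pseudonymized rather than anonymized. All record and candidate-list values are constructed sample data, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample export (fictional people): direct identifier plus two attributes.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},  # same person, second row
]

# Constructed list of identifiers an attacker could plausibly enumerate. In practice the
# input space for e-mail addresses, phone numbers or national IDs is large but guessable.
CANDIDATE_EMAILS = [
    "carol@example.net",
    "alice@example.com",
    "bob@example.org",
    "dave@example.com",
]


def naive_pseudonym(value):
    """Unkeyed SHA-256 of the identifier. Deterministic, so rows for the same person
    still link, but anyone who can guess the input can recompute and match it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value, key):
    """HMAC-SHA256 under a secret key. Still deterministic (rows link), but matching a
    token to an identifier requires the key, which is the additional information the
    GDPR expects to be kept separately from the pseudonymized data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key=None):
    """Replace the e-mail column with a subject_id token, unkeyed if key is None."""
    token = naive_pseudonym if key is None else (lambda v: keyed_pseudonym(v, key))
    out = []
    for r in records:
        row = dict(r)
        row["subject_id"] = token(row.pop("email"))
        out.append(row)
    return out


def reverse_naive(token, candidates):
    """Dictionary attack: recompute the unkeyed hash for each candidate and compare."""
    for c in candidates:
        if naive_pseudonym(c) == token:
            return c
    return None


def reverse_keyed(token, candidates, key=None):
    """Same attack against the keyed variant. Without the key the attacker cannot even
    compute candidate tokens; with the key it succeeds, which is why the key holder
    still processes personal data."""
    if key is None:
        return None
    for c in candidates:
        if keyed_pseudonym(c, key) == token:
            return c
    return None


def demo():
    key = secrets.token_bytes(32)  # would live in a separate key store, not with the data
    naive = pseudonymize(RECORDS)
    keyed = pseudonymize(RECORDS, key)
    # Linkability is preserved in both variants: Alice's two rows share a subject_id.
    assert naive[0]["subject_id"] == naive[2]["subject_id"]
    assert keyed[0]["subject_id"] == keyed[2]["subject_id"]
    return {
        "naive_reversed": reverse_naive(naive[0]["subject_id"], CANDIDATE_EMAILS),
        "keyed_reversed_without_key": reverse_keyed(keyed[0]["subject_id"], CANDIDATE_EMAILS),
        "keyed_reversed_with_key": reverse_keyed(keyed[0]["subject_id"], CANDIDATE_EMAILS, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Neither variant anonymizes the data: the keyed tokens are still personal data for whoever holds the key, and even with the e-mail column gone, rare combinations of the remaining attributes (country, plan, and whatever else an export carries) may single out an individual. Anonymization requires also generalizing or suppressing those attributes so that no record can be isolated, which is a separate exercise from replacing identifiers.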


California Consumer Privacy Act

The California Consumer Privacy Act ("CCPA") is a comprehensive privacy law that took effect on January 1, 2020. While we believe a federal privacy law is necessary so that an individual’s privacy does not depend on their ZIP code, we welcome the CCPA as a step forward in shaping data protection requirements in the United States and as an opportunity for Salesforce to continue to strengthen its commitment to privacy and data protection.