From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Innovation day Oslo FSI breakout
1. Compliant by Design
Roundtable discussions on how to deal with GDPR compliance
jhaugen@salesforce.com, @pumato
Jon Haugen, Salesforce Platform Lead Nordics
GDPR
READY
2. Forward-Looking Statement
Statement under the Private Securities Litigation Reform Act of 1995
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include, but are not limited to, risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
3. A Proven History of Ensuring Data Privacy and Trust for All
Salesforce's privacy program meets the highest industry standards
October 2015: Response to Safe Harbor Invalidation (the CJEU struck down the EU-U.S. Safe Harbor framework on 6 October 2015)
November 2015: Binding Corporate Rules Approved
August 2016: EU-U.S. Privacy Shield Certification (the Privacy Shield framework opened for self-certification on 1 August 2016)
4. Overhaul of EU Privacy Laws
EU General Data Protection Regulation (GDPR)
Effective on May 25, 2018
Replaces Patchwork of National Laws
Single set of rules across the EU (a regulation, directly applicable in every member state, rather than a directive transposed into 28 national laws)
Increased Scope and Global Reach
Applicable to EU companies and to non-EU companies that offer goods or services to, or monitor the behaviour of, data subjects in the EU
Increased Individual Privacy Rights
Expanded control over personal information (access, rectification, erasure, restriction, portability, objection)
Transparency and Accountability
Increased penalties: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher
5. GDPR Compliance is not a «Walk in the Park»
Parts of the GDPR, such as Data Portability and the Right to be Forgotten (erasure), affect you as companies because those rights have to be accommodated in your internal processes: you must be able to find, export and delete an individual's data across every system that holds it.
The GDPR is very process driven. For instance, a Data Protection Impact Assessment (DPIA) is mandatory for processing that is likely to result in a high risk to individuals. Privacy-by-design and privacy-by-default are binding principles. Organizations are expressly encouraged to certify their data processing with a supervisory authority or an approved certification body.
The GDPR also imposes very concrete measures. For instance, it obliges companies to keep internal records of their processing activities, which in practice means an App Inventory of the systems that process personal data and what they do with it. Data breaches must be notified to the supervisory authority without undue delay (where feasible, within 72 hours of becoming aware of them) and documented internally. A Data Protection Officer (DPO) is mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data.
Some of the challenges we hear from customers:
6. Your GDPR readiness journey so far.
What is the biggest challenge(s) you see?
7. Defining Roles and Responsibilities
This is a partnership between you and us
Data Subject: the individual the personal data relates to.
Data Controller (You): primarily responsible for privacy compliance.
Data Processor (We): acts upon the instruction of the controller; also responsible for privacy compliance.
Platform capabilities that support this partnership:
Consent Management
Event Monitoring
Field Audit Trail
Encryption at rest
Salesforce External Identity (CIAM)
8. Salesforce GDPR Compliance Support
The Right to be Forgotten - Data Deletion for the Salesforce Platform
https://help.salesforce.com/articleView?id=data_deletion_platform.htm&type=5
Data Portability - Data Access and Export for the Salesforce Platform
https://help.salesforce.com/articleView?id=data_portability_platform.htm&type=5
Consent Management for the Salesforce Platform
https://help.salesforce.com/articleView?id=consent_management_platform.htm&type=5
Restriction of Processing
https://help.salesforce.com/articleView?id=restriction_of_processing_platform.htm&type=5
Accountability/Transparency – Salesforce Data Processing Addendum
https://www.salesforce.com/content/dam/web/en_us/www/documents/data-processing-addendum.pdf
Spring and Summer '18 releases include major improvements in GDPR support
9. Defining Roles and Responsibilities Can Be Hard
No organization has only one system on one platform
Data Subject: the individual the personal data relates to.
Data Controller (You): primarily responsible for privacy compliance.
Multiple Data Processors: act upon the instruction of the controller; also responsible for privacy compliance.
What the controller needs to keep on top of across all of them:
Data Protection Officer
Data Protection Impact Assessment
App Inventory
Data Processing Agreement
Sub-DPAs (agreements covering each processor's own sub-processors)
11. Your GDPR readiness checklist.
Data Processor Certifications?
Are You Working to Consolidate Data Processors?
Data Protection Officer?
Data Protection Impact Assessment?
App Inventory?
Data Breach Processes?
…
12. What is the most commonly used tool by DPOs today?
What is the most common tool to do a DPIA today?
What is the most common data store to keep and manage an App Inventory?
13. Data is More Valuable in Salesforce than in Spreadsheets
Standardize information and make it more useful in object format
Spreadsheets → Objects
Rows → Records
Columns → Fields
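The mapping on this slide (a spreadsheet becomes an object, rows become records, columns become fields) is what turns an App Inventory kept by a DPO into something you can query. The following is an added example, not code from the slide deck or from Salesforce: it parses a constructed spreadsheet-style inventory into typed records and runs the readiness checks from the checklist slide (DPA signed, sub-DPAs in place, processor certification recorded, DPIA done where special-category data is involved) over them. The column names, sample rows and check rules are assumptions made for illustration, not a Salesforce schema or a regulatory requirement.

```python
"""Added example: App Inventory as records instead of spreadsheet rows.

The CSV columns, the rows and the readiness rules below are constructed
for illustration; they are not a Salesforce object definition.
"""
import csv
import io
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample inventory: one row per application, as a DPO might
# keep it in a spreadsheet. Each column becomes a field on the record.
APP_INVENTORY_CSV = """\
App,Processor,PersonalData,SpecialCategories,DPASigned,SubProcessors,SubDPAsSigned,Certification,DPIADone
CRM,Salesforce,yes,no,yes,"AWS;Twilio",yes,"BCR;Privacy Shield",yes
Newsletter,MailBlast,yes,no,no,,n/a,,no
HR Payroll,PayCo,yes,yes,yes,"CloudDB",no,ISO 27001,no
Intranet Wiki,Self-hosted,no,no,n/a,,n/a,,n/a
"""


def parse_flag(value: str) -> Optional[bool]:
    """Map spreadsheet-style yes/no/n-a cells to True/False/None."""
    v = value.strip().lower()
    if v in ("yes", "y", "true"):
        return True
    if v in ("no", "n", "false"):
        return False
    return None  # "n/a" or blank: not applicable / not recorded


@dataclass
class AppRecord:
    app: str
    processor: str
    personal_data: bool
    special_categories: bool
    dpa_signed: Optional[bool]
    sub_processors: List[str]
    sub_dpas_signed: Optional[bool]
    certifications: List[str]
    dpia_done: Optional[bool]


def load_inventory(csv_text: str) -> List[AppRecord]:
    """Rows -> records, columns -> fields; ';'-separated cells -> lists."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append(AppRecord(
            app=row["App"],
            processor=row["Processor"],
            personal_data=bool(parse_flag(row["PersonalData"])),
            special_categories=bool(parse_flag(row["SpecialCategories"])),
            dpa_signed=parse_flag(row["DPASigned"]),
            sub_processors=[s for s in row["SubProcessors"].split(";") if s],
            sub_dpas_signed=parse_flag(row["SubDPAsSigned"]),
            certifications=[c for c in row["Certification"].split(";") if c],
            dpia_done=parse_flag(row["DPIADone"]),
        ))
    return records


def readiness_findings(records: List[AppRecord]) -> List[Tuple[str, str]]:
    """Return (app, finding) pairs for checklist items that are not met.

    Rules are illustrative: an external processor needs a signed DPA and a
    recorded certification, its sub-processors need sub-DPAs, and special
    category data needs a completed DPIA. Apps without personal data are
    out of scope.
    """
    findings = []
    for r in records:
        if not r.personal_data:
            continue
        external = r.processor.lower() != "self-hosted"
        if external and r.dpa_signed is not True:
            findings.append((r.app, "no Data Processing Agreement with processor"))
        if r.sub_processors and r.sub_dpas_signed is not True:
            findings.append((r.app, "sub-processors without sub-DPAs: "
                             + ", ".join(r.sub_processors)))
        if external and not r.certifications:
            findings.append((r.app, "processor certification not recorded"))
        if r.special_categories and r.dpia_done is not True:
            findings.append((r.app, "special-category data but no DPIA"))
    return findings


if __name__ == "__main__":
    for app, finding in readiness_findings(load_inventory(APP_INVENTORY_CSV)):
        print(f"{app}: {finding}")
```

Once the inventory is a list of typed records rather than cells, each checklist question on the previous slide becomes a filter over fields, and the same records can feed a DPIA or a breach-notification workflow instead of being re-keyed from the spreadsheet.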
14. Create Custom Objects Specific to Your Needs
Across every organization, department or team
Flights
Property
Inspections
Vehicles
Events
Contracts
Evaluations
Applications
Applicants
Consultations
Shipments
Equipment
Lightning Platform