An introduction to the most radical changes to data protection in the last 10 years. Stephan Chandler-Garcia from Digital Catapult gives you an overview of the General Data Protection Regulation and how you can stay ahead of the curve as a Salesforce user. We will be looking at new ways of thinking about your customers data and new ways of managing consent.

1. What is GDPR and why does it
matter to me?
stephanwgarcia@gmail.com
@sgarcia421
​Stephan Garcia
CRM Manager, Digital Catapult

2. So what is the GDPR…
​The General Data Protection Regulation
25th
May, 2018
The GDPR is characterised as wide-sweeping data reform
that brings power back into the hand of the individual.
• Awareness
• Consent
• Control
• Responsibility
​…and why does it matter?

3. Data Protection
​Data Protection Through the Years
1984 – Data Protection Act
1987 – Access to Personal Files Act
1995 – EU Data Protection Directive
1998 – Data Protection Act (DPA)
2001 – Windows XP
2003 – Privacy and Electronic Communications Regulations (EC Directive)
2008 - iPhone
​A Brief History
(1997)

4. The BIG Difference
​B2B vs B2C
Historically, it has come down to interpretation as the enforcement in the B2B world has always been lacking.
​Personal Data
Personal data means data which relate to a living individual who can be
identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is
likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication
of the intentions of the data controller or any other person in respect of the
individual.
Source: ico.co.uk

5. The Problem
​CRM is DRIVEN by Personal Data
How do you fight the theory that “If it doesn't exist within salesforce, it doesn't exist”
​Customer Relationship Management
As Salesforce Professionals, we must start
changing the way that we think about data.

6. The Problem
​“Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.”
​Customer Relationship Management

7. Awareness
​There are two things every website has in common, a Privacy Policy and Terms & Conditions
It is imperative that your data processing is outlined in both of these! Salesforce is not exempt from this!
​Make sure that your customers know how and why you are using their data!
When asked why you’re collecting any piece of information, you need must be able to provide a reasonable
explication.
What can I do?
• Gather your stakeholders together and review your Privacy Policy & Terms & Conditions
• Create a “Data Story” that enables you to explain the way that data travels through your organisation
• BONUS TIP! Make sure that that this story has an ending!
​Transparency is Key!

8. Awareness
​Transparency is Key!
More Info: http://bit.ly/DigicatPDR
​POC: Personal Data Receipts
Treating personal data submissions as transactions
• Increased visibility of data practice
• Multi layered opt-in
• Accessibility

9. Consent
​Pre-ticked checkboxes are a thing of the past
This is defined in the regulation, you must have explicit consent from the individual
​Recording of Consent
You must keep a thorough record of when/when consent was obtained
What can I do?
• Get rid of any pre-ticked checkboxes!!!
• Make sure you store the source of the opt-in and date on every level of opt-in.
• Review your data and make sure that you have a general idea of the source of opt-in as you aren’t required
re-request this information as long as you are comfortable that it was not obtained illegally.
​“Explicit Consent”

10. Control
​The Right to Be Forgotten
​The broad principle underpinning this right is to enable an individual to request
the deletion or removal of personal data whether there is no compelling reason
for its continued processing.
​The Right to Be Forgotten

11. Control
​The Right to be Forgotten
Any Individual has the right to have their data erased, without undue delay. This applies when the use of the
data is complete(eg. ending of service agreement) or when was collected or processed unlawfully.
​Subject Access Requests
Similar to the Freedom of Information Act, this requires you to promptly disclose any information you have on
an individual. This must be via electronic communication and completed within 30 days. This has existed in
the past, but was at a cost.
What can I do?
• Make sure you know where all personal data sits within Salesforce as well as discuss with your team where
other data might sit around the business.
• Create a checklist that enables you to track the deletion of data
• Create an easy way for your customers to request their data and/or erasure
​The Right to Be Forgotten

12. Responsibility
​The Data Processor, eg. Salesforce, is equally responsible as the Controller(you)
The processor must provide guidance and education to their users to make sure that best practice is being
followed.
​Protection Impact Assessments
The ICO has a right to request proof that an PIA has been completed
​Protection Impact Assessments
Infringement of the following GDPR provisions are subject to administrative fines up to €20,000,000 or in the
case of undertakings, up to 4% of global turnover, whichever is higher.
​“But Salesforce made me do it!!!”

13. Resources
​The ICO – 12 Steps to Prepare Yourself for the GDPR
http://bit.ly/ico12steps
​ICO – Guidance for Consent (more to come)
http://bit.ly/icoConsent
​ICO - GDPR Overview
http://bit.ly/icoGDPRoverview
​Trust the ICO

14. Thank Y u