Company data stored in Salesforce orgs must be protected - whether you’re dealing with sales records, sensitive business information or customers’ credit card and social security numbers. In our recent series of blog posts on data backups for Salesforce, we explained some of the many technical reasons why backing up Salesforce data and putting a robust data recovery process in place is both essential and an important DevOps tool for Salesforce teams. But particularly when it comes to customers’ personal data, a backup solution is not only necessary as a technical precaution for many companies, but effectively a requirement under data protection regulations too.
In this post, we set out some implications of the GDPR and CCPA for your Salesforce backups, and give you a brief outline of how a backup tool like Gearset can make it easier for you to comply with data protection requirements.
Backup requirements for personal data
General Data Protection Regulation (GDPR)
The European Union’s GDPR is the most far-reaching set of rules on data protection and data privacy worldwide. That’s because it applies to companies whether or not they are based in the EU. If your organization is responsible for storing or processing personal data, including personally identifiable information (PII), of employees, customers or anyone else resident in the EU and European Economic Area (EEA), you must comply with the GDPR.
The GDPR states that companies must make sure that they have a level of security appropriate to the risk of the personal data being compromised. They must also restore availability and access to personal data in a timely manner in the event of a technical incident (Article 32). In other words, if an individual requests access to data you hold on them, you must be able to provide it.
So, if you’re using a cloud-based platform like Salesforce to store personal data, you’re probably going to need a backup solution to stay compliant with the GDPR. That way, if Salesforce goes down, your customers’ data will still be accessible from your backups. Finally, individuals can instruct almost any company - including companies based outside the EU - to purge any data on them from the company’s records within 30 days under what is known as ‘the right to be forgotten’ (Article 17 of the GDPR).
California Consumer Privacy Act (CCPA)
Effective as of the start of 2020, the CCPA grants the residents of California rights similar to those under the EU’s GDPR. The scope of the CCPA is smaller than the GDPR; companies must meet certain thresholds before they are liable to take action on requests made under the CCPA. But like the GDPR, the CCPA allows individuals to find out what data a company holds, and request that it be deleted. Most companies will need to comply with either the CCPA, the GDPR, or both. So it’s worth thinking about how your backups will remain compliant with data protection legislation.
Other proposed state privacy laws
Other states in the US are starting to follow California’s example, with state privacy laws proposed in New York, Maryland, Massachusetts, North Dakota and Hawaii. So, increasingly, companies will need to make sure their data and backups are compliant no matter where their customers are based.
Implications for your Salesforce backups
What do the regulations mean for your Salesforce backups? First and foremost, data must be kept secure. If you were thinking about managing your own backups, note that you’d be taking on responsibility for compliance yourself - you’d have to demonstrate that your data is secure and regularly backed up, and that you have the ability to purge records.
For most companies, backups in the cloud are now the norm. While certain companies might want to hold backup data on-premises, most are happy to back up their data to a virtual drive. This is especially true for those in the Salesforce ecosystem who by definition have already embraced cloud technology.
Of course, the data on virtual drives is still being physically hosted somewhere. So the questions to ask about storage security are about how the third-party backup solution you choose complies with the relevant regulatory requirements:
- Where is the data being hosted?
- How is it physically protected?
- How is the data encrypted?
- Who has access to that data?
In Gearset’s case, your data is stored on our secure servers with multiple layers of encryption. We use Amazon Web Services - the same industry-leading data centers trusted by Salesforce and Heroku. Your data is encrypted both in transit and at rest, and you hold a unique encryption key.
Data retention and deletion
Many companies prefer to retain protected data indefinitely in order to secure their data for the foreseeable future. Others have a particular reason for holding data only for a certain period of time if, for instance, they have their own data retention policy with consumers that needs to apply to their backups. Limiting the period of time backup data is held for is also a way of keeping the cumulative size of backups from ballooning. Generally, the more space required for backups, the more expensive they become. So there is often a financial motivation for setting data retention limits too.
To comply with the data protection regulations, you need to be able to locate records within your backups and purge them. In Gearset, you can delete single records, download your backup data, or choose when individual records need to be purged for compliance. Gearset shows you a complete audit history of all your deletions within the app. If you need to render all of your backup data unusable, just delete your unique master encryption key at any time to make your backup data completely irretrievable.
Want to know more about Salesforce backups?
For more information on the causes of Salesforce data loss and the process of backup and restore, download our free Backups for Salesforce ebook.
Gearset’s backup solution incorporates industry best practice to offer you enterprise-grade information security. If you’re a Gearset user, try out the backup solution yourself from within the app, or start a 30-day free trial.