Ensure GDPR compliance with Salesforce backup best practices

Amelia Rehm on

GDPR (General Data Protection Regulation) sets strict rules for how you collect, use and store personal data about people in the EU. It’s one of the most stringent data privacy regimes in the world, and it applies to any company that stores data of EU residents.

Get GDPR wrong, and your company could face fines up to billions of dollars, like Meta having to pay $1.3bn for transferring personal data of Facebook users to servers in the US. GDPR fines can cripple a business — but with the right backup and archiving in place, you can stay protected, stay compliant, and stay operational.

Backing up your data is a key part of GDPR compliance — and it goes beyond just storing copies. You need to understand the regulations themselves, and the technical steps needed to protect and restore your Salesforce data properly. Do both, and you reduce risk while staying fully compliant.

In this blog we’ll look at some of the requirements for GDPR compliance, best practices to ensure your backups also comply with these and how Gearset’s Salesforce backup solution can take the stress out of GDPR.

What’s covered by GDPR?

There are 99 articles in the GDPR outlining the regulations that companies need to comply with if they’re holding data of EU citizens. Here are some of the key articles to be aware of:

  • Data minimization and storage limitation: Article 5 states that businesses should limit the collection of personal information to only what is relevant and necessary, and only store the data for as long as it’s needed. A data protection impact assessment could be carried out to identify and minimize data protection risks.
  • Right to erasure: Article 17 gives customers the ‘right to be forgotten’, by requesting that their data is deleted within a reasonable timeframe, stopping further distribution of their data.
  • Data encryption and security: Article 32 requires data controllers and data processors to implement appropriate measures to secure data, including platform encryption of personal data, and these processes should be regularly evaluated to ensure effectiveness in case of a data breach.
  • Data availability: Article 32 also states that the availability of personal data should be restored quickly if a physical or technical incident occurs.

Is data stored in Salesforce GDPR compliant?

Salesforce is committed to customer success and has taken steps to help their customers be GDPR compliant. The Salesforce data processing addendum (DPA) includes a strong framework on data transfer, to ensure data transferred to Salesforce data centers outside of the European Union is lawful and compliant with GDPR. For teams that need more control over data location, Hyperforce allows you to choose the geographic region where customer data is stored and processed — helping meet regional data residency and security requirements. Salesforce’s architecture, auditing, and certification processes are highly secure, with more detail available in their Trust and Compliance documentation.

Salesforce also offers Salesforce Shield, which is a set of security tools (platform encryption, event monitoring, Einstein Data Detect, and field audit trail) that help with compliance and governance — this is a paid add-on that comes with a high price tag. It also works alongside Data Classification, a native feature that lets you label and track sensitive fields. This helps you better manage data exposure and ensure the right protection is applied to sensitive data.

5 steps to GDPR-compliant Salesforce data management

Before diving into specific backup practices, let’s establish a framework for comprehensive GDPR compliance in your Salesforce environment. These five steps create the foundation for protecting EU citizens’ data while keeping your operations efficient:

  1. Conduct a comprehensive data audit. Identify and classify all personal data in your Salesforce org.

  2. Implement privacy by design. Configure Individual Object and data classification from the start.

  3. Establish backup and recovery processes. Ensure data availability per Article 32 requirements.

  4. Configure access controls. Limit data access based on legitimate business needs.

  5. Document compliance activities. Maintain audit trails for regulatory inspections.

Each step builds on the previous one, creating layers of protection that work together. Gearset’s backup solution plays a crucial role in step 3, ensuring you can quickly restore data while maintaining compliance with all GDPR requirements. Let’s explore how to implement these practices effectively.

Data backup best practices for GDPR compliance

The data availability requirements in Article 32 mean you’re at risk of breaching GDPR if Salesforce experiences a major outage — that’s why relying on Salesforce to ensure your company is complying with GDPR isn’t enough. Without backups in place, companies would struggle to restore the accessibility of personal data if a major Salesforce incident occurred.

Although backups are key to helping a company stay GDPR compliant, it shouldn’t be forgotten that these backups are also a compliance risk in their own right. Here are some best practices to keep in mind while configuring and managing your Salesforce data backups, to make sure you’re complying with the GDPR.

1. Use third-party backup solutions

Third-party backup solutions are external tools that create independent copies of Salesforce data and metadata. It’s a common misconception that Salesforce automatically backs up data — the shared responsibility model means Salesforce is responsible for the cloud services and infrastructure, but a company is responsible for making sure their org’s metadata and data are backed up.

While Salesforce provides backup as a paid add-on, those backups wouldn’t be accessible in the case of a major Salesforce outage, making it a good idea to keep backups separate with a third-party tool. This separation keeps you compliant with Article 32 — your data stays available even if Salesforce goes down.

Some teams opt for an in-house or self-built backup solution. Keep in mind that it takes a lot of work, time and money to look after self-built backup solutions to ensure they’re safe and GDPR compliant. A third-party backup solution can take this stress away.

2. Manage all data subject rights through your backups

While the right to erasure often gets the most attention, there’s a full spectrum of data subject rights that you need to consider when backing up your data:

Right of access: GDPR grants individuals the right to access their personal data. Backup solutions must enable quick data retrieval for access requests.

Right of erasure: The right to erasure can be particularly difficult when it comes to backups. Supervisory authorities understand that it usually takes a lot of time and effort for companies to search through the mountains of backups for a specific customer’s data, and that it’s sometimes not feasible for companies to do so. But the guidelines for these situations are unclear. For example, France’s GDPR supervisory authority requires companies to provide proof that it isn’t possible to search through individual backups, and the company must outline how long the data backups will be kept. Meanwhile, the Danish GDPR supervisory authority says data must be deleted from a backup when it’s technically possible without specifying exactly what this means.

Given this ambiguity, it’s safer to have an easy-to-use system to be able to search through backups and delete records rapidly, rather than having to provide evidence that deletion isn’t possible and being stuck in a legal gray area. The same principle applies to other data rights too. Your backup systems need to support these obligations, not complicate them. This includes:

Right to rectification: Individuals can request corrections to their data. Ensure backup systems can update inaccurate information.

Right to data portability: Data subjects can request their data in portable formats. Choose backup tools that support standard export formats.

3. Limit and regularly review access to your Salesforce data backups

Even within a business, it’s important to make sure no one has access to personal data unless it’s absolutely necessary — the more people have access to data, the greater the level of risk. Setting up strict access limitations for Salesforce backups, and regularly reviewing permissions, helps minimize the possibility of data being accessible to the wrong people. Use Salesforce’s native permission sets and role hierarchies alongside your backup tool’s access controls. It’s the easiest way to lock things down properly, with layered protection that covers both your org and your data.

Depending on the backup solution in place, it can be a cumbersome process to check exactly who can view, edit, or even delete backups. Ideally, a backup solution should give easy visibility of all the permissions associated with a backup job, as well as showing the level of access each user has. The Individual Object in Salesforce helps you manage consent in one place and respond quickly to data subject requests.

4. Continually delete old backup runs

Although the GDPR doesn’t have a specific data retention policy dictating how long a company should or can keep personal data, the data minimization requirements mean data can’t be kept any longer than is necessary. So companies must justify the period of time they keep data not only in their orgs but in backups too.

When someone’s consent runs out, their backup data needs to go too. Keeping these in sync is key to staying compliant and avoiding unnecessary data exposure.

Deleting old backup runs on an ongoing basis helps ensure that you don’t accidentally keep data longer than is necessary. To make the process more efficient and less time-consuming, find a solution that will automatically delete backup runs after a specified period of time. Gearset automatically enforces the retention periods you define — reducing manual tracking and supporting compliance.
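To make the erasure obligation from practice 2 and the retention obligation from practice 4 concrete, here is an added Python example (not Gearset’s code and not a Salesforce API) that applies a retention window to a set of constructed backup runs, removes one data subject’s records from every run that remains, and keeps an audit trail that holds only record Ids. The run ids, record Ids, email values and the 90-day window are assumptions made for the example.

```python
from copy import deepcopy
from datetime import datetime, timedelta, timezone

# Constructed sample: three backup runs, each a snapshot of Contact records keyed by Salesforce Id.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
RETENTION_DAYS = 90                               # hypothetical retention window from the policy
BACKUP_RUNS = [
    {"run_id": "run-001", "taken_at": NOW - timedelta(days=120),
     "records": {"003AAA": {"Email": "a@example.com"}, "003BBB": {"Email": "b@example.com"}}},
    {"run_id": "run-002", "taken_at": NOW - timedelta(days=30),
     "records": {"003AAA": {"Email": "a@example.com"}, "003CCC": {"Email": "c@example.com"}}},
    {"run_id": "run-003", "taken_at": NOW - timedelta(days=1),
     "records": {"003BBB": {"Email": "b@example.com"}, "003CCC": {"Email": "c@example.com"}}},
]

def expire_runs(runs, now, retention_days, audit):
    """Drop every run older than the retention window (storage limitation, Article 5)."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for run in runs:
        if run["taken_at"] < cutoff:
            audit.append({"action": "expire_run", "run_id": run["run_id"], "at": now.isoformat()})
        else:
            kept.append(run)
    return kept

def erase_subject(runs, record_ids, now, audit):
    """Remove the subject's records from every retained run (right to erasure, Article 17).
    The audit entry holds only the Salesforce Id, never the erased personal data, so the
    log does not itself become another copy of what the subject asked you to delete."""
    removed = 0
    for run in runs:
        for rid in record_ids:
            if run["records"].pop(rid, None) is not None:
                removed += 1
                audit.append({"action": "erase_record", "run_id": run["run_id"],
                              "record_id": rid, "at": now.isoformat()})
    return removed

def subject_present(runs, record_id):
    """True if any retained run still holds the record; use it to verify an erasure request."""
    return any(record_id in run["records"] for run in runs)

def run_example():
    """Apply the retention policy, then an erasure request for 003AAA, to a copy of the sample."""
    audit = []
    runs = expire_runs(deepcopy(BACKUP_RUNS), NOW, RETENTION_DAYS, audit)
    removed = erase_subject(runs, ["003AAA"], NOW, audit)
    return {"kept_runs": [r["run_id"] for r in runs], "removed": removed,
            "still_present": subject_present(runs, "003AAA"), "audit": audit}
```

The `subject_present` check after erasure is the evidence you would keep alongside the audit entries when a supervisory authority asks how an erasure request was honoured across backups.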

Make GDPR compliance simple with Gearset backup

Native Salesforce features lay the groundwork for GDPR, but Gearset’s backup fills the gap that matters: keeping your data available when you need it most. If you’re storing the data of EU citizens, then backups are vital for GDPR compliance — but it can be overwhelming working out where to start. Here are some of the ways that Gearset’s backup solution takes the stress out of GDPR compliance:

1. Easily delete records from your backup history

Gearset allows you to easily delete records from all backup runs, by selecting Remove records from backup history.

Select ‘Remove records from backup history...’

You can delete up to 10,000 records from the entire history of your backup job in a matter of clicks, making the right to erasure quick and simple.

Insert the relevant information

2. Configure access permissions

Configure custom backup access for members of your Gearset team, to make sure no one has unnecessary access to your customer data. If you want to review and change user access down the road, go to Edit job > Edit settings > Permissions to quickly view and edit permissions for your backup job.

Here you can edit the permissions for your backup job

3. Customized data retention policies

Make data minimization straightforward with customized retention policies. Select exactly how long you want your data backups to be stored and Gearset will automatically delete the data when the retention window is reached.

Here you can change your retention policy

4. Rigorous security standards

Ensuring our users’ information is secure at all times is our top priority; we’re ISO 27001 certified, carry out regular penetration testing and maintain 24/7 intrusion detection. All backups are securely hosted on AWS servers, meaning your data is safe in the case of a Salesforce incident. And data is encrypted in transit and at rest — you can set up BYOK too.

GDPR compliance checklist for Salesforce

Ready to make sure your Salesforce setup ticks every GDPR box? Use this checklist to track your progress:

  • Data Processing Agreement signed with Salesforce
  • Individual Object configured for consent management
  • Data Classification enabled for sensitive fields
  • Third-party backup solution implemented
  • Retention policies defined and automated
  • Access controls configured and documented
  • Data subject request process established
  • Regular compliance audits scheduled

Find out how Gearset can help you be GDPR-compliant

GDPR compliance comes down to trust — showing customers you handle their data responsibly. Salesforce gives you a solid starting point with tools like Individual Object and Shield. But real compliance means covering the full picture: consent tracking, backups, retention, and recovery.

Gearset’s backup tool helps close that loop — keeping data available, retention policies tight, and subject access requests easy to handle.

Speak to our team to hear more about how Gearset can help you back up your data in a GDPR-compliant way. Check out our backup ebook for more information on securely backing up your Salesforce data and restoring effectively.

Frequently asked questions about Salesforce GDPR compliance

Q: How do backups relate to GDPR data minimization?

A: Backups must follow the same retention rules as production data. Delete unnecessary backup data according to your retention policy.

Q: What happens to encrypted data in backups?

A: Encrypted data remains protected in backups. Gearset maintains encryption at rest and in transit.

Q: How quickly must I delete backup data after a GDPR request?

A: GDPR requires deletion within 30 days. Gearset enables deletion across all backup runs immediately.

Q: Do I need to backup consent records?

A: Yes. Consent records prove GDPR compliance and must be included in backup strategies.
