How the cloud makes GDPR compliance easier
By now, most companies have experienced the complexity of achieving compliance with the General Data Protection Regulation (GDPR). One of the biggest GDPR headaches for many companies? Identifying where their data actually resides.
Many companies use disparate IT systems that have been sitting idle for years. It’s a woeful tale—and a mind-boggling task—for the privacy officer charged with recording all the systems in which personal data is stored and/or processed.
When I joined FinancialForce last year and asked about our own systems, I expected to spend the next three months holed up in a room with the IT crowd. But the conversation surprised me:
“We predominantly run everything on one platform, along with a few other applications such as Gmail and Google Drive.”
“OK, so where is that data?”
“For the most part, it’s on the Salesforce platform – we have all the information about where the data is located.”
Of course, when a company grows as quickly as FinancialForce, systems and processes can change fairly quickly. I knew we’d still face complexity throughout our GDPR compliance process, but I immediately recognised how the company’s data architecture—built on a single platform—would vastly simplify an area of the GDPR which otherwise could be a minefield of complexity: data mapping.
Data mapping with a single platform
Mapping data is tough enough when you must consider individual assets, processing activities, and the links between the two. But it becomes even more complex when data can be shared across systems or when changes can be made without being logged. Data mapping in these environments can be a thankless, laborious task.
The beauty of a single platform like the Salesforce platform is that everything is automatically logged and saved. Even when you use third-party systems (e.g. Marketo, Outreach), everything still routes back to the Salesforce platform—your single source of truth.
A decade ago, relying heavily on the cloud might have given lawyers and privacy professionals anxiety. Today, however, experts in our field widely accept that cloud solutions enable businesses to benefit from the most advanced infrastructure and technology without the burden of managing, securing, and updating it yourself. I have long believed that complex tasks should be undertaken with expert support, so it’s difficult for me to imagine tackling a task as complex as GDPR compliance without the help of the Salesforce platform.
Built-in security and more
Security is an important part of GDPR. With the tremendously sophisticated security built into the Salesforce platform, we (and our customers) are able to punch above our weight. Many businesses would struggle to independently invest in the level of security that can be attained through Salesforce.
Don’t get me wrong: GDPR can’t be solved by technology alone. Compliance requires the right mix of process, procedure, documentation, technology, and the people to manage it.
But when it comes to managing complex data sets, a robust cloud platform is hugely beneficial. Soon after kicking off the GDPR project at FinancialForce, we were able to concentrate on mapping our processing activities, reviewing and adapting our stance on data subject rights, improving security, developing and adapting policies and procedures, and generally getting into the meat of the GDPR—true data management.
In my year-long journey at FinancialForce, I’ve been thoroughly impressed by the willingness and eagerness of our global team to embrace this important regulation. They’ve accepted and adapted to the changes to our processes and business to meet it and, I am proud to say, this positivity and great cooperation continue. We know that GDPR is for life, not just for May 25th.