In May 2018, the European Union’s General Data Protection Regulation comes into force. Most businesses are already in the process of complying; if you haven’t yet, you should consider taking steps to do so now. Despite the referendum to leave the European Union, the Queen’s Speech in June announced that the UK would adhere to GDPR.

At present, there is no single set of guidelines or laws on data protection in the European Union. That changes on 1st May when the GDPR simplifies and synchronises the disparate and complex national laws.

What Data Qualifies Under GDPR

The brief answer is that any data or data set that could lead the holder of such information to identify a person. It covers such things as:

  • Anything that could potentially help you identify a living person
  • Data related to any living person
  • Any data that could influence the decision of any living person


This last point is pertinent as it may include information you may not think qualifies such as social media sign-up information. If in doubt, assume any information in your Salesforce system is covered by the GDPR and treat it as such.

GDPR and Data Collection

Data collection is the process of gathering the information that we use as part of our business process either through explicit methods (asking for demographic data, email address, postal address) or through implicit methods (looking up IP addresses).

All data must be up-to-date so take care to ensure that your Salesforce data syncing will not override new data. Using PardotSalesforceas an example here, you will need to set field sync to the option ‘Use the most recentlyupdated record’.

You will need to look at four main data areas to ensure GDPR compliance:

  • Visitor tracking: recording visitor activity on your site(s). Pardot enforces compliance with the opt-in cookies
  • Forms: GDPR pushes web administrators from an opt-out to an opt-in system. Your web forms should utilise one checkbox for each relevant privacy policy
  • Privacy notices: Always seek consent for data harvesting no matter the source; this will include permission to transfer data and to process it
  • Double opt-in: This is now the web standard for most sites. It should never be enough simply to add an email address. Develop the habit of sending an email to the user to confirm


GDPR and Data Storage

The new General Data Protection Regulation covers many issues with data storage. It’s important you understand it now to ensure compliance from May 2018:

  • The stored data must be relevant to the nature of the business between the customer who owns it and the person to whom it pertains. You will also need to store consent data with a date and time stamp
  • Where you are storing it needs to be more thorough than “Our Cloud”. GDPR states that data must not be transferred to any facility outside of the EEA. This shouldn’t be a problem with Salesforce as, in line with GDPR, it is presently in the process of ensuring data is stored legally in a localised area
  • The permitted time limit for storing that data is vague and related to usefulness. You should delete information that is out of date, information pertaining to customers that have gone out of business, and should assume no consent on everything else. It will be against GDPR to keep it. Used properly, Salesforce Workflows can help regulate this


It’s also important to note that under GDPR, customers have the right to access the data you hold on them (and you must send this over in a commonly used format within one month of the request) and the right to request you delete it. This second issue is tricky and something Pardot is presently working on to deliver in time for May 2018. At present, if data is deleted from Salesforce, it is not automatically deleted from Pardot.

GDPR and Data Usage
Finally, and perhaps most importantly, the purpose for which your collected the original data must be the only reason for which you hold it. You are not permitted to hold onto it or use it for any other purpose or retroactively change the terms of the agreement. If you want to use that data for something else, you must once again seek permission. This also includes using information for a different brand, even when part of the same organisation.

This will require more stringent permissions and employee awareness. You can achieve this through Salesforce add-ons such as Pardot Engage. It allows for the creation of email templates for marketers to use to avoid potential breaches.

What About Data Breaches?
Even with all the high-tech security in the world, data breaches are possible. Any such breach must be reported to the relevant authorities within 72 hours. Using Salesforce is a great insurance policy against this with its top-notch encryption and data security. Contact Nadcoms now so we can help you adapt to GDPR as it rolls out in 2018.