Once a company is on the path to compliance, the team can focus on documenting its compliance efforts. The organization may compile copies of privacy notices and consent forms, the data inventory and record of data processing activities, written policies and procedures, training materials, internal data transmission agreements, and supplier contracts. If necessary, the organization may appoint a data protection officer and designate the competent EU supervisory authority. It is also useful for organizations to conduct periodic evaluations or audits of the data protection program to ensure that everything is working as intended. Salesforce provides a template for this: www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

Once an organization has set up its multi-function team, the team can analyze the organization's existing privacy and security efforts to identify key priority areas. An important part of the analysis is understanding where the organization stores personal data. Many organizations learn that they have dozens or even hundreds of different databases and systems that store personal data. Personal data may come from staff, candidates, people who fill out forms on websites, participate in contests or loyalty programs, make purchases, fill out discount or warranty cards, participate in events, or contact after-sales service teams by email, phone, or social networks.
Whether you are starting a new implementation or working with your existing Salesforce org, it is recommended that you follow the "Privacy by Design" principle. This principle requires that you consider data protection from the earliest stages of developing any system used to process personal data in your company. Incident response: processes must be put in place to detect and respond to security breaches, including remediation of the breach and notification of all necessary parties. As a general rule, the data controller (your company) is required to ensure that your data host (Salesforce.com) does not use the personal data transmitted to it for its own commercial purposes. Once an organization has identified where it stores personal data, the team can build a data inventory showing, for each storage system, what type of data is stored there, where it comes from, what it is used for, who has access to it, how it is secured, to which third parties it is transferred, and how long it should be retained. . . .