GDPR - General Data Protection Regulation
What is GDPR?
The General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679) was adopted by the European Union in April 2016 and replaced the EU Data Protection Directive 95/46/EC. The regulation intends to strengthen and unify data protection for individuals within the European Union (EU), whether that organisation is based in the EU or not. The new regulation requires an individual's explicit consent to allow a company with their permission, to use private information for business procedures. The new law obligates companies to review their existing policies to ensure systems are compliant with the GDPR requirements and able to handle client requests like data deletion, requesting of data details, modifications etc. GDPR is effective starting May 25, 2018. Official information about GDPR can be found here.
While the GDPR is an EU regulation, it expands the territorial scope of EU data privacy law. The regulation affects:
- Organizations based in the EU
- Organizations outside of the EU offering goods or services to, or monitoring EU residents
How can Quality Clouds help with GDPR Compliance?
Even though full GDPR compliance procedures can run into the hundreds of pages, the one key point is that organisations can not be GDPR compliant unless they can show that they are making a best effort to identify every piece of Personally Identifiable Information they are storing about their customers and employees.
While Quality Clouds is not a full-fledged GDPR compliance solution, it can effectively help organisations close an often-overlooked gap in their inventory of how Personally Identifiable Information (PII) is used in their IT systems: Usage of PII information in their code and in their data storage metadata (table and field names).
Quality Clouds scans match the main PII and extra-sensitive PII keywords against the source code present in your SaaS instance, as well as against the custom table names and column names of the underlying data storage. Each match is raised as an issue in the scan results.
The matches are implemented by default in English, Spanish, German and French. Any other languages can be added on an ad-hoc basis via Custom Rules.
Impact and remediation of GDPR issues
As opposed to other issues which are raised when a violation of a standard best practice is detected, GDPR issues are raised whenever a matching PII keyword is found in code or field or table names. These do not necessarily have to be "remediated" in the sense of removing them, if they are legitimate uses of PII information. Instead, remediation should be understood as including the list of such elements in the global inventory of PII information being stored and processed by the organisation.
The GDPR issues are included in the Data Privacy dashboard with the following impact:
Area of impact
Covered by Quality Clouds
Covered by free scan utility
|3000||Possible PII usage in configuration element||Warning||Security||All CE types||Only for clients with GDPR add-on enabled|
|3001||Possible extra-sensitive PII usage in configuration element||High||Security||All CE types||Only for clients with GDPR add-on enabled|
|4000||Possible use of private data||Warning||Security||All CE types|
List of Personally Identifiable Information (PII)
The languages covered are English, French, Spanish and German. These tables have the option to export in .csv file.
Field names to look for
|1||Taxpayer Identification Number (Social Security Number)||SSS; social number; taxpayer; security number;||Sensitive data|
|2||Citizenship Number||National ID numbers ; Social security number ;ID Number; passport; passport number; IDNumber;||Sensitive data|
|3||Addresses||home; address; ZIP code; Post code;||Sensitive data|
|4||Home Phone||Phone number; land line;||Sensitive data|
|5||Mobile Phone||mobile number; mobile;||Sensitive data|
|6||email; email address;||Sensitive data|
Date of birth
|Date of birth; birth date;||Sensitive data|
|8||Place of Birth||birthplace; birth place;||Sensitive data|
Business telephone number
|13||Gender||gender; males female||Extra-sensitive data|
|14||Visa permits number||Visa; visa permit;||Extra-sensitive data|
|15||Driver's license number||Driver license; driver licence||Sensitive data|
Vehicle registration plate number
|sexual orientation; sex; sexual;||Extra-sensitive data|
Education and employment history
|education history; employment history;||Sensitive data|
Job position / title
|job title; job position;||Sensitive data|
|22||Photos||personal picture; photo||Sensitive data|
|23||Political and religious leanings and affiliation||religion; politics; politic; political party;||Sensitive data|
|24||Insurance details||insurance number;||Sensitive data|
|25||Medical information||medical record; medical status; health status; health||Extra-sensitive data|
|26||Criminal record||criminal record; criminal data;||Extra-sensitive data|
|27||Credit score / record||credit score; credit information; credit card; account number; bank number;||Extra-sensitive data|
|28||Mother maiden name||mother maiden name; mother name||Sensitive data|
Salesforce GDPR (General Data Protection Regulation) best practices