The General Data Protection Regulation (GDPR) has served as the data privacy and security gold standard since its adoption in 2016. And the stakes are only getting higher. With social media giant Meta’s recent record $1.3B fine for mishandling EU data, organizations can’t ignore the consequences that await on the wrong side of GDPR compliance.
Given that certain GDPR articles have significant data protection and security implications, your SaaS third-party data protection solution must do more than check compliance boxes; it should make the processes to achieve it easier, too. In this article, we break down several important GDPR regulatory articles you need to know and how Own supports compliance through all products: Recover, Archive, Sandbox Seeding and Secure.
Article 5—Storage limitation principle
Article 5 states that personal data should be kept only for as long as it is actually being used. In other words, if you don’t use it, lose it. Personal data might be stored for a specific period of time, like 180 days, or until a trigger event prompts its deletion, such as a user unsubscribing from all communication channels. Regardless of the parameters, you’ll always want to have a good reason to keep personal data and a strong management system to support it.
With Own, you don’t have to limit your data compliance capabilities, even when dealing with the storage limitation principle. Our backup and recovery solution, Recover, enables users to edit backup retention periods and their frequency. Whether you choose to conduct backups daily, weekly, monthly, or yearly, your data protection efforts stay consistent and adaptable, without risking your compliance.
Having a firm grasp on your storage limitations doesn’t stop there. Our security solution, Secure, helps manage the retention policies for Shield Field Audit Trail information. This way, your field change history is only kept as long as it needs to be.
With our archiving solution, you can trust that your data’s past won’t dictate your compliant future. Archive allows users to define, automate, and manage their archiving policies. These policies include what specific data is archived, how frequently data archiving activities occur, and how long that archived data is retained.
With all these granular storage capabilities, you can make choices that fulfill your unique data needs and GDPR’s strict regulatory requirements.
Article 15—Right of access
Providing your data is one thing; knowing what’s being done with it is another. Under GDPR Article 15, EU citizens (known as Data Subjects) are allowed to access information collected about them by companies, or Data Controllers, or by those who process the data, called Data Processors. And this information covers more than just the data itself; it discloses the data’s journey, from collection to storage to usage. Data Subjects can obtain this information by submitting a Data Subject Access Request (DSAR).
Per GDPR, businesses are required to respond to a DSAR within 30 days, making timeliness—and organization—an integral part of the compliance process. DSARs apply to all the data containing the Subject's information, whether in historical backups, archived records, or even in testing data living in sandboxes.
Recover’s Find functionality lets customers quickly and easily locate a Data Subject’s information and process DSARs. This capability streamlines sourcing and shortens response time, a benefit for both business compliance and the organization’s reputation.
With Secure, a timely DSAR response doesn’t have to turn into a scavenger hunt. Data classification, compliance categorization, fill rates, and export capabilities all help enable quick and efficient DSAR responses, starting with identifying the fields that will be part of a subject request.
And Data Subjects aren’t the only ones who will want access to their data’s footprint; admins will need it to help provide a DSAR in 30 days. Archive makes it easy for admins to search and find archived records through the Global Search Functionality. And if granted permissions, front-end users can also view and export (or unarchive if needed) archived records directly from Salesforce. This way, admins can help accelerate the request process, working with data from the past without stalling efficiency.
Article 16—Right to rectification
Whether it's an updated address, new email address, or name change, Data Subject information is constantly changing; what isn’t changing is their right to rectify it. Under Article 16, Data Subjects can replace incorrect data with accurate information or complete incomplete data. The Data Controller must rectify the data or make the dataset whole upon request.
The precision and accuracy valued in Article 16 are crucial for more than just Data Subjects; they’re important for data backup and restore capabilities, too. With Recover, you can make changes, big and small, to your vast, complex data, thanks to bulk editing capabilities. Once a record is rectified, it will be updated in all the backups (and future backups) under the same service. You can have peace of mind that your data protection efforts are equipped with the most up-to-date information without jeopardizing your compliance.
Article 17—Right to erasure
The Right to Erasure, or the right to be forgotten, says that Data Subjects have the right to have personal data erased. It also mandates that the Data Controller erase the data if it’s no longer being used for its original purpose or if the data was unlawfully processed.
Erasing data everywhere it needs to be erased doesn’t have to add to your workload if you have the right solution. With Archive, you can easily satisfy Right to Erasure requests in several ways. With the Right to Be Forgotten software development kit (SDK), users can configure the SDK to send a Delete request based on the following criteria: Record Type, Field Name, and Value. You can also create a Purge Policy to immediately delete a group of records and submit a ticket to Own Support to assist with the request.
The Right to Erasure is also honored with Recover. Recover enables you to forget specific data from your backups. With a simple search, you can locate all occurrences and forget them all. Through swift, accurate action, you can rest easy, knowing that you’re honoring both Data Subjects’ rights and your organization’s compliance.
If you’re working in a sandbox, Sandbox Seeding anonymizes data from production or any other sandboxes. This keeps data protection efforts intact while encouraging experimentation and creativity in this unique environment.
Simplify GDPR Compliance with Own
If you’re capturing and storing personal data of European Data Subjects—regardless of your organization’s location—GDPR must be top of mind. While GDPR compliance isn’t optional, you have a say in how smooth your data compliance journey will be, starting with your third-party data protection solution. With Own, you can trust that GDPR regulations and your unique data needs are being supported across all products in all environments.
To learn about other GDPR principles and how Own supports customer compliance across all products, download ‘The GDPR and Your SaaS Data’ now.