Walter Scott Exceeds GDPR Requirements for Salesforce Backups with Own
Walter Scott & Partners Limited (Walter Scott) was established in 1983 to manage long-term equity portfolios for institutional investors around the world. The firm is a non-bank subsidiary and 100% owned by The Bank of New York Mellon Corporation. All operations are based in Edinburgh, Scotland. Original research is at the core of the firm’s investment process, which is structured to identify companies capable of sustained high rates of internal wealth generation. This is the firm’s primary value-adding activity and is carried out by its own investment professionals.
Walter Scott stores core business data on Salesforce, including client personally identifiable information (PII), client communications, events attended, and internal gifts and event entertainment. This client data is fed into many other Walter Scott applications including their dealing, administration, and document management applications. Client mailings and key client correspondence are also stored in Salesforce. A weekly backup of all Salesforce data and configuration was taken and stored separately as a .CSV file on a corporate server in case of any restore requirements.
For any companies still not in compliance with GDPR, the consequences of such non-compliance can be expensive. GDPR fines typically range from 10 to 20 million euros or potentially 2 to 4 percent of an organisation’s total, worldwide revenue, whichever is higher. Violations can be deemed lower level, such as Article 32—security of processing, or upper level, such as Article 7—right to consent, Article 16—the right to rectification, Article 17—right to erasure, and Article 20—right to data portability.
Walter Scott prepared for GDPR by:
After assessing their preparedness, Walter Scott was comfortable that they could efficiently respond to Subject Access Requests (SARs) within their live Salesforce instance. They were not certain they would be able to respond to such requests within their Weekly Export .CSV files without a great deal of manual effort. With this backup method, the SARs response process for backed-up data would be challenging and time-consuming. If Walter Scott received a SAR for erasure or rectification, the process would include searching for each data subject within multiple .CSV files and editing fields for each of those subjects within each individual .CSV file.
Under GDPR, companies may only retain necessary EU Subject data. They must archive or remove anything else. Tracking and removing specific EU Subject data would be extremely manual with the Weekly Export. Walter Scott’s admin team would have to manually archive or delete data so that nothing would be kept past their set retention period.
The Weekly Export did not meet the data resiliency or encryption requirements of GDPR Article 32. In the event of a data loss or corruption, recovery could take days with .CSV files and they would not be able to restore to a specific point in time other than the end of the week. Furthermore, a data loss or corruption would interfere with Walter Scott’s real-time communication system, interrupt reporting, and waste business time and money.
With Own, Walter Scott can easily search within their backup archives to find PII and swiftly respond to Subject Access Requests. Unlike other cloud-to-cloud backup competitors, Own allows Walter Scott to maintain full control over responding to Subject Access Requests with their self-service interface. Additionally, full data retention controls enable their data governance team to align with internal corporate policies. Own aligns with GDPR Article 32, secure data processing of PII, by encrypting data in transit and at rest and ensuring immutable/unchangeable backups.
Own’s simple onboarding process allowed Walter Scott to begin backing up their Salesforce data in minutes. With Own, Walter Scott has improved their Recovery Point Objective (RPO) from one week with the Weekly Export to less than a day. Walter Scott also reduced their Recovery Time Objective (RTO) from five weeks with the Weekly Export to less than one day.
"With Own, Walter Scott can easily search within their backup archives to find PII and swiftly respond for Subject Access Requests...Own allows Walter Scott to maintain full control over responding to Subject Access Requests with their self- service interface."