There is a 4 letter word that provokes an almost primal response in people across the globe in recent times... G D P R – which I’m sure I don’t need to explain the meaning of to anyone here, but basically it stands for the new General Data Protection Regulation.
In my role as a BRM for the BMC Remedyforce product I regularly field questions from customers around the 'compliance' of Remedyforce with GDPR. So let’s clear one thing up, GDPR does not relate to specific applications and in fact Salesforce explains GDPR as follows:
'GDPR establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU'.
For further information there is a great Salesforce Trailhead here: https://trailhead.salesforce.com/modules/european-union-privacy-law-basics
So, what is considered 'Personal Data' in Remedyforce terms, I hear you ask:
Personal data can include data such as name, phone number, email address, government ID numbers, locations, credit card numbers, IP addresses, and similar information that can identify an individual personally. This information comes from the user directly, from a database, or is imported from other external sources. The following out-of-the-box objects might have personal data and as a result the GDPR requirements need to be considered. In addition to these, there might be additional objects in your environment based on your customisations and configuration that need to be considered.
- Incident/Service Request
- Change Request
- Base Element
GDPR sets out various key requirements: https://www.eugdrp.org/
The above requirements are addressed by specific Salesforce features/processes, but one key item to mention is the Right to be Forgotten.
Your end users may request for deletion or removal of their personal data in situations such as the following:
- When the data is no longer needed for the original purpose.
- When an individual withdraws consent.
- When an individual objects to the processing of data and the controller has no overriding legitimate interest in the processing.
Based on the organisation's policies, administrators might choose to anonymise or delete the data by using the following methods:
- User records cannot be deleted. However, they can be deactivated to prevent further usage. The values in the required fields, such as email and username, can be changed to anonymise the data. If the organisation uses Contacts or Leads for storing data for individuals, then records can be deleted or anonymised.
- If records associated with an individual are to be deleted, then administrators can find the associated records, such as incidents, tasks, and change requests, and delete them. Deleting these records automatically deletes the related child records. For example, deleting an incident automatically deletes action history, service targets, notes, attachments, and chatter posts that are associated with this record.
- Additional steps might be taken to identify and remove any personal data in an unstructured data or free form text fields. Administrators can find and remove all references to an individual by performing a global search in Salesforce. After identifying the records, data can be replaced with generic information or can be manually removed.
For more information about data deletion, see
BMC has some great information on how our products can help you to minimise the impact of the new GDPR:
And finally, the following link provides information relating to GDPR and other regulations: