GDPR and the Remedyforce application
Remedyforce is an application that sits on the Salesforce platform. The Salesforce platform provides capabilities that can help administrators address the personal data protection and privacy requirements associated with the General Data Protection Regulation (GDPR). The GDPR is a set of rules and principles governing the handling of personal data of individuals located in the European Union (EU).
This BMC document provides general information about the General Data Protection Regulation (GDPR) and GDPR key requirements. It is not intended to provide any legal advice. The GDPR can be found at https://ec.europa.eu/info/law/law-topic/data-protection_en. Under this new Regulation, any organization handling personal data of European Union residents, regardless of its location, needs to understand which GDPR requirements apply to its organization and accordingly devise a plan for adjusting its systems and processes and for educating its people. Although BMC is not in the business of data privacy compliance software, some of the features of the Remedyforce product can help customers meet some requirements of the GDPR. For more information about how BMC solutions can help achieve the requirements of GDPR, see https://www.bmc.com/it-solutions/gdpr-compliance.html.
The GDPR introduces rights for individuals that includes the control, use, and protection of personal data and obligations for data controllers and processors in the EU and European Economic Area (EU/EEA). Under the regulation, regardless of the location of the company or the company’s service providers, the GDPR requires anyone processing, holding, or making decisions about the purpose and use of any personal data of EU citizens to:
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Demonstrate processes for regularly testing, assessing, and evaluating the effectiveness of these measures for ensuring the security of the processing.
The following sections provide more information about GDPR and provisions offered by Salesforce that caters to GDPR requirements:
Key requirements for managing personal data
The data by which an individual can be identified personally is referred to as personal data. The GDPR allows individuals to control and own their personal data. GPDR applies to the processing of personal data in the EU, regardless of whether the processing takes place in the EU. The following are the key requirements of the GDPR, but for more details, see https://www.eugdpr.org/:.
Personal data in Remedyforce out-of-the-box objects
Personal data can include data such as name, phone number, email address, government ID numbers, locations, credit card numbers, IP addresses, and similar information that can identify an individual personally. This information comes from the user directly, from a database, or is imported from other external sources. The following out-of-the-box objects might have personal data and as a result the GDPR requirements need to be considered. In addition to these, there might be additional objects in your environment based on your customizations and configuration that need to be considered.
- Incident/Service Request
- Change Request
- Base Element
Salesforce and data protection
Because Remedyforce runs on the Salesforce platform, the following requirements for data protection that Salesforce offers are also applicable for Remedyforce. For more information about the Salesforce readiness for the GDPR, see .
Right to be Forgotten
Individuals can also request for deletion or removal of their personal data in situations such as the following:
- When the data is no longer needed for the original purpose.
- When an individual withdraws consent.
- When an individual objects to the processing of data and the controller has no overriding legitimate interest in the processing.
Based on the organization's policies, administrators might choose to anonymize or delete the data by using the following methods:
- User records cannot be deleted. However, they can be deactivated to prevent further usage. The values in the required fields, such as email and username, can be changed to anonymize the data. If the organization uses Contacts or Leads for storing data for individuals, then records can be deleted or anonymized.
- If records associated with an individual are to be deleted, then administrators can find the associated records, such as incidents, tasks, and change requests, and delete them. Deleting these records automatically deletes the related child records. For example, deleting an incident automatically deletes action history, service targets, notes, attachments, and chatter posts that are associated with this record.
- Additional steps might be taken to identify and remove any personal data in an unstructured data or free form text fields. Administrators can find and remove all references to an individual by performing a global search in Salesforce. After identifying the records, data can be replaced with generic information or can be manually removed.
For more information about data deletion, see .
Right to Data Portability
Salesforce offers the ability to export personal data through several methods. Data can be exported through APIs or through reports or data management options under the Setup menu. Personal data can be exported to multiple formats, including CSV, JSON, and XML. For more information about data portability, see .
Right to Restrict Processing
Individuals can request to block or suppress processing of their personal data. Records can be identified, exported, and deleted upon receiving a verified request to restrict processing by any party. This might be useful if an individual wants to temporarily restrict processing operations until their records are updated or when a legal hold is placed on certain records. If the restriction is lifted at a later date, the records can be reimported. For more information about restricting processing, see .
Right to Access
Individuals can request a report of their personal data that is collected. An administrator can provide user records by using a data loader. If an individual needs a report of all tickets that they submitted, the administrator can create a report based on the Client ID field or use the data loader to export the incidents submitted by an individual.
Individuals can update their details by using the My Profile option in Self Service, and staff can also also update an individual's information by using the Salesforce User Details page.
When an Incident is created, the client name, phone, and manager details are copied into the following fields:
- Client Name
- Client Phone
- Client Manager
Any change that an individual makes to user details is not reflected automatically in these fields in existing records. However, an administrator can update these fields manually for the individual.
Salesforce uses appropriate technical and organizational security measures to protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration. Salesforce has security built into every layer of the platform. The infrastructure layer comes with replication, backup, and disaster recovery planning. Network services have encryption in transit and advanced threat detection. Salesforce application services implement identity, authentication, and user permissions. Salesforce also offers an additional layer of trust with Salesforce Shield, including Platform Encryption, Event Monitoring, and Field Audit Trail. For more information about Salesforce security features, see the
Common information-gathering tools such as cookies are used to store information about user preferences and personalize the user experience for Remedyforce. When users visit certain pages, we or an authorized third party place a cookie on the browser, which collects information about user preferences for the specific feature. Remedyforce does not store any personal data in cookies. Cookies allow the application to determine the user's preferences and improve the application experience for individual users in their next login.
The persistent functional cookies are used which remain on user's computer or device after they close the browser or turn off the computer. These functional cookies allow the application to remember the choices user makes (such as user's selection of columns to be displayed in a view or preferred mode of communication for emails, etc.) and helps provide enhanced personalized features. Users can manage the placement of cookies on the browser via their individual browser settings. However, choosing to disable or opting out of cookies might limit the use of certain features or functions on the application or degrade the user experience.
Social Media Features
Remedyforce may provide its users an the option to post information about their activities in Remedyforce to social media such as Facebook, Twitter, LinkedIn, and so on ("Social Media Features"). Using such social media, users can post information about their activities and share with others in their network. User interactions with Social Media Features are governed by the privacy policies of the companies providing the relevant Social Media Features.