On May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR), a groundbreaking regulation built to safeguard privacy rights and regulate how businesses collect, store, process, and use personal data. From enhanced privacy rights and stronger data security measures to greater accountability and scrutiny on cross-border data transfers, GDPR has since reshaped global business operations and driven profound transformations in data practices.
To mark its fifth anniversary, Salesforce’s Ed Britan, Head of Global Privacy, and Stephanie Finck, Vice President of EMEA Government Affairs, reflect on the global impact of GDPR and how it may serve as a bellwether for future responsible tech regulation.
GDPR sets a strong precedent for ongoing digital transformation globally
- The EU’s regulations don’t just apply to the EU — they have global impact. Any company that does business in Europe must adhere to the GDPR and, depending on the industry, other standards as well, such as the Digital Operational Resilience Act (DORA).
- “As the regulatory environment becomes more complex, businesses should approach this as an opportunity to put their customers at the center of their operations. This means they should not only focus on what’s legally required for data privacy and security, but what’s required from a trust perspective. Every company should look at their data strategy and ask, ‘What do our customers expect?’ and work to achieve, if not exceed, that,” said Finck.
Organizations control their data, including where it is stored and processed
- “Beyond regulations, businesses increasingly want to keep their data within certain jurisdictional boundaries to address their business objectives and regulatory risk. Customers should benefit from the best technology available, while maintaining appropriate control over their data,” said Finck.
- It is in this context that Salesforce announced the Hyperforce EU Operating Zone, a new way of combining the company’s industry-leading products on Hyperforce with 24/7 customer and technical support in the EU, and strictly controlled access to customer data by EU-based personnel only. This provides an enhanced level of data residency commitment, giving Salesforce customers the choice and control they need to keep their data within the EU.
Setting a baseline for responsible AI development
- The EU is relying on GDPR to regulate AI and generative AI and building on that baseline with trailblazing AI-specific legislation.
- Other regions are beginning to follow suit as they rush to catch up with the technological boom.
- “The potential of generative AI is immense, and so is our responsibility. Since AI is based on data, dialogue between regulators, businesses, and civil society is critical to ensuring the proper collection and protection of that data, while also helping to unlock the economic opportunities associated with these emerging technologies,” said Britan.
Working together to promote sound technology policy
- Since GDPR went into effect five years ago, it has served as a model for other comprehensive privacy laws, including those passed in the UK, Japan, Brazil, Kenya, Thailand, and the U.S. states of California, Virginia, Colorado, Connecticut, Tennessee, Indiana, Utah, Iowa, Washington, Florida, and Montana.
- “We are actively advocating for the US to pass a national comprehensive privacy law that also builds upon, and is interoperable with, the current global privacy standard. Additionally, we applaud the efforts of the EU-US Trade and Technology Council (TTC) and the new EU-US Data Protection Framework to further strengthen privacy protections on both sides of the Atlantic,” said Britan.
Salesforce has a long-standing commitment to privacy and security and has embraced EU standards
- Salesforce was the first enterprise software company to achieve approval for its processor Binding Corporate Rules (BCRs) in November 2015.
- Salesforce incorporated the most recent Standard Contractual Clauses of the European Commission into contracts, along with industry-leading commitments around challenging government access requests and auditing Salesforce services.
- Salesforce is a member of Gaia-X and a founding member of, and has achieved Level 2 compliance with, the EU Cloud Code of Conduct, the first-of-its-kind Code allowing cloud service providers to demonstrate their compliance with GDPR.
Go deeper:
- Learn more about the General Data Protection Regulation (GDPR) and how to comply on Trailhead
- Review how regulations could potentially impact businesses on Salesforce’s privacy center and privacy regulations page
- Learn about the ways Salesforce is guiding the development of trusted generative AI