How Salesforce Enables GDPR Compliance
The right to be forgotten has taken the world by storm, and the European Parliament's General Data Protection Regulation (GDPR) has had marketers anxious and worried for months. GDPR has forced organizations to rethink customer data and privacy with a ‘Privacy by Design’ approach. This means consent from customers is required to hold their data.
Apart from posing a burden for marketing and data professionals, GDPR also means a huge change in internal processes. Salesforce’s Spring ’18 Release solved this to a large extent, containing essential components for data protection and privacy.
Managing Consent
GDPR puts the onus on corporations to ensure they have the right approval from their users on how to leverage the data they have collected. Salesforce has configured privacy settings across the various roles in an organization. Customers can combine Standard Objects and their settings, Custom Objects, and their own business workflows to configure their compliance requirements.
The ‘Individual’ object
A new standard object called ‘Individual’ was released in Salesforce Spring ’18. It essentially registers a person’s data preferences – how they wish their data to be stored, used, and shared. ‘Individual’ records have a lookup relationship to a Lead, Person Account, Contact, and custom object, carrying extra contextual information. The User object can also be linked via Apex, which means that a person who appears as a Lead, Contact, or Person Account can have all of those records related to a single Individual record.
The Individual object can hold a higher level of consent data. In the future, Salesforce is expected to launch Consent objects to control the type of consent, date of obtaining and expiry, as required by GDPR. Until they become available you can create these as custom objects.
The ‘Individual’ object can be enabled from Setup. It can be found under ‘Data Protection and Privacy’. After clicking Edit, check the box ‘Make data protection details available in records’. Once you add the ‘Individual’ field to the Lead and Contact page layouts, you can associate a Contact or Lead with its relevant ‘Individual’ record via lookup.
Out-of-the-box records are basic but functional. These fields are ready for use; you do not need to create them.
Checkboxes:
- Don’t Market, Don’t Process, Don’t Profile, Don’t Track
- Block Geolocation Tracking
- Export Individual’s Data
- Ok to Store Personally Identifiable Information Data Elsewhere, also known as data transfer
- Forget this Individual
Change Tracking:
- Created by/Date
- Modified by/Date
Creating Individual records
Instead of using Apex to create Individual records one by one, take a segmented approach. Start with records with the strongest consent.
- Create an Individual record related to every Contact that has a contract with the organization. Add the Privacy Permission record with a Privacy Source of “contract” to validate your contractual agreement to process data at the time an individual is a customer.
- Look at all Contacts with open Opportunities. Before creating a new Individual record, check whether one already exists and, if so, connect it to the Contact. Add the Privacy Permission record with a Privacy Source of “Legitimate Interest” to validate that the individual is an engaged customer and can have a shared legitimate interest in your organization.
- Look at Contacts connected to campaigns and determine how long ago the campaigns were held and whether the person actually consented to you holding their data. If you have a record of them opting in, this consent may still be valid, but still check with the legal team.
- Look at your Lead data and assess whether you have evidence of the individual actually consenting to you holding their data.
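The segmented approach above can be planned offline against exported Contact and Lead rows before anything is loaded into Salesforce. The following is an added example, not Salesforce or author code: the record fields, the email-based matching key, and the Privacy Source names "Campaign Opt-In" and "Lead Consent" are assumptions for illustration, and the sample rows are constructed.

```python
# Added example: plan Individual records from exported rows, strongest consent first.
# Field names and the last two Privacy Source values are hypothetical.
SOURCES = ["contract", "Legitimate Interest", "Campaign Opt-In", "Lead Consent"]
RANK = {name: i for i, name in enumerate(SOURCES)}  # lower rank = stronger basis

def basis_for(rec):
    """Return (privacy_source, needs_legal_review), or None if nothing is recorded."""
    if rec["type"] == "Contact":
        if rec.get("has_contract"):
            return "contract", False
        if rec.get("open_opportunities", 0) > 0:
            return "Legitimate Interest", False
        if rec.get("campaign_opt_in"):
            # An old opt-in may still be valid, but legal should confirm it.
            return "Campaign Opt-In", True
    if rec["type"] == "Lead" and rec.get("consent_evidence"):
        return "Lead Consent", False
    return None

def plan_backfill(records):
    """Group records per person and keep the strongest recorded basis for each."""
    plan = {}
    for rec in records:
        # Assumption: email identifies a person; rows without one stay separate.
        key = (rec.get("email") or rec["id"]).strip().lower()
        ind = plan.setdefault(key, {"linked": [], "source": None, "legal_review": False})
        ind["linked"].append(rec["id"])  # reuse the existing Individual, never duplicate
        basis = basis_for(rec)
        if basis and (ind["source"] is None or RANK[basis[0]] < RANK[ind["source"]]):
            ind["source"], ind["legal_review"] = basis
    return plan

# Constructed sample export.
RECORDS = [
    {"id": "C-1", "type": "Contact", "email": "Ana@Example.com", "has_contract": True},
    {"id": "L-1", "type": "Lead", "email": "ana@example.com"},
    {"id": "C-2", "type": "Contact", "email": "ben@example.com",
     "open_opportunities": 2, "campaign_opt_in": True},
    {"id": "C-3", "type": "Contact", "email": "cy@example.com", "campaign_opt_in": True},
    {"id": "L-2", "type": "Lead", "email": "dee@example.com"},
]

if __name__ == "__main__":
    for person, ind in plan_backfill(RECORDS).items():
        print(person, ind)
```

Entries whose `source` stays `None` have no recorded basis and need assessment before any Privacy Permission record is created for them.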
Enabling compliance
Storing customer information is important for enabling efficiencies and control over data processing. The Individual object can be used as the basis of workflows such as deletion of data that has been kept for longer than is necessary. Salesforce users can leverage standard reporting to categorize and filter records before executing mass actions, such as sharing with third parties. Using Salesforce reports for campaign segmentation means one can be sure of excluding anyone who has opted out of marketing communications and who does not wish to be profiled.
A ‘Privacy by Design’ approach in Salesforce is sure to reap long-term benefits using the Individual object and adding custom consent objects. Using the Individual object as the basis of privacy data is important. If you want your organization to be GDPR-compliant, it is important to track consent data in custom objects.
Portability
Under GDPR, corporations are required to share the personal data they have acquired about an individual in an easy-to-understand format. Salesforce enables corporations to export data in several such formats, including CSV, XLS, JSON, and XML.
Data Security
Security is one of the key principles of the GDPR, and measures are required to protect personal data. Some of the measures include user authentication and access controls. Corporations leveraging the Salesforce platform can rest assured about cloud security and can deploy access controls and other measures to secure their data.
Wrapping Up
There are various solutions out there that enable corporations to become GDPR compliant, but if a corporation is looking at securing its data and complying with the regulations set forth by GDPR, Salesforce can be one of the easiest solutions to implement.