GDPR Overview for Salesforce Admins & Developers
- AUTHOR Robert Watson
- May 10, 2018
Disclaimer: Any concerns over data that you or your company collects should be discussed with a lawyer. This blog post is meant for informational purposes only and should not be relied upon for legal advice.
With the European Union’s GDPR (General Data Protection Regulation) enforcement date of May 25th fast approaching, it is important to understand how Salesforce is supporting companies in their GDPR readiness efforts. There are several resources available on Salesforce’s Data Protection and Privacy page including guidance on data deletion, tracking customer consent, and processing personal data that are not only relevant to the new GDPR regulations, but to other privacy regulations such as HIPAA as well.
Salesforce’s Individual Object
Salesforce introduced the Individual object in the Spring ‘18 release. This object does not exist in all orgs – a Salesforce administrator must first enable it from the Data Protection and Privacy configuration page.
Upon enabling this feature, administrators and developers can start using the Individual object. Additionally, a lookup to the Individual object is added to the lead, contact, and person account objects.
The Individual object represents a person’s data collection preferences – such as whether or not they wish to be tracked, whether they want to be forgotten, or whether their data may be processed. These preferences are all represented by checkboxes on the record. An individual record is not limited to being associated with only one lead, contact, or person account record; this means that if a lead and contact record both exist for the same person, this person’s preferences can be tracked in a single individual record that is linked from both the lead and contact record.
What are some of the limitations of the Individual object?
Salesforce provides its customers with the ability to utilize the Individual object, but you must use and maintain this object based on your company’s own business processes. Enabling the object simply makes it available to you.
- Individual records are not automatically created for every new lead, contact, or person account
- Workflows and process builder cannot yet be used on the Individual object
- Using the Individual object does not automatically mean that your company is GDPR compliant – it is merely a mechanism for making it easier to implement compliance.
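Because individual records are not created automatically, linking existing leads and contacts is left to your own code or process. The Apex sketch below is an added example, not code from Salesforce or from this post; it assumes the Individual object is enabled and, purely for illustration, that a shared email address identifies the same person. The class and method names are hypothetical.

```apex
// Added example: give every Lead and Contact that shares an email one Individual.
// Assumption: matching on Email is a stand-in for your own identity-matching rule.
public with sharing class IndividualLinker {
    public static void linkByEmail(Set<String> emails) {
        List<SObject> people = new List<SObject>();
        people.addAll((List<SObject>) [SELECT FirstName, LastName, Email, IndividualId
                                       FROM Contact WHERE Email IN :emails]);
        people.addAll((List<SObject>) [SELECT FirstName, LastName, Email, IndividualId
                                       FROM Lead WHERE Email IN :emails AND IsConverted = false]);

        // Pass 1: reuse an Individual already linked to any record for that email.
        // Records already linked to different Individuals are left untouched.
        Map<String, Id> individualIdByEmail = new Map<String, Id>();
        for (SObject p : people) {
            if (p.get('IndividualId') != null) {
                individualIdByEmail.put(key(p), (Id) p.get('IndividualId'));
            }
        }
        // Pass 2: create one Individual per email that has none yet.
        Map<String, Individual> created = new Map<String, Individual>();
        for (SObject p : people) {
            String k = key(p);
            if (!individualIdByEmail.containsKey(k) && !created.containsKey(k)) {
                created.put(k, new Individual(
                    FirstName = (String) p.get('FirstName'),
                    LastName = (String) p.get('LastName')));
            }
        }
        List<Individual> newIndividuals = created.values();
        insert newIndividuals;
        for (String k : created.keySet()) {
            individualIdByEmail.put(k, created.get(k).Id);
        }
        // Pass 3: point every still-unlinked Lead and Contact at the shared Individual.
        List<SObject> toUpdate = new List<SObject>();
        for (SObject p : people) {
            if (p.get('IndividualId') == null) {
                p.put('IndividualId', individualIdByEmail.get(key(p)));
                toUpdate.add(p);
            }
        }
        update toUpdate;
    }

    // Case-insensitive match key; the queries above only return records with an Email.
    private static String key(SObject p) {
        return ((String) p.get('Email')).toLowerCase();
    }
}
```

New Individual records start with all preference checkboxes unchecked, so the person's actual choices still have to be recorded through your consent process.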
What additional functionality is coming in the future?
In the immediate future, Salesforce has a few improvements pertaining to GDPR coming in the Summer ‘18 release, including:
- Better merge support when both the lead and contact are associated to unique individual records
- Providing missing standard Salesforce functionality for the Individual object, such as the ability to create record types and validation rules for the Individual object or use it in workflow and process builder
- The capability to scramble users’ personal information (remember: your Salesforce users are people too – GDPR regulations also apply to individuals employed or formerly employed by your organization)
“Where is all of our data stored?”
GDPR compliance can certainly seem daunting, especially if personal information is stored on multiple databases. Having Salesforce as a consolidated CRM with fewer databases of records to maintain is certain to limit GDPR headaches.
Most Full Circle Insights products are native to the Salesforce platform. This month we announced our new Digital Source Tracker product, a solution to understand the effectiveness of digital marketing tactics and their impact on revenue. Digital Source Tracker interacts with a database outside of the Salesforce platform, but we utilize the Individual object as the source of truth for whether or not an individual’s digital information should be tracked and stored. We hope this will make your efforts to ensure GDPR compliance as quick and painless as possible. Cheers!