Marketers / Marketing Ops

5 Essential Salesforce CRM Additions to be GDPR Compliant

By Peter Connell

The GDPR (General Data Protection Regulation) has been a topic pre-occupying marketers, and urgency is rising with the enactment date fast approaching. By the 25th May 2018, organisations will need to have GDPR-compliant processes in place that justify any personal data processing, in order to avoid the penalties associated with breaches.  

The headline requirements have sent many into a frenzy, as they are unfamiliar, strict, and above all, difficult to manage. The reality is that countless organisations wish there was a way to accelerate their journey towards compliance, but often, roadblocks exist at the foundation: the CRM. This post will talk about what is required on top of the core Salesforce CRM – the essential new functionality – in order to become compliant with the new requirements of GDPR.

Salesforce Individual Object

The new Individual object in Salesforce CRM is a good start towards fulfilling the requirements of GDPR. Individual records are related tightly to any person record in Salesforce, be it a Lead, Contact, or Person Account. It is designed to hold personal data preferences and details for processing.

A number of fields come out of the box with this object, for example:

  • Don’t Profile
  • Don’t Track
  • Block Geolocation Tracking
  • Ok to Store PII Data Elsewhere

Although the Individual object is a good start, many organisations will likely find its out-of-the-box functionality insufficient. As different teams across the whole organisation move towards working in compliance with GDPR, data processing needs to become more controlled, clearer, and above all, user-friendly. Now, this piece will go on to talk about the essentials that need to be considered and built into Salesforce, to manage data processing beyond the Individual object.

1. Lawful Basis

To process personal data, you will need a ‘Lawful Basis’ for doing so. There are 6 pre-defined categories, and you must match the Lawful Basis most appropriate to your relationship to the person and what you plan to do with their data. The categories are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

The ‘Lawful Basis’ that marketers will leverage most will be ‘Consent’. Consent is the most widespread Lawful Basis, relevant to any pre-purchase prospects (that is, before someone signs a contract and becomes a customer). There has been plenty said on how Marketing activities will have a strong dependency on consent, if you want more information, check out what the reputable ICO say. Remember to focus on what is suited to your marketing; while consent will mostly be used for B2C, it is likely that Legitimate Interest will be widely used for B2B.

GDPR-proofing your CRM

The Lawful Basis must be disclosed in your Privacy Policy, the cornerstone document regarding personal data processing. Organisations have been actively reviewing customer-facing documentation, but have been hesitant about deciding how this information will be stored in the CRM. A record of Lawful Basis will need to be produced on demand, that will confirm you have the right to process the personal data of every person record stored in your CRM.

It doesn’t stop there. There is added complexity when we consider that some Lawful Basis have unique requirements, such as ‘Consent’, which decays over time, and ‘Legitimate Interest’, which demands additional details. Data is constantly changing, which means that someone needs to be monitoring the state of record data – a taxing responsibility without the right built-in CRM functionality.

2. Processing Reasons

Processing Reason is simply what your organisation uses data for. You could think of it in terms of your business functions, such as marketing, executing a contract, analysis, customer service. Clearly, you need to cast your consideration across the whole business when defining these reasons.

That’s the high-level processing reasons, but it’s not enough – you need to get more granular.

Processing Reasons will apply to a particular product, product group or service. Now, you could describe them as categories; examples here could include: pet insurance marketing, or car insurance marketing.

3. Channels

We live in an age where we can no longer count the number of marketing channels on two hands, as product suites become more sophisticated and make multi-channel marketing possible. Classic examples include phone, email, SMS, direct mail. However, think beyond marketing – what channels are sales, customer service, and other departments using to communicate with individuals? The list could grow faster than you initially thought.

GDPR-proofing your CRM

Individuals can decide which communication channels they prefer per Processing Reason (point 2) category. As you can imagine, this will create a complex matrix that matches the Processing Reason, the channel, and whether they consent to this channel being used for that reason. The below image shows an example matrix come to life on a contact record in Salesforce.

4. Privacy Details Search

As mentioned, data processing needs to become user-friendly as teams move towards working in compliance with GDPR. Sales and marketing teams need to quickly identify which records are available for a marketing campaign.

This can get tricky and time-consuming when we consider all the new obligations related to GDPR. Searching for the relevant people in the database, based on their privacy details, will be very important.

GDPR-proofing your CRM

What the smartest organisations will do, however, is use this insight to drive communication. For example, a phone campaign could be based on all the people with consent expiring next week for Pet Insurance; for this, you will need to identify records that have an active Lawful Basis “next week” for a certain category. Clearly, this requires robust Privacy Criteria Search functionality to filter with ease.


5. Deleted Records

The new regulation outlines several ‘Individual rights’ which give people additional rights to see and amend their personal data. Organisations must be prepared to act on such requests, one of which is the ‘right to erasure’.

GDPR-proofing your CRM

Simply put, if an individual requests that you delete their data (and it is a warranted request), it must be done in a timely manner. Not only that, it is even better to be able to show proof relating to the deletion. Having a log of deleted record is beneficial for both the data subject (contact) for confirmation, and internally for cross-referencing data in the future.


With the GDPR enactment date fast approaching, many wish there was a way to accelerate their journey towards compliance with the stricter regulation. Your CRM is the foundation of your database, and overcoming common roadblocks with this invaluable tool will support the rest of the changes required across the organisations.

This post has covered what is required on top of the core Salesforce CRM in order to become compliant with the new requirements of GDPR, and become the solid foundation for GDPR-proof personal data management.

About DataPro Tools

DataPro Tools is a Salesforce app that has been created so that users can have General Data Protection Regulation functionality within their CRM system. This includes, among other things, management of lawful reasons and permissions, right to be deleted, extensive filtering and preference management. DataPro Tools is part of QSS (Quality System Solutions), who provide market-leading software solutions dedicated to helping customers thrive and grow. They have been established in the CRM industry for  27 years with customers in over 30 countries.

Visit the website for more information on the application’s features:

The Author

Peter Connell

Peter runs DataPro Tools, an expert when it comes to tracking and managing Data Privacy in Salesforce CRM with over 20 years experience in the CRM industry.

Leave a Reply