If your organization is running on Salesforce.com technologies, you are betting on the right horse in terms of platform security standards – but have you covered all necessary GDPR compliance principles since your initial setup?
An increasing number of businesses have reorganized their privacy efforts in order to comply with the GDPR, which has been in force since May 2018. With fines of up to €20 million or 4% of annual revenue, non-compliance can be a costly pitfall.
However, it is not only the legal and financial repercussions that motivate companies to take a closer look at their privacy compliance program. It is also the market that pushes companies to see privacy as a strategic advantage, to gain the trust of customers and to have an edge on their competitors. According to Parker Harris, co-founder of Salesforce, “Nothing is more important to our company than the privacy of our customers’ data”. Salesforce’s Chairman and CEO Marc Benioff believes that trust is the critical currency for any company or institution and that CEOs must become activists for their stakeholders to build trust. Looking at some of the Security, Privacy and Architecture documentation, Salesforce definitely walks the walk in terms of audits and certifications.
It’s safe to say that Salesforce has built the Fort Knox of Data Security.
That being said, compliance does not end here. Protecting your customer data from breaches is just one of many requirements organizations have to adhere to. Unfortunately, you are not off the hook just yet.
By definition, GDPR provides a legal framework that sets guidelines for the collection and processing of personal information of individuals in the European Union (EU).
So why is GDPR compliance such an important issue for Salesforce end-users?
Because Salesforce is designed to do exactly that – collect and process personal data to provide your business with a 360 degree view of your customer and “connect with them in a whole new way” while also keeping an eye on the productivity of your sales and customer service employees.
Here are 5 areas you should take a closer look at when evaluating the level of GDPR-Compliance of your Salesforce Org:
1. Data Processing Agreement with Salesforce
Let’s start with the easy stuff.
Salesforce, by design, processes data on behalf of your organization. Transferring personal data to a third party (in this case Salesforce.com) is admissible under the GDPR as long as certain conditions are met.
Generally speaking, the data controller (your business) is obliged to ensure that your data host (Salesforce.com) is not using the transferred personal data for its own business purposes.
In short: Salesforce is not allowed to leverage your contact and person account records for their own business purposes.
It is pretty obvious that they won’t, but to be on the safe side and for your own documentation, you should ensure that you sign a Data Processing Agreement with Salesforce.
Salesforce provides a template for this purpose: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
2. Access Concept – Record Access based on Need-to-know Principle
One of the first major fines under the GDPR (400,000.00 EUR) was issued against a hospital in Portugal that managed access rights for its internal hospital information system poorly. Sensitive patient data was exposed to a significant number of users without a legitimate business purpose.
Over the past 4.5 years, I have been a consultant to dozens of companies running their business operations on the Salesforce platform. A consistent observation is that things can get messy quickly, especially for organizations with a high degree of customization and a significant user base. It’s always easier to quickly issue administrator rights to a user (who can then see, edit and export any record within the Org) than to solve ad hoc visibility and access issues for individual users. This is especially true for companies that keep innovating and prototyping new business units within their existing technical setup.
The good news is that, out of the box, Salesforce offers state-of-the-art functionality within its Security Settings to administer, at a granular level, which active user can see, edit and export what within your Salesforce Org.
The bad news is that you will need to invest some effort and discipline in defining and abiding by a Roles and Profiles concept. This can be a tedious task, but it is a crucial step on the quest to GDPR compliance.
A basic role concept can start with assigning roles as:
- Management and Salesforce-Admins (extensive access rights)
- Middle Management (access rights to information relevant to their business unit)
- Employee (least extensive access rights, restricted to information regarding their own leads/contacts/accounts)
My advice: Don’t over-engineer Salesforce. GDPR does not intend to complicate your business in a disproportionate manner, so long as you have a legitimate reason to assign reasonable access rights within your company. You are not obliged to stifle the information flow within your organization.
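As an added illustration (not Salesforce’s own code or configuration; the sharing rule below is a simplified stand-in for what Salesforce’s role hierarchy and organisation-wide defaults enforce, and every user and record is constructed), the three-tier concept can be written down as an explicit need-to-know rule and reviewed before anyone touches Setup. The exposure report answers the question the Portuguese hospital case turned on, and the admin share flags the “just give them admin rights” shortcut becoming policy:

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    MANAGEMENT = "management"                # incl. Salesforce admins: extensive access
    MIDDLE_MANAGEMENT = "middle_management"  # information relevant to own business unit
    EMPLOYEE = "employee"                    # only their own leads/contacts/accounts


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    business_unit: str


@dataclass(frozen=True)
class Record:
    record_id: str       # constructed ids, not real Salesforce ids
    object_type: str     # "Lead", "Contact" or "Account"
    owner: str           # name of the owning user
    business_unit: str


def can_view(user: User, record: Record) -> bool:
    """Need-to-know rule for the three tiers: management sees everything,
    middle management sees its own business unit, employees see what they own."""
    if user.role is Role.MANAGEMENT:
        return True
    if user.role is Role.MIDDLE_MANAGEMENT:
        return record.business_unit == user.business_unit
    return record.owner == user.name


def visible_records(user: User, records: list[Record]) -> list[str]:
    """Ids of the records a user may see, edit and export."""
    return [r.record_id for r in records if can_view(user, r)]


def exposure_report(users: list[User], records: list[Record]) -> dict[str, list[str]]:
    """Per record, every user who can reach it. Review each entry and ask:
    does every listed user need this record for a legitimate purpose?"""
    return {r.record_id: sorted(u.name for u in users if can_view(u, r)) for r in records}


def admin_share(users: list[User]) -> float:
    """Share of active users holding the management/admin role."""
    admins = sum(1 for u in users if u.role is Role.MANAGEMENT)
    return admins / len(users) if users else 0.0


# Constructed sample org: one admin, one regional manager, three employees.
USERS = [
    User("alice", Role.MANAGEMENT, "HQ"),
    User("bob", Role.MIDDLE_MANAGEMENT, "EMEA"),
    User("carol", Role.EMPLOYEE, "EMEA"),
    User("dave", Role.EMPLOYEE, "APAC"),
    User("erin", Role.EMPLOYEE, "EMEA"),
]
RECORDS = [
    Record("L-0001", "Lead", "carol", "EMEA"),
    Record("C-0002", "Contact", "dave", "APAC"),
    Record("A-0003", "Account", "bob", "EMEA"),
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name:6} ({u.role.value}): {visible_records(u, RECORDS)}")
    print(exposure_report(USERS, RECORDS))
    print(f"admin share: {admin_share(USERS):.0%}")
```

Erin, an EMEA employee who owns nothing, correctly sees no records at all; that is the point of starting from the least extensive role and widening only where a business reason exists.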
3. AppExchange ISV Applications
87% of Salesforce customers leverage ISV (Independent Software Vendor) applications that can be found, purchased and installed via the Salesforce AppExchange.
When it comes to the Build vs. Buy decision, the AppExchange is rightfully seen as a game-changer, tipping the scale in favor of Buy. I have encountered companies leveraging 40+ individual applications to fulfill specific business purposes in a single Org.
On the one hand, this is obviously great in terms of time to market and liquidity planning, as companies avoid long and expensive development cycles to build custom applications. On the other hand, with regard to the GDPR, every ISV application actively consuming personal data from your Salesforce Org may pose a compliance risk to your organization. Assuming Salesforce is used for its intended purpose of managing all of your customer interactions, the vast majority of AppExchange applications are designed to process personal data in one form or another.
Remember what was stated about transferring your personal data to third parties (see above under Point 1). Yes, you will need a Data Processing Agreement with every single one of your ISV providers. This will be time consuming and tedious if you are using numerous applications. To make things even more complicated, I have seen many Data Processing Agreements of ISV providers that do not comply with the GDPR requirements set out in the law.
Unfortunately, Data Processing Agreements are not a compliance magic ‘potion’. You will also need to assess whether the ISV provider is solid when it comes to IT security. A good indicator of a SaaS provider’s IT security level is an ISO 27001 certification, which can be seen as the current international IT security gold standard.
To summarise, a high-level process recommendation:
If you have identified an ISV product that will solve a specific business challenge for your organisation, first check for information regarding the current IT security standards of the provider. If no information is available publicly, request it from the provider. If satisfactory, request the Data Processing Agreement prior to signing any contract or installing into your Org (this also applies to freemium or demo accounts). Always have your GDPR consultant review the Data Processing Agreement for loopholes and inaccuracies. If everything is legit, go for it.
Remember to enforce this with every new ISV application. If you have applications live already, work backwards.
4. Privacy by Design
Every day, new customers move their business operations to the Salesforce platform while existing customers leverage the agility of the technology to innovate and prototype new revenue streams.
Whether you are doing a fresh implementation or iterating on your existing Salesforce Org, you are advised to follow the principle of ‘privacy by design’. This principle requires you to consider data protection aspects in the early stages of developing any system that will be used to process personal data within your business operations.
Your business is obliged to develop ‘privacy-friendly’ technology by including features that consider the risks to individuals’ data. But what does that mean in practice?
Have these things in mind from the get-go:
- Is my data protection officer/privacy lawyer involved in the system implementation?
- Is the personal data processed securely in terms of IT security (implementation of technical and organizational measures)?
- Are we only processing the personal data that we really need (‘data minimisation’)?
- Can we delete personal data that is no longer needed (‘storage limitation’)?
Take a look at this guideline drafted by the European Union Agency for Network and Information Security (‘ENISA’) for further practical information: https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
5. Data Subject Rights
The main objective of GDPR is to strengthen the rights of data subjects within the commercial world. A data subject is any human being whose data is collected, irrespective of the purpose of data collection. This can be any customer, partner or employee, and so in Salesforce terminology, we are talking about lead, contact or person account records.
As a result, the GDPR grants data subjects the following rights, among others, when it comes to their personal data:
- Right to access – individuals have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days.
- Right to rectification – individuals may request the rectification of false data in the system. Are you able to change relevant data fields that may be incorrect?
- Right to erasure – individuals may request data to be deleted. Do you have a retention policy in place?
- Right to data portability – individuals can demand the extraction of their personal data in a machine-readable format under the GDPR. This is quite a novelty under the new regulation and was meant to facilitate the switching of service providers (originally it aimed to break the data monopoly of Facebook, but now every data controller is required to be able to act on such a request).
Whether you run a B2B or B2C model, you will definitely want to figure out how you can automate specific data subject right processes within your Salesforce Org in order to stay efficient in your day-to-day operations.
If you are only using Salesforce core products (i.e. Sales Cloud, Service Cloud), this can be straightforward. If you are using 40+ ISV applications that are processing personal data outside of Salesforce, there’s a high chance it won’t be simple.
If you find yourself in the second situation, I would strongly recommend that you speak with your implementation partner and GDPR consultant to draw up compliant processes and have them implemented ASAP.
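To make the automation question concrete, here is an added example (not Salesforce code and not calling the Salesforce API; the store, the record ids and the data subject are all constructed) that handles the four rights listed above against an in-memory set of Lead, Contact and Person Account records. It also applies the ‘storage limitation’ question from the privacy-by-design section: erasure deletes what may be deleted and reports what a retention duty still blocks, rather than silently keeping or silently destroying such records. The `retain_until` field and the 30-day response window are assumptions taken from the text, not Salesforce fields.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Response window for an access request, as stated in the article.
RESPONSE_DEADLINE_DAYS = 30


@dataclass
class Record:
    record_id: str            # constructed ids, not real Salesforce ids
    object_type: str          # "Lead", "Contact" or "PersonAccount"
    email: str                # the key used to match a data subject across objects
    data: dict = field(default_factory=dict)
    # Constructed stand-in for a statutory retention duty (e.g. invoicing):
    # the record may not be erased before this date.
    retain_until: Optional[date] = None


def build_sample_store() -> dict[str, Record]:
    """Constructed sample data: one data subject spread over three objects,
    plus an unrelated contact that must never leak into her export."""
    return {
        r.record_id: r
        for r in [
            Record("L-0001", "Lead", "anna@example.com",
                   {"FirstName": "Anna", "LastName": "Meier", "Company": "ACME"}),
            Record("C-0002", "Contact", "Anna@Example.com",
                   {"FirstName": "Anna", "LastName": "Meier", "Phone": "+49 30 000000"}),
            Record("PA-0003", "PersonAccount", "anna@example.com",
                   {"Name": "Anna Meier", "LastInvoice": "2023-11-02"},
                   retain_until=date(2030, 1, 1)),
            Record("C-0004", "Contact", "bob@example.com",
                   {"FirstName": "Bob", "LastName": "Keller"}),
        ]
    }


def find_subject_records(store: dict[str, Record], email: str) -> list[Record]:
    """All records belonging to one data subject; case-insensitive so a
    differently cased email on a Lead is not missed."""
    return sorted((r for r in store.values() if r.email.lower() == email.lower()),
                  key=lambda r: r.record_id)


def access_export_records(store: dict[str, Record], email: str) -> list[dict]:
    """Right to access: everything held on the subject, as plain dicts."""
    return [
        {"record_id": r.record_id, "object_type": r.object_type,
         "email": r.email, "data": r.data}
        for r in find_subject_records(store, email)
    ]


def access_export(store: dict[str, Record], email: str) -> str:
    """Right to data portability: the same export as machine-readable JSON."""
    return json.dumps(access_export_records(store, email), indent=2, sort_keys=True)


def rectify(store: dict[str, Record], email: str, field_name: str, new_value) -> int:
    """Right to rectification: correct a field wherever it exists on the
    subject's records. Returns the number of records changed."""
    changed = 0
    for r in find_subject_records(store, email):
        if field_name in r.data and r.data[field_name] != new_value:
            r.data[field_name] = new_value
            changed += 1
    return changed


def erase(store: dict[str, Record], email: str, today: date):
    """Right to erasure with storage limitation: returns (deleted ids,
    [(retained id, retention end date)]) so the reply to the subject can
    state exactly what was kept and why."""
    deleted, retained = [], []
    for r in find_subject_records(store, email):
        if r.retain_until is not None and r.retain_until > today:
            retained.append((r.record_id, r.retain_until.isoformat()))
        else:
            del store[r.record_id]
            deleted.append(r.record_id)
    return deleted, retained


def response_due(received: date) -> date:
    """Last day on which the controller must answer a request received on `received`."""
    return received + timedelta(days=RESPONSE_DEADLINE_DAYS)


def is_overdue(received: date, today: date) -> bool:
    return today > response_due(received)


if __name__ == "__main__":
    store = build_sample_store()
    print(access_export(store, "anna@example.com"))
    print("rectified:", rectify(store, "anna@example.com", "LastName", "Meyer"))
    print("erase:", erase(store, "anna@example.com", date(2024, 6, 1)))
    print("due:", response_due(date(2024, 5, 2)))
```

The matching key is the weak spot of any such process: if a subject appears under two email addresses, or only under a phone number on a Lead, a single-key lookup misses records, so in a real Org the search should run over every identifier the intake form collected.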
GDPR and CRM are deeply entwined, and this article only scratches the surface. You will probably still have a long way to go on your quest to GDPR compliance – but don’t forget: Rome was not built in a day. As long as you actively work your way towards GDPR compliance, you are on the right track; just ensure that your business has the aforementioned areas covered when you are in the process of implementing, iterating or extending your Salesforce landscape.
Completely lost or have a specific question? Do not hesitate to reach out to us directly on the Simpliant website.
Stay tuned for Part 2, where we will reveal 5 more areas you should target to set you up on your way to GDPR compliance.