‘Good Morning – this is your wake up call! Is there anything I can do to help you kickstart your GDPR Compliance Strategy?’
Have you been sleeping through the GDPR preparation whirlwind? Did you hit snooze and pull the covers over your head? That’s the thing with GDPR – it requires a customer data management culture change – “Privacy by Design” – that has implications across the organization, something that’s impossible to ignore.
There are a number of reasons why companies have hidden their heads in the sand, or hope that GDPR is not relevant to them. This series of articles will show how you can apply the Privacy by Design principles and use them to your advantage, even if your company:
- Is not going to be able to hit the 25 May 2018 deadline
- Does not process EU resident data
- Is a smaller company that is unlikely to be targeted by the supervisory authorities that enforce GDPR
Why? GDPR will be in place for many years to come, so 25th May 2018 is just a milestone. It’s part of a general movement towards personal data ownership, and we will see that other countries around the world, the US included, will start introducing similar data privacy legislation. Then there’s ‘trickle down GDPR’, where large companies will require that their suppliers are GDPR compliant, who in turn will turn around to their suppliers and require GDPR compliance from them. You can hide from GDPR, but likely not for long.
GDPR is not impossible to implement. It is just that the 99 GDPR Articles (legal clauses) look scary and impenetrable. Digging into the detail, there are some specific requirements for managing customer data and data privacy permissions that will be new to Salesforce customers, which this series will cover in simple, practical terms.
This first introductory post will cover:
- The Beating Heart of GDPR: Three Key Areas
- What your Salesforce CRM needs – ASAP
- Where does the Individual Object fit in?
- Maximize the next 30 days!
The Beating Heart of GDPR: Three Key Areas
The EU Data Privacy legislation, known as GDPR, is forcing companies that are processing EU resident data to revisit their customer data management with a “Privacy by Design” approach – which means re-engineering your Salesforce org and processes to accommodate the GDPR expectations.
However, the heart of the GDPR really comes down to three key areas:
- Security/Data Protection: In other words, preventing unauthorized access to personal data
- Accountability: Being accountable and transparent as an organization on how you manage & protect individuals’ data
- Individuals’ Rights: When delivering products and services, companies must preserve individuals’ privacy and give individuals choice over how their data is used
What your Salesforce CRM needs – ASAP
With only a month to go until the milestone day, what should you be laser-focused on?
There are 2 areas of the GDPR legislation that mean you will need to extend Salesforce.
- Responding to Data Requests (Subject Access Requests), including the widely discussed Right to be Forgotten (the right to erasure)
- Tracking permissions or consents
First, let’s look at the requirements, and then we will look in detail at how you can extend Salesforce.
Where does the Individual Object fit in?
The Individual object is a new standard object that was released in Spring ’18, part of Salesforce’s journey to providing more comprehensive compliance support. But, the Individual object alone will not satisfy the GDPR requirements, and it is not required to satisfy GDPR.
The benefit of the Individual object is that it links together the different roles in which one person is recorded in Salesforce. A person who has one or more Lead, Contact, Person Account and custom records could have them all relate to ONE Individual record. For that to work in practice, some of the current limitations of the Individual object need to be addressed in future releases. The greatest is the lack of an easy way to identify an existing Individual and connect or merge it with multiple Leads and Contacts; if left unresolved, you will simply end up with one Individual record for every Lead and Contact, which is a huge overhead with limited benefit.
Implementing GDPR does not require the Individual object. To fulfill GDPR, your Salesforce data model will require a custom data privacy permission object connected to the Lead/Contact/User Account.
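The following is an added example in Apex (not code from the original post), sketching the data model just described: the Individual record as the hub that Lead, Contact and Person Account records point to, a query that surfaces the one-Individual-per-record duplication problem mentioned above, and a consent check against a custom data privacy permission object. The standard fields used (Contact.IndividualId, Lead.IndividualId, Account.PersonIndividualId, Individual.ShouldForget, Individual.HasOptedOutProcessing) are real Salesforce fields; the custom object Data_Privacy_Permission__c and its fields Contact__c, Purpose__c, Status__c and Expires_On__c are assumptions standing in for whatever permission object you build.

```apex
// Added example, not code from the original post.
// Standard fields: Contact.IndividualId, Lead.IndividualId,
// Account.PersonIndividualId (only present when Person Accounts are enabled),
// Individual.ShouldForget, Individual.HasOptedOutProcessing.
// Data_Privacy_Permission__c and its fields are a hypothetical custom object
// standing in for the "custom data privacy permission object" the post describes.
public with sharing class GdprDataModelExample {

    // 1. The Individual as a hub: every Lead, Contact and Person Account
    //    that points at one Individual record.
    public static Map<String, List<SObject>> recordsForIndividual(Id individualId) {
        Map<String, List<SObject>> linked = new Map<String, List<SObject>>();
        List<SObject> contacts = [SELECT Id, Name, Email FROM Contact
                                  WHERE IndividualId = :individualId];
        List<SObject> leads = [SELECT Id, Name, Email FROM Lead
                               WHERE IndividualId = :individualId];
        // Remove this query in an org without Person Accounts enabled;
        // PersonIndividualId does not exist there and the class will not compile.
        List<SObject> personAccounts = [SELECT Id, Name, PersonEmail FROM Account
                                        WHERE PersonIndividualId = :individualId];
        linked.put('Contact', contacts);
        linked.put('Lead', leads);
        linked.put('PersonAccount', personAccounts);
        return linked;
    }

    // 2. The limitation the post calls out: without a merge step you get one
    //    Individual per Lead/Contact, so one e-mail address ends up spread over
    //    several Individual records. This aggregate query surfaces those cases.
    public static List<AggregateResult> emailsSplitAcrossIndividuals() {
        return [SELECT Email, COUNT_DISTINCT(IndividualId) individuals
                FROM Contact
                WHERE Email != null AND IndividualId != null
                GROUP BY Email
                HAVING COUNT_DISTINCT(IndividualId) > 1];
    }

    // 3. Consent check against the hypothetical custom permission object.
    //    A Contact may be processed for a purpose only if the linked Individual
    //    has not opted out of processing or asked to be forgotten, AND an
    //    unexpired opt-in permission for that purpose exists.
    public static Boolean mayProcess(Id contactId, String purpose) {
        Contact c = [SELECT Id, IndividualId,
                            Individual.ShouldForget, Individual.HasOptedOutProcessing
                     FROM Contact WHERE Id = :contactId];
        // Guard on IndividualId first: Individual is null when no hub record is linked.
        if (c.IndividualId != null &&
            (c.Individual.ShouldForget || c.Individual.HasOptedOutProcessing)) {
            return false;
        }
        Integer active = [SELECT COUNT() FROM Data_Privacy_Permission__c
                          WHERE Contact__c = :contactId
                            AND Purpose__c = :purpose
                            AND Status__c = 'Opted In'
                            AND (Expires_On__c = null OR Expires_On__c > TODAY)];
        return active > 0;
    }
}
```

The consent check is read-only, so it can be called from a trigger, a flow or a batch job before any marketing or profiling step runs; the point of the design is that the opt-out flags on the Individual override any purpose-specific permission, which is the direction of precedence GDPR expects. The duplicate query in part 2 is the one to run before deciding whether an Individual-per-record setup is acceptable for your data volume.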
Maximize the next 30 days!
Someone said, “GDPR is not a crash diet. It is a lifestyle change.” But it feels like a lifestyle change that starts with a crash diet, as we only have 30 days!
Think of 25 May as a milestone, not the finish line: don’t make poor decisions just to get something done for that date that will take you off track for longer-term compliance. Let’s look at what is required and what must be done as a priority.
The right approach depends on your business. The choice is between bare-minimum compliance, which means fire-fighting Data Requests and privacy opt-in changes as they arrive, and making the time to build a longer-term solution that is scalable, automated and, above all, compliant. Crash diets often work in the short term, but a lifestyle change is what makes it sustainable.
What’s coming up
This series will step you through what is practical and achievable, giving you a priority order – more importantly, it will help you avoid doing the work you don’t need to do.
I’ve pulled together GDPR best practice with Salesforce by immersing myself in reading GDPR Articles, documenting business processes implications, talking to lawyers, meeting with the Salesforce Product Teams, working with ISV partners, speaking on countless panels and webinars, and hearing the questions and concerns from the Salesforce ecosystem.
Note that the content of this series is my interpretation, and is not a statement of Salesforce Product Strategy – it is practical, not legalese. Nevertheless, I hope that the information will be of great value to the ecosystem.
Coming up next week: How to Manage GDPR Data Requests with Salesforce