GDPR Compliance and Your Salesforce Organization

Salesforce offers many services to its clients, from Einstein Analytics to MuleSoft, Data.com, and the basic Salesforce Cloud packages. Did you know that each of these services has its own Trust and Compliance Documentation? This documentation lists the security and privacy-related audits and certifications a particular service has received. A business or organization that uses multiple services therefore has a lot of Trust and Compliance documentation to become familiar with, and must validate that each service adheres to the General Data Protection Regulation (GDPR) and to its own business requirements.

You can access the Trust and Compliance documentation for each Salesforce service here.

GDPR, on the other hand, is in place to regulate businesses and make sure they follow appropriate technical and organizational security measures to protect customer data against unauthorized use, illegal disclosure and access, and unauthorized changes.

Salesforce is working in partnership with GDPR to streamline data protection and adhere to legal requirements to help all their clients. However, Salesforce also encourages clients who are subject to the GDPR to assess how well they themselves comply with data protection law.

The following are several key points in assessing compliance:

Know what records of personal data your organization holds:

What is this data used for? How is it collected? Why do you store it? Do you also store sensitive information, e.g. medical history? The data you gather must fit one of the GDPR's 6 lawful bases, which are set out in Article 6 of the GDPR. For more information on these lawful bases, click HERE.

Most of these lawful bases are set so that you process personal data lawfully, fairly, and transparently with respect to the individuals involved.

Customer awareness of their data storage:

Do your customers or clients know that their personal data is stored in your system, and do they understand how it is going to be used?

If so, you need to make sure that your privacy statements include all of the following information:

    1. Business or Organization Name and the Point person for Data Protection
    2. Reason for holding the data in compliance with the lawful basis and what it is used for
    3. The location where the data was taken from
    4. Data sharing information
    5. Retention Period of Data Storage
    6. How individuals can request alteration, access, and deletion of their data
    7. Complaints channel
    8. If profiling is created

Data updates:

Does your company regularly check data for accuracy? How easy is it to update information? Data updates are important to make sure accurate data is stored and to prevent misuse of data or miscommunication.

Keeping data secure:

How do you keep data secure? What steps do you need to take? Is electronic data encrypted and backed up? Salesforce has security in place at the organization, user access, record, and field levels. Make sure that these security features are set correctly to meet your business requirements and the law.

Employee and User Access:

Do the users and staff in your company comply with their data protection responsibilities? A data breach can have adverse effects on the individuals affected by it, but most especially on the company. A data breach can result in loss and unlawful acts.

Knowing the Rights of your customers:

Do the individuals whose data you gather have a way to exercise their rights regarding the data you hold on them? It is imperative to consider these rights when setting up your CRM. Some of the customer's rights are the following:

    1. Right to Know: they know what data you have of them
    2. Right to Update: being able to change incorrect data
    3. Right to Delete: option for them to remove their data from your database
    4. Right to Object: they can stop you from using their information
    5. Right to Transfer: they can request the transfer of their data to another business
    6. Right to Restrict: they can restrict data used

As a business, being able to handle information with the utmost regard for safety and privacy makes good business sense and will definitely result in great customer service. Salesforce might have all the security protocols in place to abide by the law, but it is your responsibility to use these protocols and set these features correctly so that your customers feel secure and protected.