What is GDPR and how is it affecting businesses all over the world? What exactly do we mean by “Personal Data” and how does it differ from “Sensitive Data”? What is the role of Salesforce in all that, and how can Salesforce Admins help their clients comply with this regulation?

GDPR stands for General Data Protection Regulation. It unifies data protection laws across all European Union member states and regulates the processing of personal data about EU individuals, including its collection, storage, transfer and use. This does not mean that companies that are not physically within the European Union are unaffected. Any organization that processes personal data of EU individuals, regardless of its physical location, needs to comply with this regulation by May 25th, 2018.

Personal data is any information regarding a person from which that person could be identified. Such information could be, for example, a name, an identification number, or the cultural or social identity of that person. GDPR expands this definition to include location data and online identifiers, such as IP addresses. Organizations should take measures to minimize the amount of personal information they store, and make sure that they do not keep this information for longer than necessary.

Sensitive data, on the other hand, is a sub-category of personal data that receives extra consideration under GDPR because its misuse could lead to discrimination in society. Such data is, for example, any data about race or ethnic origin, financial status, political opinion, philosophical belief, religion or sexual orientation. GDPR also expands the concept of sensitive personal data to include genetic data and biometric data.

The truth is that GDPR is more about policies and not so much about technology. However, since GDPR expands the rights of individuals, Salesforce Admins are called upon to help customers meet the new requirements and protect those expanded rights in the best way possible and, more importantly, ON TIME! You can find more information about GDPR here.

More precisely, the new requirements for Salesforce consultants are to find a way to deliver a solution that includes the following (Salesforce GDPR-Fact-Sheet):

  • Marking fields that include personal data, so that your customer can identify and assess those fields accordingly. The reason for this is that any person has “the right to be forgotten”, meaning that he or she can request the deletion of such data if it is no longer necessary. In addition, a person may agree to the data being kept while withholding permission to process it any further.
  • Providing portability of Personal Data. Organizations should be able to provide, upon request, an overview of the personal data of any individual in a commonly used and machine-readable format.

The best practices so far are the following:

1. Individual Object

In the Spring ’18 release Salesforce has come up with its solution to help store customers’ preferences when it comes to their personal data. With the new ‘Individual’ object, data privacy records can be created and associated with Leads and Contacts. The object comes with some standard checkboxes, as shown in the picture below, that specify whether the Individual should be forgotten, tracked, etc., and it can have lookups to Contacts, Person Accounts and Leads, as well as to custom objects. In order to use this object, Data Protection and Privacy must be enabled in your org; its records are not counted against system storage.

Once enabled, you can create a new Individual during the creation of a Contact, and the documentation provides a couple of sample Apex triggers to create Individual records for all existing Contacts and Leads. The biggest limitation of this object so far is that it does not support Record Types and Process Builder cannot be used, but it is definitely good progress in helping Salesforce Admins implement a solution towards GDPR.
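As an added example that is not part of the original post or of the Salesforce documentation samples, the batch class below backfills one Individual record for every existing Contact that is not yet linked to one, so that data privacy preferences can be tracked for Contacts created before the object was enabled. It assumes Data Protection and Privacy is already enabled in the org.

```apex
// Example only (not from the original post). Backfills an Individual record for
// every Contact whose standard IndividualId lookup is still empty, in batches,
// so that consent and "should forget" flags can be recorded for legacy Contacts.
public with sharing class BackfillIndividualsForContacts
        implements Database.Batchable<SObject> {

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Only Contacts that are not yet linked to an Individual.
        return Database.getQueryLocator(
            [SELECT Id, FirstName, LastName FROM Contact WHERE IndividualId = null]);
    }

    public void execute(Database.BatchableContext bc, List<Contact> scope) {
        List<Individual> individuals = new List<Individual>();
        for (Contact c : scope) {
            // LastName is required on Individual; every Contact already has one.
            individuals.add(new Individual(FirstName = c.FirstName, LastName = c.LastName));
        }
        insert individuals;

        // The inserted list keeps the order of scope, so link by index.
        for (Integer i = 0; i < scope.size(); i++) {
            scope[i].IndividualId = individuals[i].Id;
        }
        update scope;
    }

    public void finish(Database.BatchableContext bc) {
        // Nothing to do; a notification or a second run for Leads could go here.
    }
}

// Start the job from Execute Anonymous (batch size 200 keeps within DML limits):
// Database.executeBatch(new BackfillIndividualsForContacts(), 200);
```

The same pattern applies to Leads by swapping the object in the query and the loop.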

2. Elements.cloud for GDPR

Elements.cloud is a powerful cloud platform that integrates with Salesforce: you install a Managed Package and connect your Org (Production or Sandbox). All you need is an Elements user account and a Salesforce Org (Enterprise or Unlimited). You download the Managed Package from the AppExchange and sync it with the Elements account. You can find more information on how to install and sync your org here.

Once your setup is ready, you can select the fields you want in Elements and assess them there, by changing their status on the right panel, as shown in the picture below:

GDPR Reporting is also possible within Elements.cloud:

The biggest limitation here is that your customer needs to pay after the 14-day free trial; the biggest advantage is that the support line responds within minutes and is very helpful.

3. Mark your fields using Custom Metadata Types

Flagging fields is not a standard Salesforce functionality yet. In case you need more flexibility and fewer limitations, you can always use Custom Metadata Types. From Setup → Custom Metadata Types → New Custom Metadata Type, you can create a custom metadata type especially for GDPR purposes and provide the necessary information (Label, Object Name, etc.).

In this type, you create records that point to the Salesforce fields containing personal information by recording their API names. This way, the fields are “flagged” in Salesforce and you can retrieve their data using Apex and even report on them. The main limitation of this solution is that it cannot be done with point-and-click configuration alone; therefore, an Apex developer needs to be involved.
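The class below is an added example (not code from the original post) of what that Apex would look like. It assumes a custom metadata type named GDPR_Field__mdt with two custom fields, Object_API_Name__c and Field_API_Name__c, one record per flagged field; the names are hypothetical and the field names are validated against the schema before they are used in a dynamic query.

```apex
// Example only (not from the original post). Reads the hypothetical GDPR_Field__mdt
// registry and uses it for the two GDPR needs described above: portability
// (export flagged fields as JSON) and the right to be forgotten (blank them).
public with sharing class GdprFieldRegistry {

    // Flagged field API names for one object, validated against the schema so a
    // mistyped metadata record is ignored rather than breaking the dynamic query.
    public static Set<String> flaggedFields(String objectApiName) {
        Set<String> result = new Set<String>();
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectApiName);
        if (objType == null) { return result; }
        Map<String, Schema.SObjectField> fields = objType.getDescribe().fields.getMap();
        for (GDPR_Field__mdt flag : [SELECT Field_API_Name__c FROM GDPR_Field__mdt
                                     WHERE Object_API_Name__c = :objectApiName]) {
            if (fields.containsKey(flag.Field_API_Name__c.toLowerCase())) {
                result.add(flag.Field_API_Name__c);
            }
        }
        return result;
    }

    // Portability: the flagged personal data of one record, as pretty-printed JSON.
    public static String exportPersonalData(Id recordId) {
        String objectApiName = recordId.getSObjectType().getDescribe().getName();
        Set<String> fieldNames = flaggedFields(objectApiName);
        if (fieldNames.isEmpty()) { return '{}'; }
        // Field names come from the validated registry, the Id is a bind variable.
        String soql = 'SELECT ' + String.join(new List<String>(fieldNames), ', ')
            + ' FROM ' + objectApiName + ' WHERE Id = :recordId';
        SObject record = Database.query(soql);
        Map<String, Object> data = new Map<String, Object>();
        for (String f : fieldNames) { data.put(f, record.get(f)); }
        return JSON.serializePretty(data);
    }

    // Right to be forgotten: blank the flagged fields of one record. Fields the
    // schema marks as required get a placeholder (assumes they are text fields).
    public static void erasePersonalData(Id recordId) {
        Schema.SObjectType objType = recordId.getSObjectType();
        Map<String, Schema.SObjectField> fields = objType.getDescribe().fields.getMap();
        SObject record = objType.newSObject(recordId);
        for (String f : flaggedFields(objType.getDescribe().getName())) {
            Boolean required = !fields.get(f.toLowerCase()).getDescribe().isNillable();
            record.put(f, required ? 'REDACTED' : null);
        }
        update record;
    }
}
```

Because the registry lives in custom metadata, the list of flagged fields deploys with the rest of the configuration and can be reported on without touching the code.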

Of course, there is no perfect GDPR implementation available out-of-the-box, but it is in our hands to configure it in such a way that it becomes perfect! Furthermore, given the fact that this regulation is new, I believe that the practices mentioned above are the best options available so far and I consider them a big step in helping Salesforce Admins implement GDPR solutions and help their clients become compliant before May 25th.