GDPR + Salesforce

GDPR (EU Data Privacy legislation) represents the most critical change in data privacy regulation in the last 20 years.  Any company with EU resident information falls within scope.  Many US companies, therefore, are subject to GDBR and the May ’18 compliance deadline is fast approaching.

The Salesforce Individual Object

Salesforce published GDPR resources and recently released the new Individual object.  It’s a place to store certain data privacy preferences for your customers.

Salesforce Individual Object

  • It contains privacy fields and lookup relationships to lead and contact.
  • Admins should expose the new lookup field on Contact and Lead page layouts.
  • Add other object Relationships, if applicable, to person accounts, custom objects, etc.

Setup Challenges

While the object provides a place to consolidate PII, some common use cases still need to be addressed.

  1. Individual records do not auto-create for contacts or leads.
  2. No easy feature to connect lead and contact records for the same person.
  3. Record types and process builder are not supported.

An alternative solution is to build automation with code (APEX) to create and connect individual object records to its related contact/lead records.

Use Salesforce As A Consent Platform

The Salesforce Platform is a great fit for managing data privacy:  Salesforce is the source of truth for many companies already.  And, many of its features can handle key GDPR workflows.

Conditions of Consent

GDPR states that data can only be processed if one the following are met:  Consent, Contract, Legal obligation, Vital interests, Public task, Legitimate interests

Also, in Article 7  the Controller must be able to demonstrate that the data subject has consented to processing of personal data.  Each company should define its permission types and incorporate those elements either into the individual object, as either new custom fields, or a related list.  This is a great opportunity to leverage various Salesforce workflow automation to handle business cases.  For example, when a contract is signed, create a permission type, customer agreement executed, and associate to the individual object record automatically.

GDPR Requests

Data subjects can make a number of requests of the Processor, which require a response within 30 days.  Some examples include:  ability to update inaccurate data, right to be forgotten, ability to obtain details of their data held, etc.  Handle these requests via Cases.

  1. Create an email (e.g.,
  2. Configure the email-to-case feature, which converts the email into a Salesforce Case.
  3. Setup a record type along with various workflow automation to handle the case to completion.