Ten tips to help Salesforce teams prepare for GDPR

The General Data Protection Regulation implementation date is closing in. Salesforce experts have some advice for companies tasked with complying with the EU guideline.

With the General Data Protection Regulation deadline rapidly approaching on May 25th, Salesforce users are working to ensure that their systems comply with the European Union mandates. Salesforce published a website full of tips, offering advice for users as they navigate the rules.

"We really welcome GDPR because it takes something we believe strongly in, which is companies trusting us with customer data, expecting us to secure it and making it available in a reliable way," said Salman Malik, chief operating officer of product organization at Salesforce, about the General Data Protection Regulation (GDPR). "GDPR asks every company to be a trusted custodian of their customers' data and is leveling the playing field in favor of companies that take that stewardship seriously."

With that in mind, Malik and Lindsey Finch, senior vice president of global privacy and product legal at Salesforce, offered the following 10 tips to help Salesforce users prepare for GDPR.

  1. Get buy-in and build your cross-functional team to implement GDPR policies and procedures. According to Finch, companies need to build a culture of privacy, not just delegate responsibility to individuals. The team should consist of stakeholders in technology, products, marketing, human resources and other teams across the organization.
  2. Assess your organization by completing a gap analysis. GDPR has 99 articles, 173 recitals and 88 pages. Conducting a gap analysis against existing internal controls can reveal where the program needs to be bolstered to ensure compliance, and can make sure customizations and integration can support GDPR compliance.
  3. Create a roadmap of necessary operational and technological changes. To prepare for GDPR, Salesforce has boiled the regulation down to four essentials across its entire product line. According to Malik, the vendor has audited its own products to make sure they can support the following essential tasks:
    • being able to capture customer consent before sending marketing messages or even storing data;
    • providing the customer with data portability;
    • enabling customers to restrict the use of their data; and
    • offering a mechanism for customers to delete their data from the system.

All these actions still respect companies' contractual relationships with customers, such as bank loans, according to Malik.

  4. Establish controls and processes. If you can simplify your systems or consolidate data, you may be in a much better place to comply with GDPR, Malik said.
  5. Conduct data protection impact assessments (DPIAs) for new and high-risk projects. GDPR introduces DPIAs for certain high-risk processing activities, according to Finch. Salesforce is in the process of adding answers to DPIA questions to its GDPR compliance website, including questions that Salesforce's customers and prospects may ask about data protection.
  6. Document your compliance, including what you are doing to prepare for GDPR. Documentation is always critical, but it's even more so in the event of an audit. Ensure that your policies and procedures are written down and accessible.
  7. Understand how GDPR requirements align with your organization's values on privacy and transparency. For example, use the opportunity to examine how privacy affects different processing activities, and involve the team, Finch said.
  8. Align with your marketing department so that direct marketing only goes to individuals who have shown interest in information about your products. Marketing needs to know how to prepare for GDPR so that the department doesn't become the weak link in the compliance chain.
  9. Understand where personal data is located and confirm cross-border transfer mechanisms are in place. Salesforce has an updated Data Processing Addendum (DPA) that includes three mechanisms: Privacy Shield, Salesforce Processor Binding Corporate Rules and Standard Contractual Clauses. Companies need to understand where data is processed geographically, including where data centers are located, Finch said.
  10. Make a list of vendors handling personal data and execute or amend existing DPAs with GDPR-ready terms. Not only do companies need to know where data is located in order to prepare for GDPR, but they also need to know which of their vendors process data.

Additionally, companies will want to update agreements with these vendors to continue to ensure compliance, according to Finch.

"We often talk about and start thinking about GDPR as a compliance headache," Malik said, adding that Salesforce sees it as an opportunity for its customers to embrace data protection, which, in turn, can help differentiate them from their competition. "It's an opportunity to build greater trust with customers."

Purely from a compliance standpoint, companies can achieve that goal, Finch added.

"When companies embrace GDPR as an opportunity, become customer-centric, and put it at the center of their privacy programs, they can fundamentally change their business."