
Salesforce & GDPR: What It Means for Your Company

DataGrail, September 14, 2018

With the GDPR (General Data Protection Regulation) in full swing and numerous regulations being drafted worldwide, it’s essential for businesses to incorporate practices that protect individuals’ data privacy. In addition to governments requiring more stringent privacy practices, users are also demanding greater privacy and transparency from vendors.

In fact, a recent TechCrunch article [1] on Salesforce Research found that “86 percent of respondents said they’re more likely to trust a company with their personal information if it explains how that information leads to a better customer experience.”

To better prepare your organization for improved data privacy and transparency, we’re providing tactical tips to help you work with the many different systems used to manage data. Our content is tailored for GCs and legal professionals, skipping over the traditional GDPR overviews and diving straight into actionable steps for sales, marketing, customer success, support, and operations teams to achieve GDPR compliance.

This week, we’re breaking down what you need to know about Salesforce GDPR compliance requirements, as well as other CRM systems.

What is a CRM?

Customer Relationship Management (CRM) systems are software platforms used by marketing, sales, customer success, and customer support teams that store and manage prospect and customer data.

A simple way to look at a CRM is as a detailed contact list. However, these platforms offer more than a list and often contain hundreds of complex custom fields used by sales and marketing teams. CRMs are also frequently used to store sales state, keep contact information, and manage the sales motion at your company.

Salesforce as a CRM

Salesforce is a cloud CRM, enabling employees to manage, track, and store information for sales and marketing through an online software system. As a CRM, it receives and stores an abundance of personal data, including contact names, email addresses, titles, phone numbers, and relationships. This can also include sales activity including emails and phone calls, and much more.

Many different departments use Salesforce CRM to store and organize user data, including sales, marketing, and support teams. If your company uses Salesforce or another CRM, there’s probably a wealth of personal data that’s subject to the GDPR.

What data does your company have in Salesforce?

Salesforce presents itself, and is generally used, as a system of record for sales. In practice, this means that Salesforce CRM contains the majority of customer contacts, prospect (lead, in Salesforce parlance) profiles, product data, transaction data, and sales and marketing funnel information. The quality and quantity of this data vary by organization. Beyond sales data, the Salesforce platform is also often a central repository for marketing data ingested from marketing systems, lead capture information, purchased mailing lists, company profiles, and purchased lead profiles (i.e., contact information).

Contacts and leads typically include names, titles, email addresses, multiple phone numbers (cell, desk), location, reporting chain / org charts, work history, previous purchases, etc. This may be supplemented by hundreds of custom fields populated by various vendors, such as Account Based Marketing (ABM) systems or contact data providers such as ZoomInfo, DiscoverOrg, or Clearbit.

For every lead in the Salesforce database, sales and marketing teams keep a large amount of personal information, including names, emails, phone numbers, titles, locations, and much more. In addition to the standard fields, it’s likely that your sales team has manually created, or has used third parties to create, up to 200 additional fields that could contain personal data.

For example, your sales representative may use an app that copies lead information from their email client into Salesforce. The prospect’s personal data will be entered as a lead in Salesforce and may later be associated with a contact or account, which could then be shared with other sales reps.

Personal Data in Salesforce

Salesforce has several objects that can contain personal data. These include, but are not limited to, Leads, Contacts, Accounts, and Opportunities.

Here’s an example of personal data within the Lead and Contact objects:

Generally, Accounts and Opportunities do not include personal data; rather, they hold information about companies and internal processes. However, if your organization uses Contact Roles, opportunities can be linked to data subjects, and accounts can be linked to employees’ personal information.

What integrates with Salesforce and how does data get entered into the CRM?

Many third parties integrate with Salesforce, including data providers, marketing platforms, and communication systems. These integrated systems import and export data from Salesforce, and there are also products, such as LeanData, that access data to connect separate fields. Your sales team likely uses many different programs that work within Salesforce, in addition to manually inputting data for new clients.

How can data be exported or deleted from Salesforce?

Each Salesforce record can be deleted or exported individually. Whether a given user is able to delete or export the fields holding a contact’s personal data depends on that user’s permission level.

Subject Access Request

  1. To begin a Subject Access Request, you’ll need to contact an admin with permission to view all data and export it from your Salesforce database.

    It’s crucial to identify all of the fields that contain personal data, including the hundreds of custom fields your team may be using. You are required to send the data to the data subject in a machine-readable file. Before sharing it, you should verify the requester’s identity, ensuring that the correct person is receiving the personal data.

  2. Finally, you should create a work diary and check that the requester actually accessed the data. If the requester didn’t access it, you should consider resending and escalating contact attempts. An email accidentally flagged as spam or missed by a busy requester is a silly reason to annoy a requester or to be reported to a regulator.

Deletion Requests

  1. For deletion requests, a similar process applies, with minor procedural differences. Again, work with an admin who has full permissions, but this time for deletion.

  2. Identify all of the personal data in the database, or mark the specific data sets the user requested to be deleted. Keep in mind that some Salesforce data may not be deletable for data security and protection reasons or because of specific regulatory requirements.

  3. Next, have your Salesforce administrator manually delete the tagged components of each record and provide a final check, paying close attention to any custom objects. Just as in an access request, you will want to create a work diary to ensure an audit trail for auditors, documenting the steps you’ve taken and paying particular attention to the Salesforce GDPR-compliant reasons for any data you retained.

  4. Finally, notify the user that their personal data has been deleted in line with their request. Again, it would be in your interest to create a log of the communication to the requester and to document repeated contact attempts if the requester doesn’t respond.
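The access and deletion steps above, applied to a single Lead record, as an added illustrative example (this is not DataGrail’s or Salesforce’s code). It assumes the organization keeps an inventory of which Lead/Contact fields hold personal data, and that an admin with the right permissions has already pulled the record; the inventory, the sample record, the field names and the retention reason are all constructed for this example. The `__c` suffix is Salesforce’s real naming convention for custom fields, and the example uses it to flag any custom field that is missing from the inventory so it gets reviewed rather than silently skipped during export or deletion.

```python
"""Illustrative DSAR helper for a Salesforce-style Lead record (constructed example).

Assumes an organisation-maintained inventory of personal-data fields
(PERSONAL_DATA_FIELDS) and a record already exported by a permitted admin.
Field names, the sample record and the retention reason are constructed;
only the '__c' custom-field suffix is Salesforce's actual convention.
"""
import json
from datetime import datetime, timezone

# Constructed inventory: field API names the organisation has classified as personal data.
PERSONAL_DATA_FIELDS = {
    "FirstName", "LastName", "Email", "Phone", "MobilePhone", "Title",
    "City", "Country", "ReportsTo__c", "LinkedIn_URL__c",
}

# Constructed example of a field retained after a deletion request, with its documented reason.
RETENTION_REASONS = {
    "Email": "Suppression list: needed to honour the opt-out itself",
}

# Constructed sample Lead; the Id and custom field names are made up for this example.
SAMPLE_LEAD = {
    "Id": "00Q000000000001AAA",
    "FirstName": "Ada", "LastName": "Example",
    "Email": "ada@example.com", "Phone": "+1-555-0100",
    "Title": "Head of Procurement", "Company": "Example Corp",
    "LeadSource": "Web", "Status": "Working",
    "ReportsTo__c": "Grace Example",   # custom field, in the inventory
    "Intent_Score__c": 87,             # custom field, NOT in the inventory
}


def is_custom_field(name):
    """Salesforce custom fields carry the '__c' API-name suffix."""
    return name.endswith("__c")


def classify_fields(record, inventory=PERSONAL_DATA_FIELDS):
    """Split a record's fields into personal, non-personal and unclassified custom fields."""
    personal, other, unclassified = [], [], []
    for name in record:
        if name in inventory:
            personal.append(name)
        elif is_custom_field(name):
            # A custom field nobody has classified: must be reviewed, not ignored.
            unclassified.append(name)
        else:
            other.append(name)
    return personal, other, unclassified


def build_export(record, inventory=PERSONAL_DATA_FIELDS):
    """Assemble the subject-access payload: personal fields only, plus a review list."""
    personal, _, unclassified = classify_fields(record, inventory)
    return {
        "record_id": record["Id"],
        "personal_data": {f: record[f] for f in personal},
        "needs_review": unclassified,
    }


def export_json(record, inventory=PERSONAL_DATA_FIELDS):
    """Machine-readable export for the data subject (JSON)."""
    return json.dumps(build_export(record, inventory), indent=2, sort_keys=True)


def delete_personal_data(record, inventory=PERSONAL_DATA_FIELDS,
                         retention=RETENTION_REASONS, now=None):
    """Blank personal-data fields, keep documented exceptions, return the audit trail."""
    now = now or datetime.now(timezone.utc).isoformat()
    redacted = dict(record)
    audit = []
    personal, _, unclassified = classify_fields(record, inventory)
    for field in personal:
        if field in retention:
            audit.append({"ts": now, "field": field, "action": "retained",
                          "reason": retention[field]})
        else:
            redacted[field] = None
            audit.append({"ts": now, "field": field, "action": "deleted"})
    for field in unclassified:
        audit.append({"ts": now, "field": field, "action": "review_required",
                      "reason": "custom field not in personal-data inventory"})
    return redacted, audit


if __name__ == "__main__":
    print(export_json(SAMPLE_LEAD))
    redacted, audit = delete_personal_data(SAMPLE_LEAD)
    print(json.dumps({"redacted": redacted, "audit": audit}, indent=2))
```

The audit list is the “work diary” the steps call for: every personal-data field ends up with a deleted, retained (with the reason) or review-required entry, so the record of what was kept and why is produced in the same pass as the deletion rather than reconstructed afterwards.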

Most likely, your company has multiple accounts connected through Salesforce, with one or many admins managing the database. Based on which type of request was submitted and which fields will need to be accessed, permissions vary for the processes above. Speaking with your Director of Sales Operations or Salesforce administrator(s) is the best step to take in finding out where user, sales, or marketing contact data is stored and making sure it’s tracked across all managed accounts.

GDPR Implications

Most data fields in Salesforce are subject to the GDPR, except for business information that cannot be tied to an individual. Therefore, the records of any Salesforce customers or leads must be capable of being extracted or deleted. To work effectively with your sales and marketing departments, it’s important to communicate that any information entered into Salesforce, whether manually or automatically, must be extractable.

With future GDPR-like regulation for the U.S. on the horizon, it’s essential to have visibility into the data moving in and out of CRMs. Salesforce provides options for data deletion through the UI, accessible via your administrator(s). To track data requests effectively, both sales and marketing teams must be working with legal or compliance teams. Legal counsel needs to communicate the requirements for requests and be capable of providing instructions to sales and, potentially, marketing teams.

Enjoy this piece? Check out the previous piece in our Need to Know Series: Is it Time for an American GDPR?

1. Ha, A. (2018, September 6). Salesforce research: Yep, consumers are worried about their data. TechCrunch. Retrieved from
