Data Privacy

Salesforce & GDPR: What It Means for Your Company

Kyle Schryver September 14, 2018

With the GDPR in full swing and numerous regulations being drafted worldwide, it’s essential for businesses to incorporate practices that protect individuals’ data privacy. In addition to governments requiring more stringent privacy practices, users are also demanding greater privacy and transparency from vendors.

In fact, a recent article on Salesforce Research by TechCrunch [1] found that “86 percent of respondents said they’re more likely to trust a company with their personal information if it explains how that information leads to a better customer experience.”

To better prepare your organization for improved data privacy and transparency, we’re providing tactical tips to help you work with the many different systems used to manage data. Our content is tailored for GCs and legal professionals, skipping over the traditional GDPR overviews and diving straight into actionable steps for sales, marketing, customer success, support, and operations teams to achieve GDPR compliance.

This week, we’re breaking down what you need to know about Salesforce as well as other CRM systems.

What is a CRM?

Customer Relationship Management (CRM) systems are software platforms used by marketing, sales, customer success, and customer support teams to store and manage prospect and customer data. A simple way to look at a CRM is as a detailed contact list; however, these platforms offer far more than a list and often contain hundreds of complex custom fields used by sales and marketing teams. CRMs are also frequently used to store sales state and contact information and to manage the sales motion at your company.

Salesforce as a CRM

Salesforce is a cloud CRM, enabling employees to manage, track, and store information for sales and marketing through an online software system. As a CRM, it receives and stores an abundance of personal data, including contact names, email addresses, titles, phone numbers, relationships, sales activity including emails and phone calls, and much more.

Many different departments use Salesforce to store and organize client data, including sales, marketing, and support teams. If your company uses Salesforce or another CRM, it’s probable that there’s a wealth of personal data that’s subject to the GDPR.

What data does your company have in Salesforce?

Salesforce presents itself, and is generally used, as a system of record for sales. In practice, this means that Salesforce contains the majority of customer contacts, prospect (lead, in Salesforce parlance) profiles, product data, transaction data, and sales and marketing funnel information. The quality and quantity of data vary by organization, but Salesforce is also often a central repository for marketing data ingested from marketing systems, lead capture information, purchased mailing lists, company profiles, and purchased lead profiles (i.e., contact information).

Contacts and leads typically include names, titles, email addresses, multiple phone numbers (cell, desk), location, reporting chain / org charts, work history, previous purchases, etc. This may be supplemented by hundreds of custom fields purchased from a variety of vendors, such as Account Based Marketing (ABM) systems or contact data providers such as ZoomInfo, DiscoverOrg, or Clearbit.

For every lead in the Salesforce database, sales and marketing teams keep a large amount of personal information; this includes names, emails, phone numbers, titles, locations, and much more. In addition to the standard fields, it’s likely that your sales team has manually entered, or used third parties to populate, up to 200 additional fields that could contain personal data.

For example, your sales representative may use an app that inputs lead information from their email client into Salesforce. The client’s personal data will be input as a lead in Salesforce and may later be associated with a contact or account — which could then be shared with other sales reps.

Personal Data in Salesforce

Salesforce has several objects that can contain personal data; these include, but are not limited to, Leads, Contacts, Accounts, and Opportunities.

Here’s an example of personal data within the Lead and Contact object:

Generally, Accounts and Opportunities do not include personal data; rather, they hold information on companies and internal processes. However, if your organization uses Contact Roles, opportunities can be linked to data subjects, and accounts can be linked to employees’ personal information.

What integrates with Salesforce and how does data get entered into the CRM?

Many third parties integrate with Salesforce, including data providers, marketing platforms, and communication systems. These integrated systems import and export data from Salesforce, and there are also products, such as LeanData, that access data to connect separate fields. Your sales team likely uses many different programs that work within Salesforce, in addition to manually inputting data for new clients.

How can data be exported or deleted from Salesforce?

Conveniently, each Salesforce record can be individually deleted or exported. Fields storing personal contact data can be deleted or exported by those users whose permission level allows it.

To begin a Subject Access Request, you’ll need to contact an admin with permission to view all data and export it from your Salesforce database. It’s crucial to identify all of the fields which contain personal data, including the hundreds of custom fields your team may be using. You are required to send the data to the data subject in a machine-readable file. Before sharing it, you should verify the requester’s identity, ensuring that the correct person is accessing the personal data. Finally, you should create a work diary and check that the requester actually accessed the data. If the requester didn’t access it, you should consider resending and escalating contact attempts. An email accidentally flagged as spam or missed by a busy requester is a silly reason to annoy a requester or to be reported to a regulator.

For deletion requests, a similar process occurs, with minor procedural differences. Again, be in contact with an admin with full permissions, but this time for deletion. Identify all of the personal data in the database, or mark which data sets the user requested to be deleted. Keep in mind that some data may not be deletable for security reasons or because of specific regulatory requirements. Next, have your Salesforce administrator manually delete the tagged components of each record and perform a final check, paying close attention to custom objects. Just as in an access request, you will want to create a work diary to provide an audit trail for auditors, documenting the steps you’ve taken and paying particular attention to the GDPR-compliant reasons for any data you retained. Finally, notify the user that their personal data has been deleted in line with their request. Again, it is in your interest to log the communication to the requester and to document repeated contact attempts if the requester doesn’t respond.
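The access and deletion procedures above, reduced to code as an added example (not from the original article and not Salesforce's own tooling): a constructed inventory of which Lead and Contact fields legal has classified as personal data, a machine-readable JSON export for an access request, a deletion pass that honours documented retention holds, a check that flags custom fields nobody has classified yet, and a work diary that records every step. Field names ending in `__c` follow Salesforce's custom-field convention; the particular custom fields, the sample record, the placeholder Ids and the retention reason are all assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed inventory: fields legal has classified as personal data, per object.
# "__c" is Salesforce's suffix for custom fields; these custom names are assumptions.
PERSONAL_FIELDS = {
    "Lead": {"FirstName", "LastName", "Email", "Phone", "MobilePhone", "Title"},
    "Contact": {"FirstName", "LastName", "Email", "Phone", "Title",
                "Work_History__c", "Previous_Purchases__c"},
}
# Fields kept after a deletion request, each with its documented reason (assumed here).
RETENTION_HOLDS = {
    ("Contact", "Previous_Purchases__c"): "transaction history kept under invoice retention rules",
}
# Constructed sample Contact record; the Ids are placeholders, not real Salesforce Ids.
SAMPLE_CONTACT = {
    "Id": "003PLACEHOLDER", "FirstName": "Ada", "LastName": "Example",
    "Email": "ada@example.com", "Phone": "+1-555-0100", "Title": "CTO",
    "AccountId": "001PLACEHOLDER", "Work_History__c": "VP Engineering, prior employer",
    "Previous_Purchases__c": "2 seats, 2017", "Assistant_Name__c": "Grace Example",
}

def unclassified_custom_fields(obj, record):
    """Custom fields on the record nobody has classified: review them first, or the
    personal data hiding in them is silently left out of the request."""
    return sorted(f for f in record if f.endswith("__c") and f not in PERSONAL_FIELDS[obj])

def access_export(obj, record):
    """Machine-readable (JSON) export of the classified personal fields for an access request."""
    data = {f: record[f] for f in sorted(PERSONAL_FIELDS[obj]) if f in record}
    return json.dumps({"object": obj, "record_id": record["Id"], "personal_data": data}, indent=2)

def apply_deletion(obj, record, diary):
    """Clear classified personal fields except those on hold; every field gets a diary
    entry (deleted, or retained with its reason). Returns a cleaned copy of the record."""
    cleaned = dict(record)
    for f in sorted(PERSONAL_FIELDS[obj]):
        if f not in record:
            continue
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "object": obj,
                 "record_id": record["Id"], "field": f}
        reason = RETENTION_HOLDS.get((obj, f))
        if reason:
            entry.update(action="retained", reason=reason)
        else:
            cleaned[f] = None
            entry["action"] = "deleted"
        diary.append(entry)
    return cleaned
```

Run `unclassified_custom_fields` before either request and resolve anything it returns; the `diary` list passed to `apply_deletion` is the audit trail to keep alongside the requester correspondence.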

Most likely, your company has multiple accounts connected through Salesforce, with one or many admins managing the database. Based on which type of request was submitted and which fields will need to be accessed, permissions vary for the processes above. Speaking with your Director of Sales Operations or Salesforce administrator(s) is the best step to take in finding out where user, sales, or marketing contact data is stored and making sure it’s tracked across all managed accounts.

GDPR Implications

Most data fields in Salesforce are subject to the GDPR — except for business information that cannot be tied to an individual. Therefore, any customers or leads in the Salesforce database must be capable of extraction or deletion. To effectively work with your sales and marketing departments, it’s important to communicate that any information manually or automatically put into Salesforce must be extractable.

With future regulation for the U.S. on the horizon, it’s essential to have visibility into data moving in and out of CRMs. Salesforce provides options for data deletion through its UI, accessible via your administrator(s). To track data requests effectively, both sales and marketing teams must work with legal or compliance teams. Legal counsel needs to communicate the requirements for requests and be capable of providing instructions to sales and, potentially, marketing teams.

Enjoy this piece? Check out the previous piece in our Need to Know Series: Is it Time for an American GDPR?

1. Ha, A. (2018, September 6). Salesforce research: Yep, consumers are worried about their data. TechCrunch. Retrieved from