At Salesforce, trust is our number one value, and the protection of our customers’ data is paramount. Lindsey Finch, our Senior Vice President of Global Privacy and Product Legal, is on the front lines of our privacy and data protection efforts. In fact, she recently added Data Protection Officer to her title. Lindsey brings an extensive background at the intersection of law and privacy to the task, including stints at the U.S. Federal Trade Commission, the Department of Homeland Security and General Electric.
Lindsey not only oversees Salesforce’s overall privacy program but also our work to ensure customer compliance with and understanding of the General Data Protection Regulation (GDPR), the comprehensive European privacy law that takes effect on May 25, 2018. Salesforce welcomes this law as an important step forward in streamlining data protection requirements across the European Union and as an opportunity for our company to deepen its commitment to data protection.
We caught up with Lindsey for an interview about her background, her data protection North Stars and what she considers essential to know about GDPR as the deadline nears. Following are her thoughts.
Tell us about your background and how you ended up at Salesforce. Have you always been interested in legal matters around security and privacy?
Privacy found me! In high school and most of college, I wanted to be a journalist. But that all changed after I interned at the U.S. Federal Trade Commission’s public affairs department. I was responsible for securing coverage of the FTC’s privacy and information security awareness campaign for kids, which featured a mascot named Dewie the Turtle. He was supposed to become the next Smokey the Bear. Alas, he did not.
But from there, I went to law school and became a privacy lawyer. During law school, I interned again at the FTC and then at the newly formed privacy office of the Department of Homeland Security. Then I was a privacy lawyer at General Electric before joining Salesforce.
Why did you join Salesforce?
Salesforce’s culture of trust and putting its customers at the center of everything it does were the key decision factors for me. It was really exciting to see a company that saw privacy as an opportunity and business imperative.
We are living in an era in which trust in institutions of all kinds and technology is eroding. How does Salesforce think about building trust and protecting the data and privacy of customers?
Trust is Salesforce’s number one value, and our privacy program has always been central to our business. Salesforce was born in the cloud—we understand trust, privacy and security issues intimately. Our privacy model is simple: our customers’ data belongs to them. We do not use it for any purpose and it is our job to do our best to protect it. We have a strong culture of privacy focused on putting individuals in control of their personal data, protecting personal data, and being accountable for our privacy practices.
You’ve just been appointed Salesforce’s Data Protection Officer. What is the scope of your responsibilities and how has the privacy team at Salesforce grown and evolved?
I’ve had the honor of leading Salesforce’s global privacy program for the last ten and a half years, and I’ve also led the Company’s product legal team for the past 4 years. My team’s role has always encompassed ensuring Salesforce complies with privacy laws and helping enable our customers’ compliance in using our services.
So the official DPO designation is a natural outgrowth of our existing program. My team and I will continue to partner across the company to foster a culture of privacy—designing, implementing, and ensuring compliance with our global privacy program, including ensuring that privacy is considered throughout the product development lifecycle. Additionally, Salesforce’s Privacy Working Group, which includes executives from the company’s Privacy, Legal, Product, Engineering, Distribution, Employee Success, and Security departments, will continue to make strategic privacy-related decisions.
How has Salesforce been preparing for the GDPR?
We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place.
Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we’ve published on our GDPR website, www.salesforce.com/gdpr. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.
What else should customers know about getting ready for the GDPR transition later this month?
At Salesforce, our customers’ success is our success. We truly view this as a partnership. We’ve been proactively reaching out to customers to get their feedback on our plans, and to understand how we can better support them. From this dialogue, we learned that our customers wanted readily-available information to help them understand how they can use our services to comply with various areas of GDPR. For example, customers are asking, how can I export data to meet data portability requirements? How can I implement a right to be forgotten request? We’ve updated our publicly-available documentation to help guide our customers through how they can do these things using Salesforce.
What are you hearing from customers about GDPR compliance and other issues related to data protection and privacy?
One of the highlights of my role is that I get to spend a lot of time with our customers to learn about their needs and to get feedback on our program. The top theme I’m hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.
Do you expect that we’ll see more privacy regulation around the world?
That’s likely, yes. Whether we see more laws or not, individuals have greater expectations than ever about how their personal data is handled. Organizations need to meet or exceed those expectations to build and maintain trust.
The World Economic Forum describes the digital transformation we’re currently undergoing as the Fourth Industrial Revolution. With emerging technologies such as cloud computing, artificial intelligence, the Internet of Things, and more, we’re seeing an explosion of data. Individuals are expecting more personalized experiences than ever before—whether in retail, healthcare, or financial services—and at the same time, they are demanding that they are in control of how their personal data is used. Companies must demonstrate that privacy is a top priority to earn the right to deliver these experiences and earn customer trust.
Finally, what’s on Salesforce’s Data Protection Officer’s playlist?
I love early 90s westside rap, particularly Tupac and Snoop Dogg. I also listen to a lot of Duncan Sheik, Michael Jackson, and Fleetwood Mac. And, because I’m a privacy lawyer, you can throw in Rockwell’s “Somebody’s Watching Me” for good measure.