At Salesforce, Trust is our #1 value. Nothing is more important than earning the trust of each of our 150,000 customers and protecting their data — privacy has always been core to our business. And our privacy model is simple: our customers’ data belongs to them.
Salesforce’s robust privacy program meets the highest standards in the industry, and we have consistently reinforced our commitment to protecting our customers’ data — including becoming the first top-10 software company to achieve approval for Binding Corporate Rules for processors from European data protection authorities in November 2015.
We see the EU General Data Protection Regulation (GDPR) as an important step for our industry and the protection of data and individuals. The GDPR provides a blueprint for companies to put the customer at the center of their privacy programs — empowering individuals to control how their data is used.
Salesforce’s preparation has been focused on ensuring we comply with the GDPR and documenting how our customers can use our services to comply with key GDPR principles. We’ve also worked with a cross-functional team across our Legal, Technology and Product organizations to deliver intuitive tools to help our customers comply with the GDPR.
Ahead of the GDPR’s May 25th enforcement date, we want to share a few updates on our preparation:
New Data Protection Officer:
As required by the GDPR, we’ve appointed a Data Protection Officer (DPO), who will be responsible for compliance and will serve as a point of contact between the company and supervisory authorities. Our DPO is Lindsey Finch, Salesforce’s SVP of Global Privacy and Product Legal. Lindsey joined Salesforce more than 10 years ago and currently leads our privacy and product legal teams.
You can read more about Lindsey here: Q&A: Salesforce’s Data Protection Officer on Trust, GDPR, and How Privacy Found Her
New Customer Resources:
In February, we launched a GDPR website and posted the following resources for our customers:
- New Help Documentation that outlines the steps for customers to consider for data subject access requests.
- A publicly posted GDPR-ready Data Processing Addendum that customers can fill out, sign and return to us.
- The European Union Privacy Law Basics Badge on Salesforce Trailhead that anyone can earn to learn more about the GDPR and EU privacy law.
- Informational papers on our resources website, including FAQs, Data Protection Impact Assessments, and Key Facts.
We’ve also hosted a dozen customer events to discuss the GDPR and given presentations at Dreamforce, Salesforce World Tours and the IAPP Privacy conferences in Washington, D.C. and London. In addition to these in-person events, we’ve hosted numerous webinars targeted to specific audiences including ISVs, app developers, EMEA customers and more.
New Product Functionality:
When the GDPR was introduced, our cross-functional team kicked off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document — 99 articles and 173 recitals across 88 pages! When we broke down the information, we found that we were already in a really great place. Since then, a lot of the work we’ve been doing has been to document how our customers can use our services to comply with some of the key GDPR principles.
In July 2017, we were the first company to publicly commit in its Data Processing Addendum that all products will be compliant with the GDPR before May 25, 2018.
Here are two examples of new functionality we’ve introduced as a result of our review:
Salesforce Platform: The Individual Object
In our Spring 2018 release, we added the Individual Object. This new object is a way to consolidate an individual’s privacy preferences that may be referenced across many Salesforce records — including contacts, leads, personal accounts and custom object records. This new object is now available in both Salesforce Classic and Salesforce Lightning. (See the top image found below this post.)
Read more: Individual Object documentation.
Marketing Cloud, DMP: Granular Consent Model
Many people are interpreting the GDPR as requiring more granular consent than ever before. As a result, we’ve re-architected Salesforce DMP with a new consumer rights framework. We have built functionality that enables our customers to track and record consents they’ve received at a very granular level — giving customers greater control, flexibility and adaptability.
Read more: DMP Implementation Best Practices for GDPR