The Salesforce Individual Object and GDPR: Thoughts from a Salesforce Admin
With the GDPR deadline for compliance quickly approaching on 25th May, how is your business feeling about the changes it will bring? Uncertainty is not likely to end once live, but things should certainly start to become clearer.
Consumers are going to be the best test for your GDPR readiness
Once the legislation can finally be enforced there will be a period where we will see the law be tested in practice, with the potential for some companies to be made an example of during this time. Also, consumers will realise and start to enjoy their new rights and no doubt test companies that continue to send unwanted email and/or hold information on them with no legitimate purpose.
Many businesses we are speaking with have embraced GDPR and in fact can see many opportunities it brings – the incentive to finally sort out their contact databases and to really target those people that are genuinely interested in what they are doing.
Of course, GDPR is not only about ensuring marketing emails are sent to the right people, it also includes rights for a person to be forgotten and therefore it is necessary to have the correct processes around this in place in Salesforce.
Don’t forget, GDPR applies to your Users too
The law does not only apply to customers, but also to employees, so it is also worth looking at information on HR systems and Salesforce user records – this may provide a specific challenge as it is not possible to delete User records!
Enter the Salesforce Individual Object
After much speculation over the last two years, in the Spring ’18 release Salesforce have come up with their solution to help store the privacy and contact preferences of customers. With the new ‘Individual’ object data privacy records can be created and associated to Leads and Contacts.
The object comes with some standard, mainly check box fields to track preferences such as ‘Don’t Process’ and ‘Forget this Individual’ and in the documentation a couple of sample Apex triggers are provided to create Individual Records against all existing Contacts and Leads. It would be useful to have a sample trigger to create a new Individual record when Leads and Contacts are created, as this will currently be a manual process.
It is also possible to create up to 300 sharing rules on privacy records which will help with who has access to personal data, however at this stage it does not have some of the key features of other standard objects like Record Types, and as a disappointment to Admins, Process Builder cannot be used.
Despite limitations, it is definitely good progress and the lack of Salesforce led functionality is perhaps right in terms of strategy, because every business needs to take responsibility and work internally, or with a Salesforce partner to develop a solution they have ownership of.
There’s more to come…
During the recent London’s Calling user event Salesforce presented on GDPR and detailed possible future improvements coming up in the next releases, such as flags to initiate soft deletes, reporting on soft deletes and then restoring or hard deleting data. Also expect help with scrambling first and last names as well as nullifying and anonymising fields on users.
In the meantime, if you’d like to talk to us now about how we can work with you to prepare, then please do get in touch.
James Harbutt works with a range of Desynit clients, providing Salesforce services and support. He is a Certified Salesforce Administrator and Service Cloud consultant.
The Individual object is a great start, but it is not sufficient for GDPR compliance. Also the implementation is not straightforward.
Which is why we wrote this article based on conversations with Salesforce https://medium.com/@Q9ELEMENTS/gdpr-compliance-and-salesforce-individual-object-bf41e04e7fa3
Thanks for the comment and link Ian, a really great article diving into more of the detail!