Blog: GDPR & Salesforce Privacy by Design and Accountability

Posted by Pete Thurston
Pete Thurston”


This blog is based off of our webinar, "GDPR & Salesforce Part I," that we held earlier this year. You can watch the highlights above.


The General Data Protection Regulation (GDPR) is a law on data protection and privacy for European Union citizens that came into effect on May 25, 2018. GDPR impacts a vast number of businesses, regardless of what products they sell, how big they are, or where they’re located. Compliance is mandatory, and the penalties are severe. Companies that have Salesforce, however, have a bit of a leg up on the rest of the lot. Salesforce has some powerful features that can be applied to comply with different elements of GDPR. 


In this post we’re going to look at some specific GDPR articles and what they mean, then outline the Salesforce features that can be used to help achieve and maintain compliance with each.

Before we get into detail around some of the more pertinent articles let’s start by taking a high-level look at GDPR. 

There are three strong themes that emerge from within GDPR:

  1. Privacy by Design
  2. Data Protection and Accountability
  3. Individual Rights and Control

Privacy by Design: Prioritize privacy and security when designing a system. 
Accountability: Take responsibility for the privacy of other people.
Individual Rights and Control: Consent management, the right to be forgotten, and data portability.

In this post, we’re going to focus on Privacy by Design and Accountability—don’t worry though, we’re not forgetting about Individual Rights and Control—that will be the topic of our next post.

So, if you’re impacted by GDPR and you have Salesforce, where do you even start? 

Simple answer: Salesforce Shield. 

Why Shield? Because Salesforce Shield has three components that align very well to GDPR, specifically:

  1. Platform Encryption: Natively encrypts sensitive data at rest
  2. Event Monitoring: Detailed data and activity monitoring
  3. Field Audit Trail: Prevents data loss, provides auditability and ability to recover information that might have been modified incorrectly

Now let’s take a look at some specific GDPR articles and explain how these 3 Shield components can support compliance.


Articles 25 & 32 - Basics

Article 25: Data Protection by Design and by Default
When you’re designing or implementing a system or a way to store information, you should be thinking about privacy first, and by default, making the system as secure as possible.

Article 32: Security of Processing
Covers the general protection of data, technical security, data access control, change control, and oversight.

Salesforce Shield vs. Article 25 & Article 32:

  • Platform Encryption: Encrypts data at rest, which helps by de-identifying personal information. Allowing you to store it but while having it anonymized at the database level.
  • Event Monitoring: Allows you to keep an eye on general security measures. If suspicious activity is detected, this will allow you to identify it as early as possible, which will and prevent possible further negative impacts. It also increases visibility and control over how users are interacting with company data.
  • Field Audit Trail: Data Retention Policies/ Data resilience—understand what has happened to your information and retrieve damaged information.
  • Platform Encryption: Encrypts data at rest, which helps by de-identifying personal information. Allowing you to store it but while having it anonymized at the database level. 


Articles 33 & 34 - Breaches

Article 33: Notification of personal data breach to the supervisory authority
Responsible for telling authorities about a breach.

Article 34: Communication of a personal data breach to the data subject
Responsible for telling impacted individuals about a breach.

Salesforce Shield vs. Article 33 & Article 34:

  • Platform Encryption: Minimize the impact of a breach by using Platform Encryption to make the data useless. Encrypting personal data makes it unintelligible—so even if it is accessed in certain types of breaches, you may not need to notify individuals.
  • Event Monitoring: Understand the severity of a breach through forensic research to know if it should be elevated to the individual or authority. Event Monitoring also allows you to monitor and identify suspicious activity early to contain or eliminate potential threats.


Article 5 - Retention

Article 5: Principles relating to processing of personal data
What data can and should be stored, and for how long?

Salesforce Shield vs. Article 5:

  • Field Audit Trail: Defines detailed history retention policies to control and archive information history at an object level. Supports a key GDPR principle that personal data must be retained for “no longer than is necessary”—so it allows you to keep data long enough to provide evidence of what has occurred, but also knowing when it’s OK to delete.


Article 24 - Controller and Processor

Article 24: Responsibility of the controller
If you’re using the data to do business, then you’re a “controller”. If you’re helping a controller do their business, you’re a “processor”. As a controller, it is your responsibility to know what data you have and be able to demonstrate your compliance with written policies.

Salesforce Shield vs. Article 24

  • Field Audit Trail: Allows you to prove and demonstrate that you have Historical Data Retention Policies both defined and implemented, and helps you know what you have in the system.
  • Encryption Statistics: Prove that for a given field, 100% are encrypted at rest, in the data tier, with the most current key.


There’s much more to GDPR than was covered in this post, and it’s certainly here to stay. Our advice? Continue to educate yourself on the regulation and become more aware of how it specifically impacts your business by identifying your risk areas. For companies looking to enhance their Security and GDPR compliance, Salesforce Shield is a powerful solution that addresses some of the core aspects of GDPR: Privacy by Design, Data Protection and Accountability.

Let us know if we can help. We’re a team of Salesforce Security & Privacy experts. We’ve built AppExchange products and offer services that help with Shield implementation and maintenance.

Salesforce Security & Privacy - Resources CTA-08-08-1

Topics: Privacy

Subscribe to the Blog