Close this search box.

Salesforce & GDPR

Salesforce & GDPR

This is how you make Salesforce GDPR-proof

Monday morning, 9 am. Your manager wants to know if Salesforce has been made GDPR-proof already. As the application manager, of course you want to show that this has already been arranged properly. And this blogpost will help you in getting there!


Explicit consent


The Spring ‘18 edition of Salesforce introduces the ‘Individuals‘ object. You can link this to leads and contacts, as it contains a couple of handy selection boxes. You can use it to register if an individual’s information may be shared, for instance. The object can be activated via the setup, and triggers are added in to update existing contacts.


Right to access

Mayday, a customer wants an overview of all their registered data! This can be easily organized via an app like Conga, which combines data from different sources in an accessible format. Furthermore, you can use a workflow to automate the mailing of this data. Another option would be to make use of Community Cloud, which gives control to the client where registered data is concerned.


Right to be forgotten

This is potentially the most tricky aspect of GDPR. Personal data form the cornerstone of your CRM system, of course, and is linked to a large number of objects. The last thing you want is to corrupt your statistics by throwing away accounts and contacts. An alternative could be to anonymize or pseudonymize personal data. AppExchange has apps that help you do this, such as Odaseva or DataPro Tools, that are used by one of our customers. Furthermore, did you know that deleted contacts are kept in your recycle bin for fifteen days? While handy, it is also a potential violation of the law!

Privacy by design


The starting point for GDPR is that you have to handle personal data carefully, and that this diligence is built into information systems from the start. Salesforce is a solid choice where this is concerned! Thanks to profiles, roles and permission sets, you have a solid tool at your disposal to properly handle protection of data. You can start of right by designing permissions as tightly as possible at the organizational level. Additional permissions can later be added per person or per function. Lastly, do not forget to pay attention to data minimisation. Only retain data that are necessary to operate your business, and stick to the retention periods as agreed upon internally. Do not forget to document which technical measures you have taken and why.

Let the manager ask his questions about GDPR now. You are ready for it!

Should you still struggle with a question, please contact g-company for advice.

Curious for more?

g-company continues as Xebia!

As of April 1, 2023, g-company continues as Xebia. Consequently, the content on this website will no longer be updated. For the most recent content, please visit the 'Cloud-First Workplace' section on the Xebia site.