Why privacy must be an early priority when implementing Salesforce

5-minute read | October 8, 2021

If you’re considering a Salesforce implementation, please save a seat at the table for your Chief Privacy Officer.

If this surprises you, you’re not alone. We often find that people assume Salesforce—or any cloud vendor—is responsible for data privacy. In fact, if your business collects customer data—whether directly or passively—you are accountable for that data. It doesn’t matter where or how it’s stored; you’re accountable for it. Let that sink in.

The Shared Responsibility Model leaves no ambiguity: your business retains control over information and data management and access, while your vendor has no visibility into that data.

And with good reason. When your customer does business with you, they are trusting you with their data, not your vendors. And that trust is delicate: 46% of consumers feel they’ve lost control over their own data, [1] and just 10% of consumers feel they have total control over their personal information. [2] If there is a data breach, there is serious risk to your reputation: 80% of consumers in developed nations will defect from a business if their personally identifiable information is impacted in a security breach. [3]

With your brand’s reputation on the line, it’s clear you must handle your customers’ data with exceptional care, in order to build true trust and loyalty. And if brand reputation isn’t a compelling enough reason to prioritize privacy, there are also state and global privacy regulations to adhere to. 

Read on to understand how and why you should be proactive about privacy during your Salesforce implementation, and then forward this article to your Chief Privacy Officer.

Privacy by design
The key is to be thoughtful about the way you’re going to handle privacy and security at the very beginning of your Salesforce implementation. Privacy should be intentionally incorporated during the design phase, whether you are implementing a product, process or system.

There are tools to help you do this, such as Consent Management Objects by Salesforce, which can help you manage your customers’ privacy and consent by easily tracking and storing certain data privacy preferences. These can include your customer’s preferences for: 

  • Collecting, storing and sharing their personal data 
  • Packaging their personal data so they can take ownership of it
  • Deleting records and personal data related to them
  • Solicitation of products and services
  • Tracking their geolocation and web activity 

Data lifecycle management 
Your CRM contains a significant amount of sensitive data, which may include: 

  • Transaction information
  • Personally identifiable information
  • Purchase history information
  • Purchase contract information
  • B2B and B2C commerce information 
  • Behavioral information 
  • Demographic information

The process you develop to honor your customer’s privacy must account for and secure their data through its entire lifecycle: point of collection, use, storage, processing, retention and eventual destruction or archival. 

Therefore, you must inventory and map the flow of your data from collection to destruction, connecting the upstream and downstream systems. You can approach data governance within Salesforce along the following dimensions:

  • Data classification: Track and categorize the data in your organization to help you better understand your privacy landscape. Home in on where the sensitive data lives within your system so you can prioritize it. Salesforce allows for field-level data classification.
  • Data retention: Define rules and move data that meets regulatory criteria for removal out of the organization. Salesforce’s Privacy Center helps create scheduled policies and an off-platform data store.
  • Data access: Limit access to data based on the principle of least privilege, so each user only has access to the data which is essential to perform their job. This is necessary to remain compliant with regulatory requirements including GDPR, CPRA and others. Salesforce allows for granular access controls, down to field-level security.
  • Data inspection: Take a thorough inventory of data within your organization and look for potentially sensitive information. Salesforce’s Einstein Data Detect helps with finding and surfacing sensitive data within your Salesforce organization so you can take action.
  • Data residency: Understand the data residency requirements your country has for collecting, processing and storing data inside the country and develop solutions to remain in compliance. Options may include using a third-party service to encrypt and store data in the country of your choice, or hosting data in the country in question and surfacing that data to Salesforce as an external object. 

Information security
Information security forms a critical component under GDPR and other privacy regulations. 

Salesforce Shield has a feature called Event Monitoring which helps with performing real-time data monitoring. Shield also allows you to categorize your data fields, so you can use Salesforce’s Transaction Security tool to prevent sensitive data from being exported. Platform Encryption provides encryption for sensitive data at rest, with customer-managed keys (including BYOK).

Individual rights management 
GDPR, CCPA and other privacy regulations give individuals the right to control their own data. Salesforce offers tools to help you remain in compliance with individual rights management, including its Preference Center for consent management. And with Salesforce’s Privacy Center, you can define repeatable rules. This helps you avoid responding to customer requests manually, which is time-consuming and introduces the risk of data being missed. Privacy Center has additional features to help with rights management, including Right to be Forgotten, Right to Portability, preference management, and others. It also assists with data retention.

Business leaders take note
It is critical that the C-suite understands where and how data is stored within its organization, and takes accountability for privacy issues. Contact us today and we will help you develop a privacy compliance roadmap and continue to build trust with your customers.

PwC’s Trust by Design solution helps to design and implement an effective model to address both privacy and security risks during a Salesforce implementation. Contact us today to begin your journey.

[1] Salesforce, State of the Connected Customer, 2019
[2] PwC’s Cyber & Privacy Innovation Institute
[3] IDC, 2017
