Data protection and privacy regulations have been a key area of focus for most organisations over recent years. Such regulations are emerging – more so than ever before in 2023 – and non-standard across international boundaries, which for multinational businesses poses a real challenge in respect to compliance and risk. The penalties for non-compliance can be significant in both monetary and reputational terms.
This post provides an overview of data protection and privacy regulations across key Salesforce markets and highlights the key elements to be considered for multinational implementations. Please note that this overview is necessarily indicative in nature given the complexity of the subject area; organisations should always take expert advice in respect to their legal obligations. Further to describing the regulations, a summary is provided of the solution options available on the Salesforce platform natively or via the AppExchange for managing data protection and privacy compliance.
Key definitions:
- Personal Information (PI) : any information related to an identifiable individual.
- Sensitive Personal Information (SPI) : personal information related to race, religion, politics, sexual orientation, medical history, biometric or genetic data as examples.
- Data protection : regulations which govern how an organisation must protect personal information from unauthorised use.
- Data privacy : regulations which govern the use of personal information by an organisation in respect to the privacy level set by the individual who is the legal owner.
As the largest Salesforce market by most measures, the USA is a good starting point for the discussion of data protection and privacy requirements. At the national level, historically the collection of personal information has not been restricted or regulated, instead the regulatory emphasis has been on harms prevention in specific sectors such as healthcare (HIPAA) , finance (GLBA) and education (FERPA) and for the protection of children online (COPPA). The American Data Privacy and Protection Act (ADPPA) is a proposed federal online privacy bill that is yet to be enacted into law. 2023 sees a number of states introducing state level data privacy statutes which, as with the federal ADPAA, align to the general principles of the European Union’s General Data Protection Regulations or “EU GDPR” introduced in 2018.
In many respects the EU GDPR serves as a best-practice reference which is informing the direction taken by emerging data protection and privacy regulations internationally.
The EU GDPR defines the strictest and most comprehensive set of data protection and privacy regulations globally. The personal information of EU residents is regulated for all businesses (or data controllers) that sell products or services to the EU, whether EU based or otherwise. The term extraterritorial describes this broad geographic applicability. The EU GDPR mandates that businesses operate in a transparent and accountable manner and enable individuals to exercise control over their personal information. In respect to international data transfers (such as those to Salesforce servers in the US), the EU makes an adequacy decision on a country-by-country basis as to the level of data protection and privacy controls in effect. Data transfers are allowed to countries deemed to be adequate, however data processor legal contracts or similar are required. For countries without an adequacy decision (including the USA) the contractual basis is stricter; in mitigation, the Salesforce data processing addendum incorporates EU-approved mechanisms including Processor Binding Corporate Rules and standard contractual clauses.
The key principles of the EU GDPR can be summarised as:
- Fairness and Transparency – data subject (individual) should be notified about the personal information collected and its intended use.
- Purpose Limitation – data processing activities should be limited to legitimate use.
- Data Minimisation – only necessary personal information for the intended use should be collected.
- Accuracy – collected personal information about an individual (or data subject) should be accurate.
- Data Deletion – personal information should be retained only as required for the intended use.
- Security – appropriate technical and organisational security measures must be employed to protect personal information against unauthorised processing and accidental release, access, loss, destruction,or corruption.
- Accountability – data controllers must be able to demonstrate compliance (via record keeping, assessments etc.)
- Individual Rights – data subjects have the right to request that a data controller provide access (incl. portability), correct, restrict use, and remove their data,and also to object to its use. Such requests are referred to as Data Access Subject Requests.
The EU GDPR regulations remain largely in effect in the United Kingdom (UK) post-brexit. The UK’s data protection regime (the Data Protection Act 2018) encompasses the UK GDPR, which is a retained version of the EU GDPR. There are some differences in terminology and scope, however the passage of time has not yet allowed divergence of any significance.
The privacy regime in effect in Canada is the Protection of Personal Information and Electronic Documents Act (PIPEDA). The PIPEDA regulations are federal in scope with exceptions for provinces with competing legislation. Whilst similar in intent to the EU GDPR, PIPEDA is applicable to private entities only, allows both implied and express consent (as opposed to express only) and provides significantly less rights to the individual. The Australia Privacy Act 1988 has similar differences to the EU GDPR as PIPEDA; less individual rights, less specificity in respect to consent etc. In both cases the EU GDPR regulations are generally more all encompassing, detailed and stringent in nature.
The privacy regime in effect in Japan is the Act on the Protection of Personal Information (APPI). The APPI was originally adopted in 2003 as one of first data protection regulations across the Asia Pacific region. Subsequent revisions have aligned the APPI with the EU GDPR such that both Japan and the EU have reached an adequacy decision which allows personal information to flow between the respective economies. The same adequacy decision exists for both Canada and the UK. As noted earlier, for the USA this is not the case and contractual arrangements such as the Binding Corporate Rules provide an alternative legal basis for data transfers.
With a focus on alignment to the EU GDPR regulations, the table below provides a high-level, indicative comparison of data protection and privacy regulations across key Salesforce markets.
| USA 1st & 2nd States by enforcement date | EU | UK | Canada | Australia | Japan | |||
| Regulations / Key Elements | California – CCPA & CPRA | Virginia – VCPDA | EU GDPR | DPA 2018 / UK GDPR | PIPEDA | Privacy Act 1988 | APPI | |
| Data Protection (Data Controller Obligations) | Privacy by Design & Default | – | – | X | X | – | – | – |
| Record Keeping/Transparency | X | – | X | X | – | – | – | |
| Data Minimization | X | X | X | X | X | X | – | |
| Security Controls | X | X | X | X | X | X | X | |
| Informed Consent | – | X (SPI) | X | X | X | X | – | |
| Legitimate Use | X | X | X | X | X | X | X | |
| Data Processor Legal Contract | X | X | X | X | X | – | – | |
| Breach Notification | X (no timeline) | – | X (72 hours) | X (72 hours) | X (no timeline) | X (no timeline) | X | |
| Data Protection Officer | – | – | X | X | X | – | – | |
| Data Protection Impact Assessment | – | X | X | X | – | – | – | |
| Data Privacy (Data Subject Rights) | Access | X | X | X | X | X | X | X |
| Correction | X (CPRA) | X | X | X | X | X | X | |
| Portability | X | X | X | X | – | – | – | |
| Deletion | X | X | X | X | X | – | X | |
| Consent (sale/sharing) | X | X | – | – | – | – | – | |
| Consent (direct marketing) | – | X | X | X | – | X | – | |
| Consent (profiling) | – | X | X | X | – | – | – | |
| Consent (processing) | – | – | X | X | – | – | X | |
| Consent (for SPI) | X | – | – | – | – | – | – | |
| Object / Appeal | – | – | X | X | – | – | X | |
| Private Right of Legal Action | X | – | – | – | – | – | X | |
| Non-discrimination | X | X | – | – | – | – | – | |
| Extraterritorial | X | X | X | X | X | X | X | |
| Applicability | Businesses operating in California with >$25M revenue or, 50% revenue from selling/sharing PI or, buy/sell/share 100K California residents p.a. | Businessees operating in Virginia who control or process 100K consumers p.a. or, 25K consumers p.a. and >50% of revenue is derived from the sale of that PI. | Entities offering products or sevices to the EU, or monitoring EU citizens. Some exemptions for SME. | Entities offering products or sevices to the UK, or monitoring UK citizens. Some exemptions for SME. | Canadian businesses that collect, use or disclose personal information in the course of a commercial activity. | Businesses operating in Australia incl. Australian businesses with > $3M AUD revenue or trade in PI or provide health services or opted-in. | Businesses that handle the personal information of individuals in Japan. | |
| Public/Private Entities | Private | Private | Both | Both | Private | Both | Private | |
Salesforce as a platform for customer data management provides tools and capabilities to help organisations manage compliance. Standard platform features enables consent to be recorded alongside the personal information which drives the typical operational processes supported by Salesforce i.e. marketing, sales and service. More sophisticated, perhaps multi-stage or multi-cloud, consent management processes can be implemented using the rich declarative and programmatic customisation options offered by the Salesforce platform. Where prefabricated, or industry-specific solutions are required the AppExchange provides a wealth of options; this is true also for the data quality and data management tools which can be imperative in delivering the unified view of the customer that is critical to compliance.
The table below describes the solution options (tools and capabilities) to consider when managing data protection and privacy compliance on the Salesforce platform.
| Compliance Solutions | ||
| Standard Features | Hyperforce | Hyperforce enables the public cloud deployment of Salesforce apps and services in mulitple global regions. For example, the Hyperforce EU Operating Zone enables Salesforce customer data to be securely resident within the EU. Compliance requirements in relation to international data transfers are largely mitigated. |
| Privacy Center | Privacy Xenter is a suite of data management tools installed by a managed package with secure off-platform storage via a Heroku Private Space. Heroku Data Retention Store data can be exposed in Salesforce core via External Objects. Features: (1) Automation of Customer Data Retention Policies. Mask; anonymisation/pseudonymisation, library replace or, Delete; move to Heroku storage or hard-delete. (2) Right to be Forgotten (RTBF) Policies. Specify the related records to be deleted as a single action. (3) Data Subject Requests / Portability Policies. Portability Policies define the location of PI across Salesforce objects. The Portability API is used to collate data for a policy and generate a file and secure download link. (4) Data Subject Requests / Privacy Requests. Track DSR recorded in Privacy Centre via the PrivacyRequest object. $$ Additional cost; license includes add-on credits to provision Heroku resources for the Data Retention Store. | |
| Preference Manager (Privacy Centre) | Create and publish Preference Forms (Apex or Template based) for secure self-service preference/consent capture via Experience Cloud or external website. | |
| Data Protection and Privacy Settings | The Consent Data Model introduces standard objects for the purpose of managing consent at multiple levels of granularity (global, engagement channel, contact point and data use purpose) plus the legal basis where applicable. Global consent is recorded on the central Individual record; which can be related to a Lead, Contact, Person Account or User; or any combination thereof. Global consent includes privacy attributes such as: Don’t Process / Profile / Solicit / Track Forget this Individual Export this Individual’s Data With Data Protection and Privacy Settings active, Email Privacy can be enabled to prevent the send of both Commercial and Non-Commercial emails via Salesforce email tools, where the related flags above are set or the associated person record (Lead, Contact, Person Account) field Email Opt-out is true. The “Send Non-commercial Emails” user permission overrides the non-commercial send restriction however the user must confirm that the email being sent is non-commercail at send time. Note, there are difference in the above statement in respect to Classic versus Lightning email tools. | |
| Consent API | A REST API which aggregates consent for a specific action (e.g. process, email) across all available records for the individual and returns the most restrictive permission found. Either the Salesforce record Id or a contact point such as email address can be used to query consent. The Consent Write API enables external systems to push consent changes which potentially update multiple records across the Consent Data Model. This API can also generate Individual records where required. | |
| Consent Event Stream | An aggregated stream of change events that cover all objects in the Consent Data Model and also person obejcts such as Lead and Contact. Use this stream to push notifcations of consent changes to external systems. | |
| Data Classification | Salesforce provides metadata fields (Compliance Category, Data Owner, Sensitivity Level and Field Usage) which are used to classify data on all standard and custom objects. The Compliance Category picklist field can indicate the effective regulation i.e. GDRP, CCPA, PCI, HIPPA, PII. Einstein Data Detect can be used to expedite the classification process using actual data. Data Classification settings can guide decisions on Transaction Security and Shield Platform Encryption. | |
| Sandbox Data Mask | Data copied to Full-copy and Partial-copy sandboxes can be automatically masked to ensure compliance. Field values can be randomised, replaced from a library or deleted. Salesforce Data Mask is installed as a managed package. The masking process can have a usability impact on the data; for example the library address data is US only. $$ Additional cost. | |
| Shield Platform Encryption | Field-level data encryption at rest. It is common for regulations to require data to be secured at rest via strong encryption. Shield Platform Encryption supports probablistic and deterministic encryption schemes. $$ Additional cost. | |
| Export Data | Salesforce APIs and data loader can be used to extract customer data in response to a Data Access Subject Request. | |
| Data Policies for Einstein features | Standard features exist to enable exclusion from Einstein related maching learning models. | |
| (Example) Custom Solutions | Right to be Forgotten (RTBF) Anonymisation and Pseudonymisation | Organisations without access to Privacy Centre may develop custom solutions to automate the handling of requests to be forgotten. Techniques such as anonymisation and pseudonymisation can be applied in preference to record deletion. |
| Consent Data Model Automation | With consent recorded on multiple records across the Consent Data Model it can be necessary to implement custom solutions which aggregate consent to an ulitmate yes/no decison or cascade down global consent changes. Data archiving of consent changes (with reasons) to a Big Object is also a common custom solution. | |
| Consent Synchronisation with Marketing Cloud | The Salesforce Solution Kit Respect Consent Preferences in Marketing Cloud with the Consent Data Model describes the business use case and related custom solution approach for the synchronisation of consent between the Consent Data Model and Marketing Cloud. | |
| AppExchange Categories | Compliance Management | Typical Features: (i) Compliance process management (e.g. policy definition & automation plus procedure templates) (ii) Data Subject Request management and automation. (iii) Scanning and data masking. |
| Data Archiving | Typical Features: (i) Customer data retention policy automation. (ii) Secure, immutable data backups with restore functionality. (iii) Sandbox data anonymisation. | |
| Data Management | Typical Features: (i) Customer data de-duplication. (ii) Policy based mastering of consent data. (iii) De-duplication / aggregation of consent data. (iv) Enforcement of regulatory requirements / corporate standards. |
The Salesforce platform provides myriad options for the management of data protection and privacy compliance across international boundaries. For some Salesforce customers the completeness and automation offered by Privacy Center will be compelling. In other cases a combination of the solution options described above will be more appropriate. As an example solution approach, the Consent Data Model could be implemented to record consent and legal basis with a Custom Object and Flow for tracking of data access subject requests and AppExchange solutions for customer data de-duplication and retention policy automation.
In an increasingly regulatory international environment a clear understanding of the general principles of data protection and privacy regulation is imperative to delivering a secure, compliant Salesforce environment.
Resources: