Salesforce and GDPR

As organizations running Salesforce find new ways to understand and connect with their consumers, they must also be mindful of a user’s right to privacy. And as more governments are stepping up and enshrining that right in far-reaching legislation, it’s more important than ever to make sure you’re handling private data in a transparent, ethical manner.

Luckily, Salesforce provides many robust tools and security programs to help accelerate compliance efforts.

What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that governs how organizations can use the personal data of EU residents. GDPR applies to any organization worldwide that sells products/services to EU residents; it is also the model for similar North American legislation such as the California Consumer Privacy Act (CCPA).

At the heart of both GDPR and CCPA are what’s known as Data Subject Rights — the right of a user to exercise control over their personal data, including the right to review or delete any information a website or company has collected on them. 

For companies running Salesforce, this means that they must be able to respond to data subject requests to delete, review or restrict their data in a timely fashion.

How does Salesforce help?

Salesforce offers several security and privacy tools to help organizations quickly satisfy data subject requests and maintain GDPR compliance. Take a look at some of the most important requirements and how the platform meets them below.

Data Deletion

GDPR requires organizations to be able to delete an individual’s information upon request. For Salesforce teams, this can mean several things: removing data for a specific contact ID, removing employees who have left the company, or removing sensitive data from a Sandbox org or package version, for example.

Data Portability

Similarly, users or customers may request a record of all the data that’s been collected on them, either instead of or in addition to deletion. This requires finding the data and exporting it; however, certain security settings and data models can make this difficult — the data you’re looking for may be stored in attachments or governed by export limits. 


Organizations subject to GDPR must have permission to contact, use or handle an individual's information. (Critically, the main difference between GDPR and CCPA is that under GDPR this permission must be obtained in advance.) Salesforce complies with this requirement through features such as Do Not Call and opt-out preferences, which can be managed through your data privacy settings.

Restriction of Processing

GDPR also allows individuals to pause or restrict how an organization processes their data. Typically this is done for legal reasons, or to correct inaccurate data. In either case, the main consideration is to export a copy of the data before deletion using the Data Loader.

Data Classification for GDPR

Salesforce has a lot of resources in its user guide for GDPR compliance, but they’re all predicated on the assumption that you know where PII is stored in your org. The fact is that for most companies, especially those that are far along the maturity curve or running a heavily customized instance, simply finding the information is the hardest part of fulfilling a data subject request.

That’s why we recommend starting your journey to GDPR compliance with a data classification project. After all, you can’t manage data effectively if you don’t know where it is. 

Strongpoint complements Salesforce’s native tools with intelligent, time-saving automation that reduces the time and cost of a data classification project. With it, you can quickly gain an extra layer of auditability over personally identifiable information stored on the platform.