Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


Using Salesforce Analytics for GDPR Compliance

Compliance & Regulation

illustration of salesforce GDPR

272 Million Euros.

That is the total amount in fines imposed by the European Union on businesses for non-compliance to GDPR, data infringement, and breaches on data protection since the launch of the GDPR act in May 2018. It should come as no surprise that businesses, big or small, have been setting aside enormous time and investment in their IT systems to ensure that they have been able to satisfy the strictest of GDPR regulations. A bulk of these investments are allocated to secure and manage their source of truth for customer data across their IT landscape. Considering the state of the market in 2020-2021, that happens to be on Salesforce.

If you use Salesforce as your CRM and are looking for guidance on bolstering your GDPR compliance in 2021, this guide is for you. We will ensure that we show you how Salesforce Analytics can provide your customers the right assurances on responsibly handling and processing their data.

Is Salesforce GDPR Compliant?

Short Answer – Absolutely.

As a designated processor of customer data, Salesforce provides comprehensive controls to handle data requests and securely manage data for all these business processes throughout the customer lifecycle. In addition to this, Salesforce also provides a robust data processing addendum covering data transfer frameworks for EU-approved data protection policies.

But although Salesforce as a platform offers all these assurances to conform with GDPR, it is ultimately up to you as a business to be responsible for treating customer data as sacrosanct. It also means that your responsibility extends to all your IT systems and how your different partners and customer-facing teams manage their business process dealing with this data.

Let us take a detailed look at understanding the various aspects of GDPR compliance about customer data across their journey interacting with a business. There are three aspects of a customer’s online journey that businesses might need to maintain customer data, namely:

As a Visitor

This phase is when the customer is an intent visitor looking to understand more about a business. GDPR stipulates that we comply with the following regulations:

Consent: Ensure that there is a formal way of requesting and recording consent from a customer for collecting and recording customer data

Security and Transparency: Ensure that there is an honest disclosure on the purpose, approach, and the nature of customer data being recorded with secure methods to access this data

As a Customer/Returning Visitor

This phase is when the customer is engaging as a regular visitor, a prospect, or an existing customer to this business. GDPR stipulates that we comply with the following regulations:

Access to information: Customers should have the right to access their data and see what is being recorded and stored within a 30-day window

Data objections and changes: Customers can raise objections on how their data is used and can request that inaccurate information be corrected

Notifications: Customers need to be notified if their data is exposed as part of a security breach within 72 hours of confirmation.

As a Past/Dormant Customer

Right to be forgotten: Customers would want to delete their customer data as part of their voluntary request to be disassociated with the business.

Data portability: Customers could request the business to export all their data in the form of requests.

GDPR customer

How to Use Salesforce Analytics for GDPR Compliance

In the previous section, we looked at the various aspects of GDPR compliance to access, store, and manage customer data across their journey. We will now look at how Salesforce Analytics helps us conform to GDPR regulations in each of these steps.

Managing Consents in Salesforce

Salesforce enables you to honor people’s requests about how you as a business would use their data. The Salesforce platform supports GDPR and nation-specific data protection laws like CCPA in the United States or CASL in Canada. The most common use cases are implementing data privacy preferences to manage customer privacy in the form of Consent Management Objects.

These objects allow us to establish authorization audit details and manage communication methods for customers to provide consent authorization and record communication preferences, respectively. For example, these objects can enable customer preferences to prevent sending emails or prevent referring customer data.

consent capture options within a salesforce flow

Restrict Data Processing for the Salesforce Platform

Salesforce Analytics can help you restrict the number of actions you can perform to protect and preserve customer data to comply with GDPR. As a business, you can export, backup, and annotate customer data to hold processing any changes to such data when situations require you to do so. The Salesforce platform enables this in the form of Data Export options and also programmatically in the form of Restrict Contact APIs.

RESt API example to restrict processing of specific contact IDs

Example use cases may include legal proceedings and inaccuracies in captured data from the customer’s end, which might prevent us from acting on that data until they have been resolved.

Modifying and Deleting Customer Data

Salesforce enables you to comply wherever you are required by mandate to modify and delete data when customers request it or when you are no longer needed to maintain it. Typical use cases include past user or employee records, old session details, logs, and recommendation data.

Salesforce can help your business comply with these scenarios by enabling REST APIs to find all these contexts, orchestrations, and recommendation reactions from customer data and act on it by exporting this data or deleting it. Salesforce provides a wide range of actions to modify and delete data in scenarios like:

  • Deletion of all sensitive data from production org and sandbox
  • Letting Community or Chatter users deactivate their accounts on demand
  • Deletion of orchestration instances that contain customer data
  • Enabling deletion of all data associated with a customer or admin

REST API example to get and delete recommendation reaction data

Enabling Data Portability in Salesforce

GDPR requires businesses to enable customers to export their entire data. The Salesforce Platform provides data portability in the form of a Portability API, which detects and displays all objects connected to the customer, including objects representing Personally Identifiable Information (PII) data. Once we activate this policy, this API provides links for your customer to download and export their information securely.

Example to show and select identifiable fields on the contact object

To enable automatic deletions through policy enforcement, the latest platform release (Spring 2021) would also allow you to get timely reminders and automatically delete customer data generated by this API after 60 days.

Salesforce GDPR Compliance: A Proactive Responsibility

Enabling these controls on the Salesforce platform is just one of the many activities you would have to undertake to safeguard your customer data privacy. We understand that complying with the strict regulations in GDPR compliance can be stressful. However, these controls are an essential step to ensure compliance and protect your business’s core: your customers.

In a world where data breaches happen every day, and the cost of customer data theft can cause millions of dollars in damages, ensuring data privacy is an absolute necessity. At Varonis, we are at the forefront of enabling data protection and security and have deep expertise in providing comprehensive GDPR compliance solutions.

Renganathan Padmanabhan

Renganathan Padmanabhan

Renga is a product manager and a digital experience leader with 15 years in tech. He writes exclusively on product, design, technology, and content on The content and views expressed are his own alone and do not necessarily reflect the views of his employer.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.