Salesforce is a Customer Relationship Management (CRM) platform with more than 150,000 customers. According to the Salesforce Annual Report, Salesforce has a total subscriber base of 3.75 million, and is a tool that is implemented by hundreds of businesses across the globe. Naturally, Salesforce obtains, processes and stores large amounts of personal data – after all, it is a cloud CRM platform. However, if your business is in the European Union (EU), or you’re a company that works with EU citizens, you need to make sure you’re acquiring, handling and keeping data in an ethical and GDPR-compliant manner – even if you are outsourcing the process to a third-party platform such as Salesforce.
What is GDPR?
GDPR is the acronym for the General Data Protection Regulation that is coming into place on May 25th 2018. This digital privacy regulation is being put in place in order to combine and simplify privacy legislation across the EU into a single set of rules that all companies must follow. It is important to remember that May 25th 2018 is not a deadline, but organisations should have clear evidence that they are taking the necessary steps to become GDPR compliant by this date. Accidental breaches will be made, naturally – however, it is important that you tell the ICO about any breaches within 72 hours of them being made.
To remain GDPR compliant, companies must seek clear permission to obtain, process and use customer data, clearly state what the data is going to be used for, and give users an easy way to ‘opt out’ and revoke access. Companies that do not follow GDPR will face fines of up to €20 million or 4% of their annual global company turnover.
Why Does Salesforce Need to be GDPR Compliant?
You’re probably thinking ‘Salesforce is an American CRM system’ or ‘my business isn’t even in the EU, why do I need to follow this legislation?’ However, if you’re an international business outside of the European Union doing business with any citizens or companies inside the EU, then you must comply with these regulations. Salesforce confirmed that they have 20,000 customers in Europe, which means they will be processing and storing substantial amounts of personal data about EU citizens. With 18% of their revenue coming from Europe, ensuring they remain GDPR compliant is crucial. However, whilst Salesforce must take (and are taking) steps to follow the new data protection regulations, it is up to your business to ensure that you are using Salesforce ethically and also remaining compliant.
What is Salesforce Doing to Become GDPR Compliant?
Salesforce have stated that they will comply with GDPR in the “delivery of our service to our customers.” Their statement also says that they are “dedicated to helping our customers comply with the GDPR. We are working to make enhancements to our products, contracts, and documentation to help support […] our customers’ compliance with the GDPR.” (Salesforce) Their GDPR page also features Trust and Compliance documentation that discusses their service’s certifications, applicable administrative, technical, and physical controls, sub-processors and much more.
This public statement informs all of their customers about their stance on GDPR for each individual service they offer, letting consumers know exactly what personal data they need, who will access it, why they need it and how long they are storing it for. These are the clear and transparent guidelines needed to become GDPR compliant.
How Can I Use Salesforce Ethically?
As we mentioned earlier, it is up to each individual organisation to make sure they are clear with their consumers about the data they are collecting, the third party services (in this instance Salesforce) they are using to store this data and how the user can get said data removed. You should clearly state this in your website’s privacy policy.
According to the Salesforce Code of Conduct, Salesforce “values transparency, trust, respect, and communication. When you enter into a partnership with Salesforce, it’s important that you and your company uphold these values. By behaving in an ethical manner, you’re building a foundation for a strong relationship between Salesforce and your organization.”
It could be argued that any business using Salesforce and not making any effort to become GDPR compliant will be violating the terms and conditions of Salesforce, as the new regulations have the aim of giving users transparency in terms of what their data is being used for, and how they can get their personal information wiped from the business’s database.
In theory, this is aligned with Salesforce’s code of conduct and ethics. This means that if you are intentionally breaching GDPR regulations or not even trying to comply, you are not using Salesforce ethically.
Main Takeaways
- Make it clear that you are using Salesforce (and any other third party platforms) in your website’s privacy policy.
- Take steps towards becoming GDPR compliant.
- Align your company’s ethos and ethics with those of Salesforce and GDPR.
- Take steps to keep the information you use and store from Salesforce safe.
At Purus Consultants, we will do everything in our power to ensure the data we hold about you is safe, secure and clear. We strive to align our beliefs with that of Salesforce. You can find out more from our Privacy Policy here.