Data protection is essential to Salesforce as a business. The cloud computing giant handles an enormous quantity of data from more than 150,000 companies who use its Customer Relationship Management (CRM) platform, who trust that their data will be handled securely and ethically.
The Salesforce privacy model is centred on the idea that customers should own their own data, which empowers individuals to control how their information is used. The company has welcomed GDPR as it provides a blueprint for this, and Salesforce CEO Marc Benioff has called for a similar privacy law in the US
"GDPR really does a number of things," Lindsey Finch, Salesforce's first data protection officer, tells Computerworld UK.
"It's focused on ensuring that data is secure, that individuals have control of how their data is used, but also making sure that organisations are accountable for their privacy practices."
The Salesforce GDPR strategy
Salesforce broke down the 88-page regulation into four core categories: data portability, restriction of processing, consent management and data deletion, also known as the right to be forgotten.
“We went across all of our different products and services cloud-by-cloud in each of those areas to make sure that we are compliant as a data processor, but also looking at it from our customers' perspective, to ensure that our customers could comply with those principles in using our services," says Finch.
In February, Salesforce launched a GDPR website, which offers guidance, training modules, and other resources to help customers comply with the implications of GDPR on each Salesforce service.
The company has published a Data Processing Addendum that customers can fill out, sign and return to ensure that they continue to transfer data to Salesforce without interruption, Help Documentation on fulfilling data subject access requests, and guidance on Data Protection Impact Assessment (DPIA) issues.
Salesforce has also added new functionality to the platform. The Individual Object was introduced to consolidate privacy preferences across numerous Salesforce records, while the Salesforce DMP (Data Management Platform) was re-architected to help customers track and record the consents they've received at a granular level.
GDPR as an opportunity for Salesforce
Salesforce is positive about GDPR as the company sees it as an opportunity to enhance the customer experience and develop a stronger relationship with clients.
"A lot of the attention around GDPR right now is looking at it as a compliance headache," says Finch.
"We really see this as an opportunity, not only for us but for our customers, to build trust with individuals and to put individuals at the centre of our businesses so we can make sure that we are respecting their privacy."
Salesforce took a deep look at its privacy programmes and formalised a number of the practices that were already in place, such as implementing a comprehensive data protection impact assessment strategy.
Read next: How are companies preparing for GDPR?
To make everyone aware of their data protection responsibilities, Salesforce launched a "Trailhead" learning module on GDPR to help both staff and customers learn about the regulation and EU privacy law.
Finch says that embedding a culture of privacy across the company has been key to compliance, as this creates a collective buy-in and ensures every employee understands their responsibilities.
"Privacy can't just be the job the privacy team," she says. "This is really something that is everyone's role, and companies need to be building a culture of privacy. That's really going to set companies up for success to comply not only with GDPR but also any future privacy laws."
The GDPR journey
Salesforce is well-prepared ahead of the 25 May GDPR implementation date, but Finch describes GDPR as an ongoing journey rather than a race to a finish line.
Her plan is to review data protection practices and privacy policies on an ongoing basis to maintain customer trust.
"We really believe that when a company is putting their end customers at the centre of everything they do, that's actually a really great blueprint for complying with GDPR, because if you're putting an individual at the centre of everything you do you're going to respect their preferences," she says.
"If they say that they want to have their data deleted or they only want to be contacted about certain things, that's really going to lead to the customer's success and trust."