Emails are a big component of most marketing campaigns. Marketing automation systems like Marketo, Pardot and Eloqua, or CRMs like Salesforce, make it easy to send large volumes of email to customers and prospects. With the GDPR compliance deadline quickly approaching, companies must be aware of, and prepared for, the regulations that will soon be put in place. If you send an email to a citizen in one of the 28 countries in the European Union (EU), you have to remember that those citizens have a right to request that their personal information be deleted from your database.
Companies are now legally responsible for deleting a customer's or prospect's personal information from their marketing automation and CRM systems if asked to. This includes every third-party integration that has a copy of the company's customers' and prospects' personal information, including their email addresses, phone numbers, birth dates and names.
Every Salesforce integration will now require your immediate attention.
Click-to-dial apps, data enrichment apps, and any sales performance apps must be considered and evaluated to verify where their information is sourced from. If any application touches personal information that is not permission-based, such as Salesforce Leads or Contacts, you are responsible for making sure the Salesforce partner deletes all of it.
In order to make sure that your company is 100% compliant with GDPR, you will first need to identify all of your Salesforce vendors and partners. There are three ways Salesforce partners can connect to your Salesforce, and retrieve and provide personal data relevant to GDPR.
1) Installed Apps with Apex Callouts and Remote Sites which send data to an external server outside Salesforce.
When installing a Salesforce app from the AppExchange, you should be prompted with a popup window to “Add Remote Site”. This allows the installed app to send data to a remote server.
Once added, these Remote Sites are shown in Salesforce Setup.
2) Connected Apps via OAuth which have access to personal information in Salesforce.
3) API Access for web applications which call Salesforce APIs to retrieve data.
It is recommended that your company have a dedicated Salesforce User for each API connection. You can search your Salesforce Users to find all API users.
Now that you have all the Salesforce Partners identified, document which ones have access to personally identifiable information (PII) such as Leads and Contacts.
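One way to consolidate the three connection types above into a single partner inventory, as an added example that is not part of the original post or any Salesforce tooling. The sample rows are constructed, and the dictionary keys (`name`, `url`, `active`, `app`, `user`, `username`, `objects`) are assumed export column names, not Salesforce field names.

```python
from urllib.parse import urlsplit

PII_OBJECTS = {"Lead", "Contact"}  # the PII-bearing objects the post names

# Constructed sample exports; the keys are assumed column names, not Salesforce fields.
REMOTE_SITES = [
    {"name": "DialerApp", "url": "https://api.dialer.example/v1", "active": True},
    {"name": "OldEnrich", "url": "https://enrich.example/push", "active": False},
]
CONNECTED_APPS = [
    {"app": "Enrich Connector", "user": "enrich.api@corp.example"},
    {"app": "Report Viewer", "user": "reports.api@corp.example"},
]
API_USERS = [
    {"username": "enrich.api@corp.example", "objects": ["Lead", "Contact", "Account"]},
    {"username": "reports.api@corp.example", "objects": ["Opportunity"]},
    {"username": "webform.api@corp.example", "objects": ["Lead"]},
]

def pii_status(objects):
    """Return ('yes'|'no', sorted list of PII objects the integration can read)."""
    hits = sorted(PII_OBJECTS & set(objects))
    return ("yes" if hits else "no"), hits

def build_inventory(remote_sites, connected_apps, api_users):
    access = {u["username"]: u["objects"] for u in api_users}
    rows, app_users = [], set()
    for site in remote_sites:
        # A Remote Site names only the endpoint, not the data sent to it, so it
        # always needs vendor review; inactive sites may have received data earlier.
        rows.append({"channel": "remote_site", "name": site["name"],
                     "detail": urlsplit(site["url"]).hostname,
                     "pii": "review", "objects": []})
    for app in connected_apps:
        app_users.add(app["user"])
        # Unknown user: object access cannot be determined from the exports.
        status, hits = pii_status(access[app["user"]]) if app["user"] in access else ("review", [])
        rows.append({"channel": "connected_app", "name": app["app"],
                     "detail": app["user"], "pii": status, "objects": hits})
    for user in api_users:
        if user["username"] not in app_users:  # API-only integration user
            status, hits = pii_status(user["objects"])
            rows.append({"channel": "api_user", "name": user["username"],
                         "detail": "direct API access", "pii": status, "objects": hits})
    return rows

if __name__ == "__main__":
    for row in build_inventory(REMOTE_SITES, CONNECTED_APPS, API_USERS):
        print(row)
```

Rows marked `review` are the ones to take to the vendor first, since the exports alone cannot show what personal data left Salesforce.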
My next blog on GDPR, Salesforce Partners, will help you determine if your Salesforce partners are GDPR compliant.
Next Blog: Email me at Steve@RingLead.com to be updated on my next blog.