Salesforce is one of the most widely used customer relationship management platforms in the world. It stores and processes vast amounts of personal data across marketing, sales, and support functions. For organisations operating in the European Union or handling data from EU citizens, implementing GDPR requirements in Salesforce is essential for compliance.
This guide offers a practical overview of aligning your Salesforce instance with GDPR standards and protecting the personal data of your customers and leads.
1. Salesforce users are responsible for GDPR compliance
While Salesforce provides secure infrastructure, your organisation remains the data controller and must configure the platform to meet GDPR requirements.
2. Consent, purpose, and data minimisation must guide your setup
Every piece of personal data collected in Salesforce should have a clear legal basis and purpose. Only necessary data should be stored, and consent should be recorded and managed.
3. Salesforce must support subject rights and secure data practices
You must ensure Salesforce can handle access, correction, and deletion requests. Data access should be restricted, audit trails should be enabled, and breach response plans must be in place.
Salesforce stores names, email addresses, phone numbers, purchase histories, and other personal identifiers. Under GDPR, all of this is classified as personal data. If you are collecting or processing data on individuals in the European Union or European Economic Area, GDPR applies regardless of where your organisation is located.
Salesforce acts as a data processor. Your organisation, as the data controller, is responsible for how personal data is collected, stored, and used. You must configure Salesforce correctly and ensure that your use of the platform aligns with the principles of the GDPR.
Before capturing data in Salesforce, identify the lawful basis for processing it. Common options include:
• Consent from the data subject
• Fulfilment of a contract
• Legal obligation
• Legitimate interest, provided it does not override the individual’s rights
Each data point entered into Salesforce must have a clear purpose and legal basis. This should be documented and linked to the relevant contact or lead record.
Salesforce can hold an unlimited number of fields, but GDPR requires you to collect only what you truly need. Avoid collecting sensitive data unless absolutely required and clearly justified.
Include custom fields to track whether an individual has given consent for marketing communications, data sharing, or profiling. Ensure that consent is documented with the date, method, and scope.
Create policies that define the duration for which personal data will be stored. Use Salesforce’s automation tools to delete or anonymise data after a defined period.
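As an added example (not code from this guide or from Salesforce), the consent fields and retention step described above can be implemented as a scheduled Apex batch that anonymises Contacts with no recorded consent and no activity within the retention period. The custom fields Consent_Given__c and Anonymised_Date__c, and the 730-day period, are assumptions for illustration.

```apex
// Added example: consent-aware retention job for Contact records.
// Assumed custom fields: Consent_Given__c (Checkbox), Anonymised_Date__c (Date).
// Standard fields used: FirstName, LastName, Email, Phone, Description,
// LastActivityDate, CreatedDate.
public with sharing class GdprRetentionBatch implements Database.Batchable<SObject>, Schedulable {

    // Retention period in days; document the chosen value in your records of
    // processing. 730 is an assumed value for this example.
    private static final Integer RETENTION_DAYS = 730;

    public Database.QueryLocator start(Database.BatchableContext bc) {
        Date cutoff = Date.today().addDays(-RETENTION_DAYS);
        Datetime cutoffDt = Datetime.now().addDays(-RETENTION_DAYS);
        // In scope: no active consent, created before the cutoff, and no activity since it.
        return Database.getQueryLocator([
            SELECT Id, FirstName, LastName, Email, Phone, Description
            FROM Contact
            WHERE Consent_Given__c = false
              AND CreatedDate < :cutoffDt
              AND (LastActivityDate = null OR LastActivityDate < :cutoff)
        ]);
    }

    public void execute(Database.BatchableContext bc, List<Contact> scope) {
        for (Contact c : scope) {
            // Anonymise rather than delete so related records stay consistent;
            // blank every direct identifier (LastName is required, so overwrite it).
            c.FirstName = null;
            c.LastName = 'Anonymised';
            c.Email = null;
            c.Phone = null;
            c.Description = null;
            c.Anonymised_Date__c = Date.today();
        }
        // allOrNone = false: one failing record does not roll back the batch,
        // and each failure is logged for follow-up instead of being dropped.
        List<Database.SaveResult> results = Database.update(scope, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR,
                    'Anonymisation failed for ' + scope[i].Id + ': ' + results[i].getErrors());
            }
        }
    }

    public void finish(Database.BatchableContext bc) {}

    // Schedulable entry point, e.g. nightly at 02:00:
    // System.schedule('GDPR retention', '0 0 2 * * ?', new GdprRetentionBatch());
    public void execute(SchedulableContext sc) {
        Database.executeBatch(new GdprRetentionBatch(), 200);
    }
}
```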
Use Salesforce’s audit trail and field history tracking features to log changes to personal data. This ensures transparency and accountability, helping to demonstrate compliance during an audit.
Use role-based permissions and sharing rules to restrict access to personal data within Salesforce, so that only authorised users can view or edit it and sensitive or confidential information is limited to the personnel who need it.
Ensure that forms integrated with Salesforce, such as web-to-lead forms or email sign-up forms, include GDPR-compliant language. Individuals must know what data is being collected, for what purpose, and how to exercise their rights.
You must be able to locate and provide a copy of the personal data stored in Salesforce when requested by the individual. This includes contact records, activity history, and any communication logs.
Individuals have the right to request corrections to their data. Ensure that data entry processes allow for easy updates and that changes are reflected across all integrated systems.
If a person requests to have their data deleted and you have no lawful reason to retain it, you must delete the data from Salesforce. Use built-in deletion tools and custom automations where appropriate.
Salesforce should be configured to flag contacts who object to processing or wish to be excluded from specific types of communication. This can be managed using opt-out fields and Process Builder flows.
Many organisations use third-party applications that connect to Salesforce. These tools must also be GDPR-compliant. Review their privacy policies, processing agreements, and data handling practices to ensure compliance.
If you use external vendors to process data through Salesforce, you must have a written agreement in place that defines their role and responsibilities under GDPR.
Enable multi-factor authentication, restrict IP ranges, and monitor logins to prevent unauthorised access. Utilise Salesforce Shield or similar tools for enhanced data protection as needed.
Conduct periodic access reviews to ensure that users only have access to the data they need for their roles.
In the event of a data breach involving Salesforce data, you must notify the relevant supervisory authority within 72 hours if there is a risk to individual rights. Prepare a clear plan that includes identification, containment, and communication procedures.
If your organisation handles large volumes of personal data or conducts systematic monitoring, a Data Protection Officer may be required. The DPO is responsible for overseeing GDPR compliance, advising teams, and serving as a liaison with regulators.
Assign clear ownership over Salesforce data management, including data entry, compliance checks, and subject access requests.
Salesforce offers powerful tools for managing customer data, but with that power comes responsibility. By implementing GDPR best practices in your Salesforce setup, you can mitigate legal risk, enhance transparency, and foster stronger relationships with your customers built on trust.
Data protection is not just a legal requirement. It is a competitive advantage in a market that increasingly values privacy and accountability.
• Identify what personal data is stored in Salesforce, where it comes from, and how it is used.
• Add fields and workflows to document consent for different types of communication.
• Ensure all forms feeding into Salesforce are GDPR-compliant and provide clear privacy information.
• Create standard operating procedures for locating, updating, or deleting data upon request.
• Regularly evaluate system access, encryption, and incident response capabilities.
Is Salesforce automatically GDPR-compliant out of the box?
No. While Salesforce offers GDPR-supportive tools, your organisation is responsible for configuring the platform to meet GDPR requirements, including consent tracking, access controls, and retention rules.
How can I track consent in Salesforce?
You can create custom fields to record consent status, date, method of collection, and scope. Automations and workflows can help manage opt-ins and opt-outs across different communication channels.
What should I do if a customer asks to delete their data?
You must locate and delete their personal data from Salesforce, unless you have a valid legal reason to retain it. This includes contacts, leads, and related activity history, depending on the nature of the request.