5 Steps to take now!

7th August, 2017

As a Salesforce Admin, you are often the fearless leader of personal data in your organisation. You are the admin, developer, change manager, trainer and standalone superhero! While IT may have security rules and regulations, it is very easy for organisations to let Salesforce slip outside of those. Through discussions with Admins all over the UK, I have put together this list of my top 5 tips that Admins can start using now!

Do you have any GDPR tips or experiences to share as an admin?
Tweet us using this link and share how you’re getting #GDPRReady

1. Map out where personal data exists within your organisation

It’s very important that you have a solid understanding of where personal data may sit within your organisation. The GDPR gives individuals the right to access the personal data you hold about them and, in many circumstances, to have it erased on request; you cannot honour either right if you do not know where that data lives.

Refer to our breakdown of data in order to understand what is considered personal data.

While your business may be running multiple programmes in relation to the GDPR it is important that as a Salesforce Admin, you are prepared.

You can begin by taking each of your objects (and the fields on them) and sorting them into these three categories.

  • Non-personal data
    • Data that does not trace back to a living person
  • Personal data
    • Data that traces back to a living person
  • Sensitive personal data
    • Data about a living person that reveals things such as their ethnicity, political opinions, religious beliefs, trade union membership, or health and medical information (the GDPR calls this "special category" data and puts extra conditions on processing it)


You must then communicate this map to your Data Protection Officer or whoever is in charge of security at your organisation.

2. Create a Data Story

The GDPR enforces much stricter governance over the ways that you store and manage Personal Data. Two of the main aspects of this are understanding where the data has come from and when it is no longer needed. It is safe to say that most organisations create Contacts within Salesforce and just leave them there, unattended, for years on end; a habit that could cause serious financial damage to your organisation if you do not do something about it.

Start with the entry point of the data
You must be able to state exactly where the data has come from and why you have it in the first place.

Here are some fields you can use to record the origin of each record:

  • Source
    • If this is a website, I suggest also storing the URL that the registration was created from
  • Date/Time of Creation
  • Opt-in Status
  • Purpose of this Record
    • Are they a potential customer? Newsletter subscriber?

The Customer Journey
Now that you have acquired the data, every business will put it to a different use. Some businesses are trying to sell you a product, some are trying to recruit you, and each will be unique. No matter the type of business, though, you will have an internal understanding of whether someone is a lead, a customer, or just dark data.

Plan your exit
Identify the point in the lifecycle at which the personal data is no longer needed.

A few examples of points at which the data should be deleted are when:

  • Their contract has ended
  • They have declined to speak to you
  • They have repeatedly not opened your newsletters

Warning: your Chief Marketing Officer (CMO) may try to convince you that the data is required for reporting, but I can guarantee you that the ICO would not agree!
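The entry-point fields and the exit rules above together describe a retention check that can be run on a schedule. The following is an added example, not code from the original post or from Salesforce; it is written in Python so it runs offline over a constructed list of contacts, whereas in a real org the same logic would live in a scheduled Apex job or a script talking to the Salesforce API. The retention periods, the `purpose` values and the `Contact` fields are assumptions for illustration; the actual periods must come from your legal team or DPO.

```python
"""Retention check over a constructed list of CRM contacts (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical retention policy; real periods come from your legal team or DPO.
RETENTION_AFTER_CONTRACT_END = timedelta(days=6 * 365)  # keep ex-customers for ~6 years
PROSPECT_INACTIVITY_LIMIT = timedelta(days=365)         # cold leads expire after a year
UNOPENED_NEWSLETTER_LIMIT = 12                          # consecutive unopened mailings


@dataclass
class Contact:
    """The provenance and lifecycle fields the text recommends recording (assumed names)."""
    contact_id: str
    source: Optional[str]          # where the record came from: "web-form", "event", ...
    source_url: Optional[str]      # registration URL, if the source was a website
    created_at: Optional[date]
    opt_in: bool                   # has the person agreed to be contacted?
    purpose: str                   # "customer", "prospect" or "newsletter"
    contract_end: Optional[date] = None
    last_interaction: Optional[date] = None
    declined: bool = False         # person has asked not to be contacted
    unopened_newsletters: int = 0  # consecutive newsletters with no open


def evaluate(c: Contact, today: date) -> Tuple[str, str]:
    """Return (action, reason) where action is 'delete', 'review' or 'retain'."""
    # Provenance first: a record whose origin cannot be explained cannot be justified.
    if not c.source or c.created_at is None:
        return "review", "origin of record is undocumented"
    if c.declined:
        return "delete", "person has declined contact"
    if c.purpose == "customer":
        if c.contract_end and today > c.contract_end + RETENTION_AFTER_CONTRACT_END:
            return "delete", "retention period after contract end has expired"
        return "retain", "active or recently ended customer relationship"
    if c.purpose == "newsletter":
        if not c.opt_in:
            return "delete", "no opt-in recorded for newsletter"
        if c.unopened_newsletters >= UNOPENED_NEWSLETTER_LIMIT:
            return "delete", "newsletters repeatedly unopened"
        return "retain", "subscribed and engaged"
    if c.purpose == "prospect":
        last = c.last_interaction or c.created_at
        if today - last > PROSPECT_INACTIVITY_LIMIT:
            return "delete", "prospect inactive beyond limit"
        return "retain", "prospect recently active"
    return "review", f"unknown purpose {c.purpose!r}"


def plan_exit(contacts: List[Contact], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group contact ids by action so the admin can review the plan before deleting."""
    plan: Dict[str, List[Tuple[str, str]]] = {"delete": [], "review": [], "retain": []}
    for c in contacts:
        action, reason = evaluate(c, today)
        plan[action].append((c.contact_id, reason))
    return plan


# Constructed sample records for the example; not real data.
TODAY = date(2017, 8, 7)
SAMPLE_CONTACTS = [
    Contact("C1", "web-form", "https://example.com/signup", date(2016, 9, 1), True, "newsletter", unopened_newsletters=3),
    Contact("C2", "web-form", "https://example.com/signup", date(2015, 1, 10), True, "newsletter", unopened_newsletters=14),
    Contact("C3", "event", None, date(2014, 3, 5), False, "newsletter"),
    Contact("C4", "sales-call", None, date(2010, 1, 1), True, "customer", contract_end=date(2011, 1, 1)),
    Contact("C5", "sales-call", None, date(2016, 1, 1), True, "customer", contract_end=date(2017, 6, 30)),
    Contact("C6", "web-form", "https://example.com/demo", date(2016, 2, 1), True, "prospect", last_interaction=date(2016, 3, 1)),
    Contact("C7", "web-form", "https://example.com/demo", date(2017, 5, 1), True, "prospect", declined=True),
    Contact("C8", None, None, date(2013, 1, 1), True, "prospect"),
]

if __name__ == "__main__":
    for action, rows in plan_exit(SAMPLE_CONTACTS, TODAY).items():
        for contact_id, reason in rows:
            print(f"{action:7} {contact_id}: {reason}")
```

Note that the check produces a plan to review rather than deleting anything itself: records with no recorded source are flagged for investigation instead of being silently kept, and every deletion carries the rule that triggered it, which is the audit trail you will want when the DPO or the CMO asks why a Contact disappeared.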

3. Review your Privacy Policy

It is very important that you review both your website's Terms and Conditions and your Privacy Policy with your organisation. The more people I speak to, the fewer of them know where these came from or who actually wrote them, and this is more common in small and medium businesses than in large ones.

I challenge you to sit down with your legal team and work out where your data processing practices should be described in the Privacy Policy.

Privacy Notices Guidance provided by the ICO

4. Start a Discussion

Sit down with your manager and explain the need for your organisation to start taking the GDPR seriously. If they are already aware, then consider yourself very lucky! Security is an important topic, yet it is sometimes a difficult one to broach. As members of the organisation try to understand the impact that the GDPR has, they will go through something close to the five stages of grief!

The first of those is denial: it is becoming very common simply to dismiss the regulation. A friend of mine recently came to me and mentioned that all of her clients had just assumed that, due to Brexit, the GDPR was no longer relevant to the UK. I have also heard horror stories about organisations deliberately choosing ignorance.

It also instils anger into marketing teams everywhere! I was once shouted down while speaking at an event because the person just didn’t understand why the changes are coming.

While there are many more stages, eventually they will make it to acceptance. Once you have really broken through, you can have very meaningful discussions and finally get on with planning and preparation. It is quite exciting to see the transformation from trying to do anything to avoid it through to understanding and problem solving within it.

5. Plan your training

Sadly, there is no silver bullet for making sure that your Salesforce org is compliant; compliance is going to come from the actual day-to-day usage of Salesforce in your organisation. Make sure that you, as the Admin, understand the basics of the GDPR and can educate your users on them too. It is very helpful to break down the regulation into words that your users will understand in relation to Salesforce.

Some things you can get together are:

You would be surprised how far a bit of education can go!

About the Author

Stephan Garcia

Stephan's experience in data protection stems from early exposure to HIPAA in the medical space. Over the last 5 years, he has shifted his focus onto the Salesforce.com platform. Combining his experience of CRM and data compliance, he feels right at home when talking about the GDPR.