Breaking Down Personal Data

7th August, 2017

Over the last decade, the use of data has changed the way that we do business. When we look at marketers, they are using extraordinary amounts of data to provide real-time insights and very specific targeting. We have built tools and applications that give us the ability to build a 360-degree view of our customers. While this provides great benefit to the business, it is not necessarily beneficial to the customer. Some might even say that we are in an era of vulnerability and that we have lost control of our personal information.

One of the key roles of the GDPR is that it claims to give the power back to the individual by taking it away from the business. So how does this then fit in with your marketing strategy of lead generation and large scale analytics?

Well, it doesn’t. 

We are now at a place where we need to rethink our consumption of data and bring it forward into the next generation of business applications.

What makes the GDPR so forward thinking is that it takes the definition of Personal Data and widens it to include ANY data that could be used to identify an individual. Unlike most data protection rules, this also includes B2B data, like a work email address and job title.

Let’s take a look at the definitions within the regulation.

Personal Data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

While these definitions may seem scary, let’s break these down into simple terms and identify what they would look like within Salesforce.

  1. Personal Data – any data that can be used to identify an individual. This can be a piece of information such as a name, email address, phone number or even someone’s IP address. This would generally pertain to your Lead & Contact records.
  2. Processing – any type of automated data processing. An example of this would be saving a Contact record and attaching it to an Account.
  3. Profiling – using the data provided and creating a profile that includes data not initially provided. This would be using a workflow rule to set a status or assigning a lead score.

At first sight this may seem like the end of CRM as we know it, but there are still a few things we can do to help. Thankfully, as a Salesforce user, you are in the best situation going forward as you have easy access to your personal data processing.

There are three roles that you must understand before you can truly understand the GDPR. They are the Data Processor, Data Controller, and the Data Subject.

Data Processor

Any entity that is responsible for processing personal data under the controller’s instruction.

Data Controller

Any organisation that is responsible for the processing of personal data.

Data Subject

Any individual who is having their data processed.

Each of these roles plays a key part in the data lifecycle.

The Processor’s key responsibility is to make sure that their customer, the Data Controller, is aware of the regulation and assist them in making sure that their application is GDPR compliant.

The Controller’s key responsibility is to make sure that they have the correct permissions to use the personal information of the Subject as well as keep them informed of their practice.

The Subject’s key responsibility is to keep the Controller accountable for their actions.

The Processor
It is the job of the Processor to make sure that the Controller has the knowledge to comply with the GDPR and to make sure that their product is also compliant. We are now starting to see many large organisations acknowledge the regulation and begin to educate their customers – Read Google Cloud Platform’s stance on the GDPR

Let’s take a look at Salesforce as the Processor:

Who is the Processor?

What is their relation to the GDPR?
The Salesforce platform easily allows its users to frivolously process personal data without any requirements on consent.

What steps are they taking?
Salesforce have taken a multi-layered approach to distributing their GDPR content:

  • For the general customers, they have created a page on their website to store all of their GDPR resources. They have done a very good job of breaking down the language and making it easier to understand for their customers.
  • For the legal experts, they have published an addendum on data protection that will address more of the legal issues.
  • For Salesforce experts, they have released a module on Trailhead that walks through the general principles of the GDPR.

The Controller
It is the job of the Controller to make sure that they are compliant with the GDPR and have made clear to the customer. Unfortunately, there is far too much for you to do to include it in a breakdown.

The first step you can take is to document your process. Check out our blog on the first 5 steps that any Admin should be taking!

The Subject
You are the subject in many cases! It is your responsibility to keep the organisations you deal with accountable!

If you have any questions or would like to contribute content, please email us at [email protected]

About the Author

Stephan Garcia

Stephan's experience in data protection stems from early exposure to HIPAA in the medical space. Over the last 5 years, he has shifted his focus onto the platform. Combining his experience of CRM and data compliance, he feels right at home when talking about the GDPR.