Power to the Individual

5th February, 2018


Identity

  1. The fact of being who or what a person or thing is.
    1. The characteristics determining who or what a person or thing is.
    2. (of an object) serving to establish who the holder, owner, or wearer is by bearing their name and often other details such as a signature or photograph.

Before exploring the Individual, it is best to take a step back and look at the trends in Identity over the last few years. It’s safe to say that Identity and Access Management (IAM) has moved forward in leaps and bounds in its mission to abstract the user from a single tool or application.

This is demonstrated, in its most basic form, by the phenomenon that is Social Login – we can now, as users, register/login to an immense number of 3rd party websites using authentication from our Google or Facebook accounts.

A common theme around IAM is “giving the right people the right access to the right resources at the right time.” By abstracting the User from the platform, we are able to give the User the correct access to the systems they need, at the right time.

If you would like to learn more about Identity and Access Management, check out the Identity trail on Trailhead!

Abstracting the “Individual”

The Spring ’18 Salesforce Release brings a new standard object into our orgs, the Individual. This is used as a system of record for tracking a contact’s personal data preferences and potentially Personally Identifiable Information.

The Individual object is accessed via a Lookup Relationship with a Lead or Contact.

  • Personal Information
    • Name
    • Birthdate
    • Individual’s Age
      • 13 and over
      • 16 and over
  • Preferences
    • Ok to Store PII Data Elsewhere
    • Don’t Process
    • Don’t Profile
    • Don’t Market
    • Don’t Track
  • Actions
    • Block Geolocation Tracking
    • Export Individual’s Data
    • Forget this Individual

In my opinion, relative to the progressing trends in identity, the individual is the first step in abstracting Personal Data from your contacts. The clear indicators of this are the fields for Birthdate & Age, as well as the preferences that it is Ok to Store PII Elsewhere. It would be my assumption that the idea is for you as an organisation to move any sensitive data away from the contact object and onto the individual.

How it works

The object is now available in Spring ’18 Pre Release and Sandboxes, but it is not enabled by default. You must navigate to Setup > Company Information > Data Protection & Privacy to activate the feature. Once enabled, you will have access to the Individual in your object manager, and a lookup field will be exposed on both the contact and lead objects.

When you navigate to a contact or lead record, you can then create a new Individual via the lookup field. It is important to understand that this object is only used as a system of record. For example, by setting the “Don’t Process” field to TRUE, you are not activating some magic feature that will stop the processing of data. All that you have done is set a checkbox to TRUE; it is up to your organisation to define the methods by which you manage personal data.
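As an added illustration (not code from the original post or from Salesforce), this Apex class shows one way an org could enforce those checkboxes itself before a marketing send. The field API names are the standard Individual fields behind the “Don’t Process”, “Don’t Market” and “Forget this Individual” labels and should be confirmed in your org’s Object Manager; the class name and the choice to hold back contacts that have no linked Individual are assumptions.

```apex
// Added example: the platform only stores the flags, so the check lives in your own code.
// Class name and fail-closed policy are hypothetical choices, not a Salesforce feature.
public with sharing class IndividualPreferenceGate {

    // Outcome of the check, kept in three buckets so each can be audited.
    public class Result {
        public List<Contact> allowed      = new List<Contact>();
        public List<Contact> blocked      = new List<Contact>();
        // Contacts with no Individual record: no recorded preference at all.
        public List<Contact> noIndividual = new List<Contact>();
    }

    // Splits the given contacts by whether marketing to them is permitted.
    public static Result forMarketing(Set<Id> contactIds) {
        Result r = new Result();
        for (Contact c : [
            SELECT Id, Email, IndividualId,
                   Individual.HasOptedOutProcessing,  // "Don't Process"
                   Individual.HasOptedOutSolicit,     // "Don't Market"
                   Individual.ShouldForget            // "Forget this Individual"
            FROM Contact
            WHERE Id IN :contactIds
        ]) {
            if (c.IndividualId == null) {
                // Assumption: fail closed. An unlinked contact is not treated
                // as consenting; it is routed for review instead.
                r.noIndividual.add(c);
            } else if (c.Individual.HasOptedOutProcessing
                    || c.Individual.HasOptedOutSolicit
                    || c.Individual.ShouldForget) {
                r.blocked.add(c);
            } else {
                r.allowed.add(c);
            }
        }
        return r;
    }
}
```

Only the `allowed` list should reach the send; the `noIndividual` list shows how many existing contacts still need an Individual record created.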

The Role of the Processor

While many organisations have been looking to Salesforce to solve all of their compliance woes, that is not necessarily the obligation of the Processor. You must keep in mind that every organisation has its own means of managing compliance activities and will always have its own ways of working.

As a data processor, Salesforce has 3 key responsibilities to their customers.

Keeping themselves compliant
They have a responsibility to comply with the regulation internally, and as such a large organisation, I can’t even begin to imagine the scope of work necessary to keep themselves in line.

Enabling their product
They have an inherent requirement to make sure their product is compliant. They are required to give their customers the tools and framework to keep themselves compliant while using their product.

Educating their customers
Lastly, they have the requirement of keeping their customers informed. As Salesforce is a tool that lets you process heaps of personal data with a few clicks, they must provide the proper information and training to their customers so that they are aware of the regulation.

A few examples of this available now are:

  • The European Union Privacy Law Trailhead Module
  • Data Protection & Privacy Documentation
  • Data Processing Addendum

In theory, we are given the Framework (Individual Object), Tools, and Education to begin building our compliance programme.

Limitations 

UPDATED for Summer ’18

While I believe the implementation of the “individual” is correct, there are a few standout limitations that I would like to point out.

  1. When activating the feature, the individual records are not created for the contacts in your org. While this is only a minor inconvenience, it is a bit crazy to think that I have to go backwards to create a record for each contact that already exists.
  2. Very similarly, after activation, you must create the individual record manually. The one aspect of this that I found quite annoying was having to type in a contact’s First and Last name on the contact record, then manually retype the same name when creating the individual object seconds later. Obviously this can be sorted with process automation, but it is important to note that you must design this process yourself.

One opportunity that point 3 poses is the advantage that may come from relating an individual to multiple contacts. When working in government, it is often seen that a contact will have roles within multiple organisations. In these instances, it is now practice to enable Contacts to Multiple Accounts and specify the primary account relationship.

With the individual, we can now approach this scenario in a different manner. If we use the individual as a hub for a contact’s personal information, we can abstract that into the unique (shall we say) Identity of the contact. In this use case, we can actually benefit from creating multiple contacts against the different accounts that all relate back to the single identity. While currently this is just a theory, it will be very interesting to test in practice.

Summer 18 Update

  1. You can now use workflow and process builder! But I would suggest that you not automate things like the “right to be forgotten” until you have a tried and tested business process in place.
  2. You still can’t update the Lightning page layout of the Individual.

Let us know how you’re using the Individual Object! 

I would LOVE to hear how you or your organisation plans on implementing the Individual! This really changes the way that we manage personal data and preferences and gives us the opportunity to be very forward thinking with our governance programmes.

About the Author

Stephan Garcia

Stephan's experience in data protection stems from early exposure to HIPAA in the medical space. Over the last 5 years, he has shifted his focus onto the Salesforce.com platform. Combining his experience of CRM and data compliance, he feels right at home when talking about the GDPR.