Salesforce's GDPR DPO preps partners, customers for compliance

With GDPR mandates in effect, Salesforce's senior vice president of global privacy and the product legal team, Lindsey Finch, is taking the reins as the company's inaugural GDPR-mandated data protection officer (DPO).

In this Q&A, Finch, Salesforce's new GDPR DPO, shares what the company has done to get ready for the transition and how it will support its customers and partners through the change. She also mentions the silver lining that GDPR compliance can bring to Salesforce and its customers.

What were you doing before, and how does that relate to your new role as the GDPR DPO at Salesforce?

Finch: I've been at Salesforce for about 10-and-a-half years, and I was originally hired as the company's first privacy lawyer. I have built out the privacy function at Salesforce, and I also lead the product legal team, which partners with our technology and products organization to review all of our products for a variety of legal issues, including privacy.

Lindsey Finch

My team's role has always involved making sure that Salesforce complies with privacy laws and to help our customers' compliance [when] using our services. The DPO designation is really a natural outgrowth of the program that we have built.

How is the designation of being GDPR DPO changing what you do?

Finch: It's a natural outgrowth of what I've already done. I think if there's any shift, it's really formalizing who the regulators contact to the extent they have any questions or concerns.

What are the special challenges for a large company's GDPR DPO?

Finch: Salesforce acts as both a controller and a processor. What makes us unique is that, like pretty much every company, we have employees, we have customers and we have prospective customers. We are, of course, engaged in processing personal data about those groups to have a business relationship with them. From a human resources standpoint, that includes recruiting and processing benefits -- making sure that our employees are paid.

In terms of our customers and prospective customers, that includes maintaining a business relationship with them about selling our products and services and being in touch with them about updates to our services. That's the controller side that pretty much every company is going to have to work through as it relates to GDPR. We have to ensure we are compliant in delivering our services to our customers.

But we also are partnering with our customers to make sure that they can use our services in a compliant manner and to make available to them technologies, as well as other resources, which we have many [of] on our GDPR website to help facilitate their compliance in using our services.

What's been the most important thing you've learned during the ramp-up process to GDPR?

Finch: As we've gone about getting ready for GDPR, there was a lot of work in terms of taking this incredibly rich text and boiling it down into principles that we can then partner with our technology team to essentially audit against to make sure that we are compliant.

What we found as we went through that process over the last couple of years is that all of the investments that we had made in our privacy and our security program over the years had very well situated us for the GDPR. We found that we were actually in really great shape.

How do you describe privacy? What exactly do you intend to protect?

Finch: When I think of privacy, or how we look at privacy at Salesforce, it's really about the protection and use of personal data and organizations being accountable. That's also really what's at the heart of GDPR. So, first, if we think about it from a protection standpoint, that's really making sure that only people who are authorized to access and use data have the ability to do so.

It's also about giving individuals rights around their data and how that's used. What information about them is collected? What choices do they have?

And then finally is organizational accountability. There are a lot of companies involved in processing personal data and they need to be accountable for how they're using that information.

What advice do you have for Salesforce customers struggling to create their own compliance plans?

Finch: We see the May 25^th date as an important bookmark, but it's really about the ongoing journey. This is not something that's going to have an end date in mind.

The first thing we recommend doing is building a cross-functional team and getting buy-in across the organization. Most programs that are successful do not say that privacy and GDPR are the responsibility of one or even two functions. It's really partnering across the business, whether it's human resources, sales or marketing.

We see the May 25th date as an important bookmark, but it's really about the ongoing journey. This is not something that's going to have an end date in mind.

It also involves having a candid conversation about the types of personal data that the company processes, and then really getting an inventory around that and figuring out what are the next steps.

The next step lies in completing a gap analysis. This involves exploring the complexity of GDPR, breaking it down in terms of what it means for a particular company's business and seeing where there might be weaknesses. A risk-based approach to that gap analysis is key because GDPR is incredibly long and complex, and it can be easy to get caught up in some of the details. I highly recommend that a company just starting out with this looks at it from a risk-based perspective.

In terms of going through that process, the GDPR uses the term data protection impact assessment, or a DPIA. This is mandated by the GDPR for certain types of processing of sensitive personal data or certain types of large-scale processing. But even where a DPIA is not required by the GDPR, it can be a helpful methodology to be considering one's privacy practices around processing personal data.

We have published template DPIAs for each of our products on our GDPR website to help our customers as they are looking at their Salesforce implementations. But these templates can also be used as a baseline for any other business process, as well.

How are you interacting with AppExchange partners to confirm that they are GDPR compliant?

Finch: We have been closely partnering with them on GDPR. For example, last week I was in London, and we had a partner forum where we addressed GDPR. We've also had several webinars working through with partners how we are going about GDPR. What is our responsibility? What's their responsibility? And sharing tips and best practices. So, it's been a very important part of our program overall.

Do you have a formal process in place? Or you're just having conversations about it and getting GDPR awareness into the business ecosystem around AppExchange?

Finch: Depending on the type of partner that they are, whether they've built something on the AppExchange or if they're an OEM, there are some legal complexities in terms of whose obligations are whose under the GDPR. We've been working with each of these types of partner groups to help inform them around their responsibilities and truly set them up for success.

What verticals do you think are going to be most impacted by GDPR and how?

Finch: Every one of our products is used by our customers to process personal data. Some definitely more so than others, but our GDPR program has encompassed every one of our products. Each of them has been through a very rigorous review by my team, our compliance team, and our technology and product organization.

We found that we were in great shape overall, but we have some exciting announcements that we have made around specific product functionality that we've made available.

The first is related to Salesforce Platform and Sales, Service and Community Cloud, which is called the Individual object. Right now, any given customer of ours could appear in that customer system as a lead, an opportunity or as a contact, and those might not relate to one another. The Individual object allows our customers to correlate those other different objects into one object. This makes it possible to manage your requests around how you're contacted and what's done with your data in one place.

On the data management platform or DMP side, we are introducing a very granular consent model that our customers can turn on either across all their use of the DMP or as it specifically relates to EU contacts to ensure that [we] are capturing and honoring consent where they would like to.

What's the history of GDPR? Who put the idea in place and why did it start in Europe versus the U.S. or some other country?

Finch: Europe has had a very different view than the United States in terms of privacy, viewing it as a fundamental human right that largely stems [from] some of the misuse of personal data that happened during World War II.

The idea of data protection and privacy as a human right has been enshrined in various EU laws. When the EU came together in the 1990s, the 1995 EU Data Protection Directive was the first Pan-EU requirement. Many countries, such as France, already had privacy laws in place from the 1970s. But the EU Data Protection Directive set a floor in terms of what each of the EU member states needed in their own national privacy laws.

A lot has happened from the technology standpoint since those times around areas such as cross-border data transfers and security and the types of rights that individuals have around their personal data or would expect around their personal data. The GDPR has been in the works for over five years now around updating the existing EU Data Protection Directive with the goal of harmonizing the requirements across the EU and strengthening individual rights, considering everything that's happened from a technology standpoint since 1995.

What do you see as the silver lining of GDPR for companies?

Finch: A lot of companies, unfortunately, are looking at this as a compliance headache. We see it as a huge opportunity, not only for us at Salesforce, but also for our customers. The World Economic Forum talks a lot about what they're calling the fourth industrial revolution and all this innovation that's coming from it.

Individuals have very high expectations in terms of very personalized journeys with the companies with which they do business. But, at the same time, they have higher expectations than ever before around how companies are handling that data.

When you think about being a very customer-centric company, you absolutely want to delight that individual. A key part of that is building a trusted relationship with that person and making sure that you are respecting their wishes in terms of how their data is used.

By really stepping away from the complexity of GDPR and thinking about that individual to whom the personal data relates and the rights and expectations that they have and want, you're actually going to be really well on your way to complying with GDPR. It's a great blueprint for not only customer success, but also compliance.