GDPR and Using the Salesforce Individual Object

Free Salesforce business guides to help admins/developers, project managers, sales managers, and decision makers. Download the free PDF series now: Reinventing Your Business, Reimagining Your Salesforce®.

Whether your company is located in the European Union, sells to customers who are located in the European Union, or you would like your company to get ahead of the curve with respect to privacy acts as a best practice, Salesforce^® has implemented an Individual object to help you keep track of an individual’s data privacy preferences. This can be used for compliance with GDPR or other privacy protection laws such as The California Online Privacy Protection Act (CalOPPA).

Customizing and using the Individual object will help you on your journey to honor your customers' wishes regarding how their data is stored and used. For the sake of this blog, we will be focusing on using the Individual object in support of GDPR.

First, what is GDPR? GDPR (General Data Protection Regulation) is a regulation in European Union law on data privacy and protection for all individuals within the EU and the European Economic Area.

That said, we're not attorneys, and this article isn't a magnum opus on EU data privacy or legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, we'll be offering some resources where you can learn more about GDPR, and how using the Individual object in Salesforce may help you along your journey to honor an individual’s data privacy and preferences.

If you are just starting out your journey or haven’t done so yet, we recommend checking out Salesforce’s GDPR Overview page for some excellent training resources in Trailhead and videos. Another great resource that goes into more specifics is Sales Cloud Accelerate GDPR Readiness.

While there are many aspects of GDPR to consider like how to handle Data Portability requests or how to perform Restriction of Processing, this blog will focus on two of the most tricky areas: the Right to be Forgotten and Consent.

Right to Be Forgotten

When a customer no longer wishes for you to retain data about them, or when it’s no longer necessary to keep data, data protection and privacy regulations can require you to delete the customer's personal data. When this happens, you will need to either delete that data from your Salesforce org, or obscure it so that there isn’t any personally identifiable data according to their preferences. There are many reasons that a customer may want to be forgotten. For example, the customer may have decided to no longer do business with your company, or is no longer employed by your customer.

There are a number of ways to delete data from Salesforce, some of them have their limitations and some are more difficult than others.

Data Deletion Options

Data Deletion for Sales Cloud – Manually deleting records from Salesforce.
Salesforce’s Mass Delete Wizard – This is the native/web-based deletion wizard for Salesforce. Go to Setup>Mass Delete Records to access the tool. This wizard will allow you to delete Accounts, Leads, Activities, Contacts, Cases, Solutions, Products, and Reports. Currently, Mass Delete is limited to 250 records and is limited to the named objects, so while it will help you to delete some data, it will not be your silver bullet solution. This feature is available in all Salesforce editions (except for Database.com, where it's only available via the API and only for custom object removal).
ETL (Extract Transform Loading) Tools – Typically used for data migration, and these tools can also be used for data removal. One of the most popular ETL Tools is the Salesforce Data Loader (available in both Classic and Lightning and supports Enterprise, Performance, Unlimited, Developer and Database.com Editions). The Salesforce Data Loader also has the capability to delete data from Salesforce and can access all Standard and Custom Objects, and a .CSV file with the records to be deleted or a SOQL relationship query will be needed. There are other popular ETL tools such as Dataloader.io and JitterBit. Most of the ETL tools are paid and will require significant investment and evaluation to ensure they meet your requirements. Also, make sure that the ETL tool supports your edition of Salesforce.
Data Quality Helper – A freemium AppExchange app by Passage Technology (Lightning Ready and available for Salesforce Professional, Enterprise, Unlimited, Force.com, Developer, Performance, and Essentials editions) will enable you to define deletion criteria and preview records to be deleted. Once the criteria is defined, jobs can be manually run, run on a scheduled basis, or run after a Salesforce data backup.

Sometimes the data that needs to be removed may be linked to workflows or other related records, so you may choose to obscure the data rather than delete it. Salesforce recommends that you should consult with your company’s legal counsel before opting to obscure rather than delete records. One way that you can obscure the data is to delete the personal information in all fields, and replace the personal data with random or scrambled characters. You can also use generic data such as using, ‘Forgotten’ as an obscuring value for the last name field.

Consent

Customers may have specific preferences in the ways that you use their data, which may include using their data in cookies, communication preferences, and the use of their social profiles to name a few examples. Regarding communication preferences, Salesforce provides Email Opt-Out and Do Not Call fields on Contact and Lead that are available in all editions to assist with honoring such customers’ requests, but with GDPR, this is not sufficient to track all the possible channels and communication preference options. Enter the “Individual Object.”

Individual Object

A few years ago, Salesforce implemented a standard object, named “Individual,” that became available in All Editions. This object allows data privacy preferences to be tracked for any objects (including custom objects) on the Salesforce platform that contain personal information. Think of this object as a way to save an individual’s data privacy preferences that can be used when communicating with Leads, Contacts, and Person Accounts. By using this object, Salesforce is helping us to honor customers’ wishes. You can track and store preferences for:

Collecting, storing, and sharing their personal data
Packaging their personal data so they can take ownership of it
Deleting records and personal data related to them
Solicitation of products and services
Tracking their geolocation and web activity

Additionally, you can add custom fields to Individual for any additional preferences or processes that you may need for your organization.

Salesforce GDPR, Individual record with Contact field

Getting Started With the Individual Object

The Individual object must first be enabled in your org.

To enable the use of Individual: Setup>Data Protection and Privacy>Edit>Make data protection details available in records>Save

Once you have saved, add the Individual field to Lead, Contact, or Person Account page layouts.

Salesforce GDPR, data protection and privacy setup setting to enable Individual object

Visibility

To make the Individual object tab available to your users, go to Setup>Profiles>Select a Profile>Object Settings>Individuals>Tab Settings>Default On>Save

From here you can also customize object and field permissions for the profile. Repeat this process for all profiles that will need access to Individuals.

Salesforce GDPR, enable Individual page layout for User Profiles

Once you have the Individual object enabled and visible to the appropriate users, you will want to customize the object along with flows and reports, to support your unique business processes. While each business will use the object in different ways, there are some commonalities and complexities to introducing a new object into an organization that should be considered. These include saving users time, improving data accuracy by automating the creation and updates of Individual records, as well as using flows to drive business processes. Also, the Individual object has some limitations in functionality where typical tools like Process Builder are not currently supported.

Using the Individual Object

Once enabled, Individual records need to be created and then related to Contact, Lead, Person Account, Community User, and/or any relevant custom object records. As a customer’s preferences change, the Individual records will need to be updated, and action taken by your organization to honor the new preferences.

Salesforce GDPR, Contact record with Individual field

Known Limitations Impacting an Individual Object-based Solution

Requirement	PROCESS BUILDER	FLOW	APEX	PASSAGE TECHNOLOGY "ADMIN APPS"
Create Individuals Automatically	YES	YES	YES	YES
Link Lead, Comtact, etc. To Individual Automatically	NO	YES	YES	YES
Minimizes Duplication of Individual Records	NO	YES	YES	YES
Can Trigger Cascading Deletes on Child Objects?	NO	YES	YES	YES
Easy to Use!	NO	NO	NO	YES

Creating, Relating, and Maintaining New Data Privacy Records

There a few different ways for new Individual records to be created, related to other records, and maintained:

Manually
Using Apex

This creates new data privacy records for Leads and Contacts, if a record already exists, this will create duplicates.

Using Lookup Helper – Freemium AppExchange app by Passage Technology

Use Lookup Helper’s “Create new category records” feature to automatically create new data privacy records without duplication as long as the criteria is an exact match.

Populating the Individual Lookup Field

While you may use Process Builder or Flow Builder to create Individual records when a Contact is created, you cannot update any Individual object field without an error. These tools also do not work when attempting to update the Individual field on a contact, which may be required when deduping or correcting contacts associated with their correct identities.

However you create Individual records, they should be related to the appropriate Lead, Contact, Person Account, Community User, etc. The lookup field can be populated to relate these child records as follows:

Manually
Using Apex

While Apex will automatically relate the records, the code does need to be written and maintained to handle various scenarios such as lead conversions, duplicate record processing, etc.

Using Data Loader or the Data Import Wizard tool

Using Data Loader requires less manual effort than updating records manually, but still requires a resource to upload data on a regular basis.

Using Lookup Helper – A freemium AppExchange app by Passage Technology

Declarative solution to automatically populate a lookup field that can be run in batch, but will also keep records up to date in real time as new records are created/modified.

To ensure data accuracy when using any of the above options, there should be a unique identifier like email, or a direct or mobile phone on the records that are being related in order to prevent records from being mismatched.

Keeping Data Privacy (Individual) Records Up to Date

When Contact, Lead, Person Account, or other Custom Object child records are renamed, the Individual record should be as well for consistency. Email Opt Out and Do Not Call fields on the record should be also be updated as an initial preference and as a customer’s preferences change. Additionally, the Contact/Lead/Person Account’s email, phone number or any other personal information could be initially logged and kept up to date in custom fields on their data privacy records. You may also want to consider adding customer status or any other means of identifying your legal basis for processing. These updates can be achieved:

Manually
Apex
Rollup Helper – a freemium AppExchange app by Passage Technology

Declarative solution that can bulk update records in batch via a lookup relationship, and automatically keep them up to date in real-time as new records are created or customer’s preferences change.