Whether your company is located in the European Union, sells to customers who are located in the European Union, or you would like your company to get ahead of the curve with respect to privacy acts as a best practice, Salesforce® has implemented an Individual object to help you keep track of an individual’s data privacy preferences. This can be used for compliance with GDPR or other privacy protection laws such as The California Online Privacy Protection Act (CalOPPA).
Customizing and using the Individual object will help you on your journey to honor your customers' wishes regarding how their data is stored and used. For the sake of this blog, we will be focusing on using the Individual object in support of GDPR.
First, what is GDPR? GDPR (General Data Protection Regulation) is a regulation in European Union law on data privacy and protection for all individuals within the EU and the European Economic Area.
That said, we're not attorneys, and this article isn't a magnum opus on EU data privacy or legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, we'll be offering some resources where you can learn more about GDPR, and how using the Individual object in Salesforce may help you along your journey to honor an individual’s data privacy and preferences.
If you are just starting out your journey or haven’t done so yet, we recommend checking out Salesforce’s GDPR Overview page for some excellent training resources in Trailhead and videos. Another great resource that goes into more specifics is Sales Cloud Accelerate GDPR Readiness.
While there are many aspects of GDPR to consider like how to handle Data Portability requests or how to perform Restriction of Processing, this blog will focus on two of the most tricky areas: the Right to be Forgotten and Consent.
When a customer no longer wishes for you to retain data about them, or when it’s no longer necessary to keep data, data protection and privacy regulations can require you to delete the customer's personal data. When this happens, you will need to either delete that data from your Salesforce org, or obscure it so that there isn’t any personally identifiable data according to their preferences. There are many reasons that a customer may want to be forgotten. For example, the customer may have decided to no longer do business with your company, or is no longer employed by your customer.
There are a number of ways to delete data from Salesforce, some of them have their limitations and some are more difficult than others.
Sometimes the data that needs to be removed may be linked to workflows or other related records, so you may choose to obscure the data rather than delete it. Salesforce recommends that you should consult with your company’s legal counsel before opting to obscure rather than delete records. One way that you can obscure the data is to delete the personal information in all fields, and replace the personal data with random or scrambled characters. You can also use generic data such as using, ‘Forgotten’ as an obscuring value for the last name field.
Customers may have specific preferences in the ways that you use their data, which may include using their data in cookies, communication preferences, and the use of their social profiles to name a few examples. Regarding communication preferences, Salesforce provides Email Opt-Out and Do Not Call fields on Contact and Lead that are available in all editions to assist with honoring such customers’ requests, but with GDPR, this is not sufficient to track all the possible channels and communication preference options. Enter the “Individual Object.”
A few years ago, Salesforce implemented a standard object, named “Individual,” that became available in All Editions. This object allows data privacy preferences to be tracked for any objects (including custom objects) on the Salesforce platform that contain personal information. Think of this object as a way to save an individual’s data privacy preferences that can be used when communicating with Leads, Contacts, and Person Accounts. By using this object, Salesforce is helping us to honor customers’ wishes. You can track and store preferences for:
Additionally, you can add custom fields to Individual for any additional preferences or processes that you may need for your organization.
The Individual object must first be enabled in your org.
To enable the use of Individual: Setup>Data Protection and Privacy>Edit>Make data protection details available in records>Save
Once you have saved, add the Individual field to Lead, Contact, or Person Account page layouts.
To make the Individual object tab available to your users, go to Setup>Profiles>Select a Profile>Object Settings>Individuals>Tab Settings>Default On>Save
From here you can also customize object and field permissions for the profile. Repeat this process for all profiles that will need access to Individuals.
Once you have the Individual object enabled and visible to the appropriate users, you will want to customize the object along with flows and reports, to support your unique business processes. While each business will use the object in different ways, there are some commonalities and complexities to introducing a new object into an organization that should be considered. These include saving users time, improving data accuracy by automating the creation and updates of Individual records, as well as using flows to drive business processes. Also, the Individual object has some limitations in functionality where typical tools like Process Builder are not currently supported.
Once enabled, Individual records need to be created and then related to Contact, Lead, Person Account, Community User, and/or any relevant custom object records. As a customer’s preferences change, the Individual records will need to be updated, and action taken by your organization to honor the new preferences.
| Requirement | PROCESS BUILDER | FLOW | APEX | PASSAGE TECHNOLOGY "ADMIN APPS" |
| Create Individuals Automatically | YES | YES | YES | YES |
| Link Lead, Comtact, etc. To Individual Automatically | NO | YES | YES | YES |
| Minimizes Duplication of Individual Records | NO | YES | YES | YES |
| Can Trigger Cascading Deletes on Child Objects? | NO | YES | YES | YES |
| Easy to Use! | NO | NO | NO | YES |
There a few different ways for new Individual records to be created, related to other records, and maintained:
While you may use Process Builder or Flow Builder to create Individual records when a Contact is created, you cannot update any Individual object field without an error. These tools also do not work when attempting to update the Individual field on a contact, which may be required when deduping or correcting contacts associated with their correct identities.
However you create Individual records, they should be related to the appropriate Lead, Contact, Person Account, Community User, etc. The lookup field can be populated to relate these child records as follows:
To ensure data accuracy when using any of the above options, there should be a unique identifier like email, or a direct or mobile phone on the records that are being related in order to prevent records from being mismatched.
When Contact, Lead, Person Account, or other Custom Object child records are renamed, the Individual record should be as well for consistency. Email Opt Out and Do Not Call fields on the record should be also be updated as an initial preference and as a customer’s preferences change. Additionally, the Contact/Lead/Person Account’s email, phone number or any other personal information could be initially logged and kept up to date in custom fields on their data privacy records. You may also want to consider adding customer status or any other means of identifying your legal basis for processing. These updates can be achieved:
Do you have any questions or comments? Please let us know by commenting below!