GDPR and the Salesforce CRM: what’s the impact?

A speculative look at how GDPR might affect businesses using Salesforce.


Next May (2018) the General Data Protection Regulation (GDPR) comes into effect in the UK, with the threat of severe consequences for those businesses who fail to comply.

It’s fairly safe to assume that at least a handful of Salesforce’s 25,000 staff will be looking at how this will impact their customers in the UK, and with three platform releases between now and next May, there is probably sufficient time to make any required platform changes to support GDPR.

However, for those wishing to find out where they might stand, the Information Commissioner’s Office (ICO) website has a great Overview of the GDPR which explains that for data processing to be lawful under the GDPR, businesses need to identify a legal basis before they can process personal data, and that this must be documented.

Consent must be obtained

Typical legal bases are laid out on on the ICO website, but it’s worth highlighting that consent of the data subject is a key legal basis for processing personal data under GDPR. Other bases include processing that is necessary for performance of a contract, and processing necessary for compliance with a legal obligation. See the ICO website for the full list, including conditions for special categories of data.

Consent is a slightly grey area. The GDPR references both ‘consent’ and ‘explicit consent’, but the difference between these is not clear. However, there must be “some form of clear affirmative action”, and not just an assumption that the data subject’s silence on the matter equals  consent. It must also be borne in mind that consent can be withdrawn at any time.

Consent must be verifable

Perhaps crucially, it is important that consent must be verifiable in the form of some kind of record of how and when consent was given.

How this will be done in practice remains to be seen. When someone hands over their business card at a busy networking event, it could be argued that such an action does not constitute explicit consent, so networkers may all need to begin asking if it’s okay to log those details into an information system so they can keep in contact.

No consent, no processing?

If a business cannot obtain consent from the data subject and there is no other legal basis for processing their data, the ICO website states the processing must not be carried out, or must be ceased.

However, there is an interesting paragraph that states:

Remember that you can rely on alternative legal bases to consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.

Exactly what is meant by “legitimate interests”? Can business development and sales activities be considered necessary for a business’s legitimate interests?

Further reading on GDPR

To find out more about the rights of individuals under GDPR, visit the Overview of the GDPR on the ICO website. This is a fairly comprehensive resource and an official stance on GDPR from the Information Commissioner’s Office.

As Salesforce Registered Consulting Partners, we will keep an eye on developments and update our own blog with GDPR news as we learn more. We will be ready to work with our customers to ensure their Salesforce implementations are GDPR compliant in time.

Leave a Reply