A Guide to Designing Applications on the Salesforce Lightning Platform in the Age of the GDPR

Legal DisclaimerThis white paper contains a broad overview of the General Data Protection Regulation (GDPR) and some of the requirements to consider when designing applications. It is not intended to be legal advice. We urge individuals to consult with their legal counsel to familiarize themself with the GDPR requirements that govern their specific situation.

AbstractApplications are the lifeblood of modern business, and the ability to innovate and customize applications can provide critical competitiveness and differentiation for companies of all sizes and across segments. As these applications expand to handle more critical and sensitive information, and as this information is exploited by companies in ways not explicitly approved of by individuals, the applications expose individuals to both risk and abuse. To address this challenge, governments have stepped in with regulations to help reduce that risk and abuse and provide sanctions, including potential penalties for the improper management of that data. In this white paper, we will explore the implications of one new regulatory framework, the GDPR, on application development, and how organizations can leverage the Salesforce Lightning Platform to develop applications that accelerate their readiness for this new regulation.

What is the GDPR?The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. Any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU.

What are the key principles of the GDPR?The GDPR is framed in the context of the following roles:

• Controller: organization that determines the purposes and means of the processing of personal data of EU individuals

• Processors: organizations that process personal data on behalf of the Controller (for example, cloud service providers)

• Data Subject: an identified or identifiable natural person

The GDPR changes EU data protection laws in many significant ways:

Definition of “personal data”: The GDPR expands the existing concept of personal data, making it clear that location data and online identifiers, such as IP addresses, are considered personal data. The GDPR also expands the concept of sensitive personal data to include genetic and biometric data.

New and expanded rights for EU individuals around deletion of data, restriction of processing, and portability of personal data.

Deletion of data: With the “right to be forgotten,” Data Subjects may require that the Controller erase personal data about them. This right may also be used as a means to require internet service providers to delete out-of-date publicly available information, in particular that information which appears in search results.

Restriction of processing: Under the GDPR, Data Subjects have the right to restrict the Controller’s processing of their personal data, which means that the organization is allowed to continue to store the data, but cannot process it any further.

Portability of personal data: Data Subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format, for the purposes of transferring that data to another Controller.

Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented.

Breach notification: The GDPR requires organizations to report certain personal data breaches to the relevant data protection authority, and in some circumstances, to the affected Data Subjects. Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the Data Subjects concerned. If circumstances require it, Controllers may also be required to communicate the data breach to Data Subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach.

Data protection impact assessments: Where certain processing is likely to be classified as “high risk” to Data Subjects, the Controller may be required to carry out a data protection impact assessment identifying the impact of the proposed processing operations on the personal data.

International transfers: The GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU, as long as there are appropriate safeguards in place to protect that data. Salesforce’s data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalize transfers of EU personal data outside of the EU.

Consent: Consent is subject to additional requirements under the GDPR. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes through a statement or clear affirmative action.” The concept of consent is used throughout the GDPR as a means to legitimize certain processing activities from a legal perspective.

Transparency: The GDPR requires that Controllers provide Data Subjects with information about their processing operations at the time when the personal data is collected. This information includes the identity and contact details of the Controller,

the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data, and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner. In addition, Controllers are required to provide information to Data Subjects even in circumstances where the personal data has not been obtained directly from the data subject.

Profiling: The GDPR introduces the concept of “profiling” or any form of automated processing that uses personal data to evaluate personal aspects and in particular to analyze or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Data Subjects must be informed of the existence of profiling and any consequences of the profiling.

Enforcement: Fines for noncompliance under the GDPR can be substantial. Data protection authorities have a number of enforcement powers under the GDPR, including the ability to fine organizations up to €20 million or 4% of annual global turnover, whichever is higher. These are maximum fines, and it remains to be seen how regulators will use their newly acquired enforcement powers.

“One-stop shop”: Under the GDPR, organizations that are established in more than one EU member state or are processing personal data affecting Data Subjects in more than one EU country will have greater clarity about their supervising data protection authority. Supervisory authority for the main European establishment of that organization will act as the lead authority. This authority will cooperate with the other supervisory authorities concerned in respect of cross-border data protection issues.

What is the Salesforce Lightning Platform?The Lightning Platform is the world’s leading cloud platform. It powers the core apps at Salesforce and enables no-code, low-code, and programmatic options to build, secure, integrate, and manage business applications that extend CRM and power amazing customer, partner, and employee experiences. The Lightning Platform empowers everyone to build the apps they need using clicks, not code, building apps fast while giving IT the governance and control it needs to keep those apps scalable and secure. For professional developers, the Lightning Platform offers modern tools to drive collaboration and continuous integration and delivery. The Lightning Platform abstracts away the complexity around building apps, taking care of things like infrastructure, database design, scale, globalization, integration, search, mobility, and more, so companies can deliver apps in half the time of traditional and legacy platforms.

What are the benefits of developing on the Salesforce Lightning Platform?Organizations use many complex sets of tools, programs, and apps to serve their customers, sometimes creating a myriad of systems and applications that do not interface well together to get a complete view of the customer. Juggling many apps, logins, and disconnected experiences slows down employes and creates challenges in delivering a personalized customer experience.

The Lightning Platform provides an opportunity to unify digital apps and processes around an integrated view of customer data, empowering organizations to pursue digital transformation that puts the customer at the heart of everything they do. The Lightning Platform allows admins and developers to use point-and-click tools and drag-and-drop interfaces to create apps that connect to data, automate business processes, and are easy to customize for any role or department. Out-of-the-box Access Controls offer declarative options to establish granular security settings that ensure only the right people can access the right data at the right times.

With the SAlesforce Lightning Platform, customers can:

• Extend their CRM with no-code, low-code, and programmatic customizations

• Digitize business processes and increase collaboration, moving away from spreadsheets, email threads, paper processes, checklists, and Post-it notes

• Create amazing customer experiences and innovate with the latest technology, like artificial intelligence with Einstein and connected experiences with the IoT

• Deploy with confidence, leveraging Salesforce’s trust model and security architecture

• Go faster with prebuilt apps from AppExchange

How to leverage the Salesforce Lightning Platform to address key principles of the GDPRSalesforce, as a Processor, has taken necessary steps to prepare for the GDPR, and provides information on the Salesforce website as well as in the Data Protection and Privacy help section.

Managing Consent

The Lightning Platform has out-of-the-box settings on Contact and Lead records that enable customers to note a request from a Contact or Lead to not call, email, and/or fax them.

The Lightning Platform recently introduced an Individual Object for documenting privacy settings across the multiple roles of an individual in your organization. Individuals can be created and managed from standard objects — like Contacts, Leads, and Person Accounts — and custom objects. Organizations can add custom logic to integrate these consent settings into their processes. The Individual Object includes the following flags out-of-the-box:

• Block geolocation tracking• Do not process• Do not profile• Do not solicit• Do not track• Export individual’s data• Forget this individual• OK to store PII data elsewhere

With the Lightning Platform, customers can leverage a combination of Standard Objects and their settings, Custom Objects, and add their own business logic to build custom consent regimes that can be configured to meet their specific compliance requirements. This logic may include declarative controls, such as validation and workflow rules, custom processes and flows, or programmatic controls using APEX. These combinations of out-of-the-box capabilities, declarative customization, and extensible business logic make the Lightning Platform a powerful partner for any company looking to best manage consent in the age of GDPR.

Right to be Forgotten

Salesforce customers, as Controllers, may delete data from their Salesforce orgs declaratively, from within the UI, or programmatically, using logic API tools. There is no one-size-fits-all approach, and organizations should design their process after seeking legal advice. Below are two sample approaches to how Right to be Forgotten (RtbF) may be executed using the Lightning Platform.

Using the approaches depicted above, when a Data Subject completes the company’s process to request deletion of the company’s data pertaining to them (Right to be Forgotten), a Salesforce user can set a Right to be Forgotten (RtbF) flag on the Individual Object or a Custom Object to log the request and kick off the business logic to handle deletion of records.

This is one sample approach that Processors can use to execute deletion of records when requested by the Data Subject:

1. Provide a place to store the Data Subject’s intent to exercise their right to be forgotten.

2. When Data Subject invokes this right, trigger a Right to be Forgotten process:

a. Identify the records related to the Data Subject.

b. Delete the records.

c. Obfuscate details on User record, if needed.

PROCESS TRIGGERED

Customer deploys Trigger on RtbF attribute (individual)

Customer deploys Trigger on custom RtbF attribute

PRE-WORK

Customer enables Individual including UX for RtbF attr

Customer enables custom object/attribute for RtbF

RTBF PROCESS

Delete Contact, Lead, and other records

Delete Contact, Lead, and other records

Scrub/Delete other objects per guidance

Is there a User record?

RTBF PROCESS

Delete Contact, Lead, and other records

Delete Contact, Lead, and other records

Scrub/Delete other objects per guidance

Is there a User record?

RTBF INVOKED BY DATA SUBJECT

User logs in and sets RtbF flag

Data Subject optionally

verified

Data Subject optionally

verified

Data Subject exercises RtbF (through form, phone

call, or other method)

Restriction of Processing

The Lightning Platform allows customers to track Restriction of Processing on the Individual Object. Salesforce has identified techniques like this for Controllers wanting to follow a conservative approach:

1. Identify the records related to the Data Subject.

2. Export the records to the file system or other file storage to facilitate restoration.

3. Delete the records.

4. Import the records when the restriction is lifted.

ROP INVOCATION PROCESS

Signal Admin

Deactivate User

Export, then delete all records associated with Data Subject

Record restricted records and Data Subject info in external system to facilitate restoration

Data Subject is External Identity/

CommunitiesYes

PROCESS TRIGGERED

Customer deploys Trigger on RoP attribute (individual)

Customer deploys Trigger on custom RoP attribute

PRE-WORK

Customer enables Individual including UX for RoP attr

Customer enables custom object/attribute for RoP

ROP INVOCATION PROCESS

Signal Admin

Deactivate User

Export, then delete all records associated with Data Subject

Record restricted records and Data Subject info in external system to facilitate restoration

Data Subject is External Identity/

CommunitiesYes

ROP INVOKED BY DATA SUBJECT

User logs in and sets RoP flag

Data Subject optionally

verified

Data Subject optionally

verified

Data Subject exercises RoP (through form, phone

call, or other method)

Data Portability

The GDPR requires companies to be able to deliver to Individuals the personal data that they have provided to the Controller in a structured, commonly used, and machine-readable format. Salesforce supports data export in several of these formats, including CSV, XLS, JSON, and XML.

Both declarative options, available via the UI, and programmatic options, available via API tools, are available including:

• Reports can be accessed through the Salesforce UI and provide export capabilities in CSV and XLS formats.

• Reports and Dashboards API may be used to query for a report and the records it contains. This method also produces CSV and XLS formats.

• Data Loader is a Salesforce tool designed to create, update, upsert, delete, and export records. When exporting data, the Data Loader output is CSV files.

• Apex can be used from the developer console to generate a comma-delimited string with a line for each record. This extract can be saved as an attachment or static resource.

• SOAP and REST APIs can be leveraged through many different methods and may yield a number of different output types. One common Salesforce API tool is Workbench, which allows the user to pick the object and fields needed and generate a query.

• Third-Party ETL (Extract-Transform-Load) tools offer more powerful options for exporting data. Jitterbit, Informatica, Dell Boomi, Talend, and MuleSoft are examples of ETL tools that are not Salesforce-specific, but offer adapters or connectors for working with Salesforce data. These tools are commonly used by enterprise customers with sophisticated integration patterns.

How to leverage Salesforce’s security architecture when designing applicationsThe GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented. Salesforce customers can rely on many technical controls from Salesforce as their Processor.

Trust is the #1 priority at Salesforce, and security is built into the Platform’s infrastructure with advanced threat detection, continuous monitoring, encryption in transit, secure data centers, and trusted IP ranges. The Trust team carefully monitors Salesforce infrastructure around the clock, which is significantly more efficient than a conventional in-house system, where an organization must divide its efforts between a myriad of IT concerns, with security being only one of them. Salesforce provides transparency around security and performance metrics through a dedicated trust site.

While Salesforce has many security controls at the network and infrastructure layers, Salesforce customers leverage out-of-the-box access controls at the application layer to protect themselves from account credential compromise and data loss. Insider threats are the leading source of cybersecurity attacks, with 60% of incidents caused by employees inside an organization. Salesforce offers granular controls at the application layer to allow organizations to enforce a least privilege access model and reduce the risk of insider threats. One key principle of the GDPR is a requirement for technical security measures to protect personal data (Article 5(1)(f), Article 32). Technical measures include user authentication and logical access controls. With the Lightning Platform, customers can be confident about cloud security and can leverage access controls and other platform-native technical measures to protect their Data Subjects.

Trust and Cloud Security

81% of those surveyed

believed that GDPR would

maintain or accelerate their cloud adoption.*

83% of IT leaders say they feel

more comfortable with their knowledge of cloud

security than they did five years ago.**

65% plan on increasing

data stored in the cloud over the next 12 to 18

months.**

* “Closing the Cloud Security Business Gap”, 2018

** Salesforce “State of IT”, 2017

What does Salesforce offer at each security layer?

Infrastructure Services

Infrastructure Services are at the foundation of the Salesforce security model, which includes the extensive security within our data centers, backup and disaster recovery practices, and real-time data replication, all of which are backed up by third-party certifications and customer audits. Salesforce manages this infrastructure for customers, streamlining their efforts to prevent hardware theft, ensure business continuity, and provide documentation for customer audit process.

Salesforce deploys firewalls and/or access control lists (ACLs) at every layer of the stack, including the database layer. Customers have to go through a separate bastion host so direct login to the database servers is prevented. Salesforce also encrypts traffic that is flowing between Salesforce data centers so that data is never unencrypted as it travels between primary and backup locations.

Infrastructure Services

Network Services

Application Services

Secure Data Centers

Backup and Disaster Recovery

HTTPS Encryption

Penetration Testing

Advanced Threat Detection

Identity & Single Sign-On

Two-Factor Authentication

User Roles & Permissions

Secure Firewalls

Real-Time replication

Password Policies

Third-Party Certi cations

IP Login Restrictions

Customer Audits

Salesforce Shield Platform Encryption

Event Monitoring

Field Audit Trail

Field Level Security

Classic Encryption

Field History Tracking

Monitor Login History

Network Services

Network Services are core to how Salesforce handles customer data and monitors transactions, including encryption in transit, penetration testing, monitoring, advanced threat detection, secure firewalls, and IP login restrictions. This layer of the Salesforce security model offers out-of-the-box protection that benefits every customer and every Salesforce transaction.

Salesforce secures its network with a variety of technical measures. End-to-end transport layer security (TLS) cryptographic protocols encrypt all network data transmissions so the strongest level of encryption is used to safely transmit customer data. access control lists (ACLs) inspect all network packets and prevent unauthorized connections. In addition, a number of sophisticated security tools monitor platform activity in real time to expose many types of malicious events, threats, and intrusion attempts. For example, hacking attempts on a customer’s web applications are identified and prevented in real-time by intrusion detection systems (IDS).

Application Layer

There are multiple levels of access that can be granted at the application layer, ranging from the ability to limit logins to trusted networks to granular field-level security controls. User interactions in Salesforce are tracked and can generate an audit trail. Organizations can even set object-level history tracking so they can see when individual changes are made and by whom.

Salesforce eases implementation of security policies and protocols with a variety of point-and-click tools. Using these declarative controls, Salesforce administrators can establish a record-sharing model, enforce login and password policy settings, and set profile-based permissions for object- and field-level access.

How does Salesforce Shield enhance security?Companies of all sizes and industries are using Salesforce across departments to run their businesses faster and transform application development. As adoption of Salesforce for critical business capabilities grows, monitoring user behavior, tracking changes to data, and preventing data loss are more important than ever. With more sensitive data in the cloud, security and compliance requirements also become increasingly complex. Salesforce Shield, a premium set of security services, helps address these requirements while allowing customers to proactively monitor user activity and enforce security policies.

Platform Encryption

Platform Encryption lets customers encrypt their most sensitive data at rest while retaining critical app functionality. Platform Encryption is natively integrated with key Salesforce features, so core functionality like search, lookups, validation rules, and Chatter are preserved. Platform Encryption helps customers provide their users a full 360-degree view of their customers by bringing and managing regulated, private, or proprietary data with confidence.

Which GDPR requirements can it help with?

Security Measures While the GDPR is not prescriptive in stating what “appropriate” technical measures are, one example it does provide is encryption (Article 32(1)(a)). Salesforce offers encryption while data is in transit for most of its services at no additional cost to the customer. The addition of Shield offers the option of encrypting data while at rest, meaning that it is encrypted when it’s inactive or being stored within Salesforce using an advanced key derivation system.

Personal Data Breach Platform Encryption may be helpful in the event of a personal data breach where customer data is exfiltrated, no matter how big or small in scale. Under the GDPR, the Controller may be required to notify the data protection authority and/or the individuals affected if the breach is likely to result in “a risk to the rights and freedoms” of the people involved (Articles 33 & 34). If the personal data involved in the breach was encrypted, it is less likely that the personal data will become visible to someone

who shouldn’t be seeing it, thus limiting the impact of the breach. Furthermore, the GDPR notes that the communication to the Data Subjects will not be required if the Controller has implemented appropriate technical and organizational measures, such as encryption, which render the personal data unintelligible to any person who is not authorized to access it (Article 34(3)(a)). As a result, encryption may further limit the scope of any potential embarrassment or further investigation into the incident.

Event Monitoring

Event Monitoring delivers access to detailed performance, security, and usage data for customers’ Salesforce apps to help monitor compliance with their security policies, understand user adoption across their apps, and troubleshoot and optimize application performance. Transaction Security, a key component of Event Monitoring, lets customers build flexible, customizable security policies that give IT the power to identify and prevent malicious activity in real time.

Which GDPR requirements can it help with?

Security and Data Integrity As described above, adequate security is important for ensuring that personal data is properly protected under the GDPR. In addition to encryption, the GDPR provides further examples of measures that may be “appropriate,” including those that allow for “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and service” (Article 32(1)(b)). Event Monitoring allows customers to monitor log data and to quickly identify suspicious activity, assisting them in preserving the integrity of the personal data and their systems.

Personal Data Breach By being able to observe and quickly respond to any threats, Event Monitoring assists customers by allowing them to minimize damage and rapidly remediate the threat, thus limiting the scope of the impact on the Data Subjects. The Transaction Security feature allows customers to tailor their security profile to respond in real time to certain threats commonly faced by their organization. This helps customers to better enforce their policies, for example, by blocking the activity or by notifying a designated user of the unwanted activity.

Field Audit Trail

With Field Audit Trail, customers can track changes to their data for up to 10 years and report on its value and state over time for forensic-level compliance and greater operational insights into their business.

Which GDPR requirements can it help with?

Retention Under the GDPR, one of the key principles is that personal data must only be retained for “no longer than is necessary” for the purpose of the processing, otherwise known as the “data retention” principle (Article 5(1)(e)). Field Audit Trail can assist customers with their data retention obligations by enabling them to develop data retention policies to ensure that personal data is not stored for excessive periods of time, actively manage their data over a period of time, and develop data retention policies accordingly.

Security and Data Integrity The GDPR highlights that measures that allow “the ability to ensure the ongoing confidentiality, integrity, availability and resilience” of processing systems may be “appropriate” to secure certain personal data. In the event personal data is incorrectly modified or is lost, Field Audit Trail allows customers to retrieve a recent historical copy, thereby assisting them in ensuring the availability and resilience of their personal data.

Accountability The GDPR requires that organizations are able to demonstrate that they treat personal data in compliance with the law (Article 24). Field Audit Trail helps customers to achieve this by allowing them to confirm exactly what data the organization has held on the Lightning Platform, and for how long.

GDPR as catalyst for building a modern app portfolioAs companies endeavor to understand their obligations in the age of the GDPR, they conduct internal audits of all the business processes and applications that touch personal data from their employees and customers. These audits may uncover existing applications that are not GDPR compliant.

IT teams face a challenging decision: keep or modernize these legacy applications. If the choice is made to keep the existing applications, the IT team will need to invest in developing new features and purchase additional hardware where needed. Organizations opting to modernize their app portfolio can use the GDPR as an opportunity to redesign and migrate legacy applications to Salesforce, empowering their teams to transform application development with tools that are fast, easy, and fun. This approach has the benefit of consolidating applications onto a single platform, reducing complexity, increasing agility, and centralizing efforts for GDPR readiness.

Salesforce customers can build apps over 50% faster using the Lightning Platform’s clicks-not-code approach. Salesforce’s AppExchange, the #1 Business App Marketplace, further accelerates time to market, offering many required departmental apps ready-to-install.

The Lightning Platform advantage and Salesforce’s GDPR-ready features can be extended to all business applications for truly transformational application development. Organizations that leverage their GDPR readiness as a strategic opportunity to conduct an app modernization project will empower business and IT users to work together to modernize, automate, and deliver the experiences customers and employees need.

What should I do next?Once you’ve decided on migrating your legacy application to Salesforce, you’ll need to:

Identify AN Executive Sponsor

It is critical to ensure that your leadership understands the importance of GDPR and the potential consequences of noncompliance. You will need the support of admin and developer resources and commitment in the budget. Your executive sponsor can be your champion toward ensuring you have funding and help spread the message about your work.

Build a Project Team

Application development is a team sport. Make sure your team includes representation from various departments across your organization, including your admins and developers, IT, security and compliance, legal, product management, and business leadership. It is a best practice to appoint a leader to oversee the project, and this person could serve as your data protection officer. It is important to have documented roles and responsibilities for each member of the team.

Prioritize Applications for Migration

You may have multiple legacy applications that would benefit from being migrated to Salesforce. Conduct an assessment of all databases and systems that may contain personal data. First, take time to document each system, what type of data it contains, where the data originated from, who accesses it, what security measures are in place, and how long data is stored here. This is a good time to identify which third-party providers each system receives personal data from or transfers personal data to. Next, identify which of these systems include data processing activities that may pose the most risk to data privacy. You should now be able to determine the priority order for migration.

Create Your Roadmap

With an expanded understanding of your organization’s systems, the personal data contained within, the users of that data, and data privacy risks, it is time to create your roadmap of technological and operational changes. This roadmap should take into account changes to your core processes concerning security, privacy notices, Data

Subject rights, usage limitations, employee and vendor training, international transfers, incident responses, and ongoing data protection impact assessments.

Document Compliance

You’ve gathered a lot of documentation about the assessment of your current state and the roadmap of changes to come. Once you’ve completed the migration, you will need to document your compliance efforts to present in the event of an audit. This documentation may include privacy notices and consent forms, a data inventory and records of processing activities, training materials, data transfer agreements, vendor contracts, and other written policies and procedures. Your data protection officer should oversee the periodic review of this documentation.

Where can I find out more information?

Website Salesforce on GDPR

White Paper Your GDPR Compliance

Journey with Salesforce Shield

Trailhead EU Privacy Law Basics

Accelerator EU Privacy Basics