Why should you read this?
Because you are curious whether Salesforce can be your consent management platform for GDPR and CCPA compliance, how it can be architected and designed for that use, and what features Salesforce offers to make it easier. Read on…
Based on Managing Consent – What, Why, and Use Cases for Salesforce, let’s assume we consider Salesforce as a possible candidate for Consent Management. This raises two fundamental questions. Let’s start with the first one…
What does a Consent solution do?
Manage Consent, of course!
A constrained view of Data Privacy can get us a solution that checks all the boxes but does not really serve us well. This is especially true for Consent Management. Here are some high-level considerations…
What does Salesforce offer for Consent Management?
In the last few years, Salesforce has offered some interesting capabilities on the Platform to ensure that its customers can use these features for their compliance needs.
Objects for everyone: Salesforce has specifically designed Consent Management Objects, the most well known of which are the Individual and Contact Point Type Consent Objects. Customers (and partners like us) can design solutions using these.
Free Storage for all my friends: An interesting but lesser-known fact is that Salesforce does NOT count record storage for these objects against the Org’s storage allocation.
This matters because the number of Consent records can be a multiple of the number of Contacts or Leads.
My Cousin Vinny: The Individual and Party Consent objects are designed to serve as the “Master” record. The Party Id can be used to connect other Salesforce products – notably, Customer 360 and possibly Marketing Cloud, Pardot, Commerce Cloud, etc.
Salesforce Individual and Consent Management Object
Let’s do a deeper dive. The ‘Individual’ object represents a natural person (the “Data Subject”) and can link to one or more Contacts, Leads, Person Accounts, or Users via a lookup relationship.
Essentially, the Salesforce data model offers a “Master Data Management” type approach, where the Individual serves as the “Golden Copy” and is related to the various representations of personal information held in Leads, Contacts, Person Accounts, Users, etc.
Consent can then be created and managed against this Individual record. From a Data Architecture perspective, the Individual is a prerequisite for Salesforce’s consent functionality – No Individual, No Salesforce Consent Management functionality!
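The Individual-as-golden-copy model described above, shown as an added Apex example (not the page’s own code and not Cloud Compliance’s): it links a Contact to an Individual, records a channel/purpose consent against that Individual, and checks the latest effective consent before a contact attempt. It assumes the standard Individual, ContactPointTypeConsent and DataUsePurpose objects and the Contact.IndividualId lookup are present with their standard field names; the class name and the “no record means no consent” default are this example’s own choices.

```apex
// Added example, not the page's or Cloud Compliance's code. Assumes the standard
// Individual, ContactPointTypeConsent and DataUsePurpose objects and the
// Contact.IndividualId lookup exist in the org with their standard field names.
public with sharing class ConsentExample {

    // Ensure the Contact is linked to an Individual ("golden copy"); create one if missing.
    public static Id ensureIndividual(Contact c) {
        if (c.IndividualId != null) {
            return c.IndividualId;
        }
        Individual ind = new Individual(FirstName = c.FirstName, LastName = c.LastName);
        insert ind;
        c.IndividualId = ind.Id;
        update c;
        return ind.Id;
    }

    // Record an opt-in/opt-out for one channel and one purpose against the Individual.
    public static ContactPointTypeConsent recordConsent(Id individualId, Id purposeId,
                                                        String channel, Boolean optedIn) {
        ContactPointTypeConsent cptc = new ContactPointTypeConsent(
            Name = channel + ' consent',
            PartyId = individualId,                 // lookup to the Individual
            DataUsePurposeId = purposeId,           // e.g. a "Marketing" DataUsePurpose
            ContactPointType = channel,             // picklist, e.g. 'Email'
            PrivacyConsentStatus = optedIn ? 'OptIn' : 'OptOut',
            EffectiveFrom = System.now(),
            CaptureDate = System.now()
        );
        insert cptc;
        return cptc;
    }

    // Check before a send: only the most recent, still-effective record counts.
    public static Boolean mayContact(Id individualId, Id purposeId, String channel) {
        List<ContactPointTypeConsent> rows = [
            SELECT PrivacyConsentStatus
            FROM ContactPointTypeConsent
            WHERE PartyId = :individualId
              AND DataUsePurposeId = :purposeId
              AND ContactPointType = :channel
              AND (EffectiveTo = null OR EffectiveTo > :System.now())
            ORDER BY EffectiveFrom DESC NULLS LAST
            LIMIT 1
        ];
        // No record means consent was never captured: treat as not opted in (assumed default).
        return !rows.isEmpty() && rows[0].PrivacyConsentStatus == 'OptIn';
    }
}
```

Because the status lives on the Individual rather than on each Contact or Lead, the same check serves every representation of the person that links to that Individual.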
In general, the Consent Management Objects fall broadly in these categories:
How can you manage Consent in Salesforce – Build vs. Buy?
Now that we know about Salesforce’s comprehensive data model for Consent Management, how can we leverage this capability for GDPR/CCPA compliance?
We will compare two options here: building it yourself, or going with an AppExchange package such as Cloud Compliance GDPR/CCPA Data Privacy Suite.
Option 1: Do It Yourself / Homebrew!
We will need to map business requirements and data privacy processes, understand and analyze the various consent management objects, design a solution, and automate the creation of Individuals and consent records.
Next, we will probably have to add data process automation (workflow/process builder/flows), build custom Lightning components to show and manage consent from other views, and add self-service and marketing integration.
Summary: Customers who have architecture talent and bandwidth can probably build some interesting solutions. However, those who do not have the time, inclination or resources to do so are better off not even trying.
Option 2: AppExchange offerings / Cloud Compliance
Implementing with Cloud Compliance entails understanding your use cases for Consent, setting up and configuring Cloud Compliance – declaratively – in hours/days, followed by testing and validating scenarios. That is it!
Why is this so quick? Because Cloud Compliance uses Salesforce’s Individual and Consent Management Objects.
It automates the underlying creation of Individuals, matches/associates them with Leads, Contacts, Person Accounts, etc., pre-defaults Consent, enables self-service, and propagates Consents (Opt-in/Opt-out) to marketing technologies.
Summary: If you factor in the cost of design, development, maintenance, and upgrades, Cloud Compliance can be a low-risk and cost-effective option when compared with DIY.
The alternative – DIY with custom Objects (aka Technical Debt)
What if we don’t care about Salesforce’s Consent Management and Individual Object? That is the beauty of Salesforce: we can build our own version with custom objects, along with automation for data sync, using Apex, Workflows, Process Builders, Flows, etc.
Consent is managed here by using custom child objects for Leads, Contacts, and other objects with personal data. This is also not as widely applicable as the Individual/Consent based model.
Summary: From an Enterprise Architecture perspective, this approach adds technical debt and diverges from Salesforce’s guidance. In the long term, these options usually end up in an expensive re-implementation, typically when the in-house designer of the solution leaves the company.
Conclusion: Build wisely and patiently, or buy!
Summary: At first glance, Consent Management with Salesforce may look simple. However, it can quickly get complicated as we dig into the GDPR/CCPA compliance requirements for the full consent lifecycle (renewal, expiration, self-service, etc.), as well as support for Anonymization, Data Inventory, etc.