Webinar Recording

Fields Gone Wild: Salesforce Data Governance

When Salesforce data accumulates for years without governance, compliance risk grows invisibly. This webinar covers actionable data governance strategies to clean up Salesforce data, enforce retention policies, and eliminate compliance gaps before they become audit failures.

Salesforce CRM has evolved from simple sales tracking into a system of record storing highly sensitive PII, PHI, and financial data — yet most organizations still lack a coherent governance framework to manage, retain, or retire that data. This webinar presents a practical maturity model for CRM data governance that avoids boiling the ocean.

What's covered in this webinar

Why CRM Governance Is Now Mandatory

  • GDPR fines exceeded $1.65 billion globally, with US state laws expanding rapidly
  • By 2025 Gartner forecast 80% of customer data would be highly regulated
  • Data breaches averaged over $4 million in cost, making governance a business-critical investment
  • Customer trust erodes when data misuse is perceived, directly damaging brand loyalty

From Legacy to Modern Governance

  • Legacy governance focused on cataloging data assets, lineage, and integration — now table stakes
  • Modern requirements include data subject requests, consent management, and privacy by design
  • Organizations with 10+ Salesforce orgs face compounding complexity in ownership and lineage
  • No single executive can own all three pillars: privacy, security, and governance

Salesforce-Specific Data Challenges

  • Salesforce now stores everything from basic CRM data to sensitive PHI and financial records
  • Internal and external user access has expanded, creating broad exposure surfaces
  • Custom fields proliferate without oversight — each new field represents ungoverned risk
  • Connected apps and integrations bring data in and out without consistent governance controls

Practical Governance Maturity Model

  • Start with a field-level audit: catalog what data you hold and who can access it
  • Establish retention schedules per object — not all data should be kept indefinitely
  • Build data subject request workflows before a regulatory deadline forces the issue
  • Use native Salesforce tools plus purpose-built solutions to automate governance at scale

Use this when

You need to prepare for a GDPR, CCPA, or HIPAA audit and cannot quickly map all PII fields in your Salesforce org.

Your team is managing 5 or more Salesforce orgs and struggling to enforce consistent data retention policies across them.

You need to respond to a data subject access or deletion request but lack automation to fulfill it within the required timeframe.

Your organization is expanding Salesforce usage to health, financial, or government data and must demonstrate privacy controls.

You need to reduce compliance risk without undertaking a multi-million-dollar data governance program from scratch.

Your team is considering AI or Einstein features and must first establish governance over training and processing data.


Video transcript
My name is Sarah Gupta and we are talking about Fields Gone Wild: CRM data governance. Thank you so much for joining. I am today joined by industry practitioners who are both extremely talented folks. Like all good Salesforce Partners, this is a disclaimer. None of this is legal advice. We will talk about privacy compliance governance and these are our professional personal points of view based on our prior experiences. They don't represent our employers.

I am the co-founder of Cloud Compliance. We are a Salesforce AppExchange ISV partner and we have data masker, data retention, right to be forgotten, and portability-based application products — 100% native. That's what we do. You can learn more about us at cloudcompliance.app. I spent about seven years at Salesforce. My background is primarily enterprise architecture and I am a problem solver based in Chicago.

So really the idea today is we've taken a sliver of governance because governance is a really, really large topic. What we want to talk about today was in general about governance, the changes that are happening, what's changing, the new level of complexity, and what does it mean for Salesforce? This webinar is the first of a series. We want to cover some of the topics organizations are wrestling with today. Data governance has been a 25-plus-year challenge in data and analytics. It's a complex and important topic that organizations often struggle with. Over the last decade things have shifted dynamically — it's no longer just a cost, it's almost unaffordable if you don't attend to data governance.

Let's look at the numbers. It started with GDPR, roughly around $1.65 billion in fines. We started in the US with CCPA and CPRA, and as we speak, additional states are lined up to join privacy laws. Gartner has a data point that by 2025, 80% of customer data will be governed or highly regulated by data privacy laws, which brings super complications in terms of how we manage and govern data.

Digital transformation has caused an explosion of data. We as customers and end users don't have the trust we used to have. We're paranoid about whether vendors are misusing our data, and that trust being broken impacts brand loyalty. Data breaches have averaged over $4 million, and that is significant. Data governance is not an option anymore — it's a key enabler for your business. It's not just the fines and security breaches. Think about customer loyalty, which drives the whole growth and bottom line.

Now let's look at how we've progressed from legacy data governance. Legacy governance was about cataloging data assets, having data lineage, data quality, and integration. Even that is still a challenge in most organizations. We had some level of regulatory compliance, which was very local — HIPAA for healthcare, PCI for card payments. But with GDPR and the data privacy and security landscape, we started to see emerging trends in data privacy and data security. Seven or ten years back, we didn't have data subject requests or data processing and residency concerns. Notices and consent management were not that important. Privacy by design was barely discussed. Now we see incident response, privacy risk assessment, and a complete explosion of requirements. It progressed from knowing about your data assets to an explosion of emerging areas driven by digital transformation and new technologies. The challenge is that not one executive can take ownership of all three aspects — privacy, security, and governance — and that is the key challenge of who owns what.

Data governance in Salesforce has evolved from the legacy Salesforce world where you wouldn't have more than 10-15 objects, up to today where we pretty much store everything in Salesforce as a CRM platform. Salesforce itself complies with GDPR, HIPAA for financial services, and other compliance requirements. But customers are now starting to store very sensitive information in Salesforce — from basic customer information to sensitive PHI and financial records. The information stored in Salesforce was primarily accessed by internal users, but now it's connected to external users through communities, portals, and third-party integrations. This significantly expands the attack surface.

What forward-looking Salesforce customers are doing: they're starting with a field-level audit to understand what data they hold, then enforcing retention policies, and then building automation for data subject rights requests. The key is getting started without boiling the ocean and without spending millions of dollars.

For getting started on governance maturity: how do you check what you have? How do you begin? In the legacy world, you might have had 10-15 objects in Salesforce. Today, we store everything — contracts, health records, financial data — and it's all interconnected with other systems. The key questions are: Do you know what personal data you have? Do you have a retention schedule? Can you respond to a deletion request? Can you demonstrate to an auditor that you've handled data correctly? The practical steps are to start with a data audit, establish retention policies, automate DSARs, and improve your sandbox data hygiene so that non-production environments aren't a compliance liability.