Aug. 10, 2018 | InBrief

Salesforce Shield: Your new best friend for GDPR compliance

Take a peek under the hood of Salesforce’s newest offering, Salesforce Shield, which makes defining, executing, and monitoring your organization’s strategy to become GDPR compliant a breeze. By now you have heard that GDPR, the EU regulation on data protection and privacy, officially went into effect in May. While Shield is an incredibly helpful tool for GDPR compliance, its benefits go beyond that: it can be of great value to any company for monitoring security as well as examining your Salesforce org’s feature and enhancement adoption. Without further ado, read on to hear how Salesforce Shield works, and how each of Shield’s three core offerings pertains to specific sections of GDPR.

Platform Encryption

Shield’s platform encryption is aimed at those who need advanced functionality beyond the already strong encryption the standard Salesforce platform provides. Government entities and companies that deal with PII and PHI will be able to rest easy using encryption at rest through Shield. While GDPR doesn’t specifically outline encryption requirements, many US regulations require various levels of encryption, which can be satisfied using Shield. The major benefit of using platform encryption via Shield is the ease of set-up and the level of control your organization will have. With just a few clicks (seriously, it’s only a few clicks) in Salesforce, encryption at rest can be configured selectively for chosen fields, files, and attachments without affecting any existing functionality. Additionally, Salesforce has built-in native key management, which gives you full control (should you choose) over who is allowed to manage keys as well as rotate and destroy them, solely through UI interaction. Article 34 of GDPR (“Communication of a personal data breach to the data subject”) specifies what must happen in the event of a data breach. Companies may not be required to notify their data subjects if appropriate protection measures have been implemented, such as encryption that makes the personal data unintelligible.

Event Monitoring

Event monitoring is a powerful set of tools that not only assist your organization in moving towards GDPR compliance, but also unlock business benefits by monitoring system performance as well as feature usage and adoption. The GDPR side of event monitoring is that through the Salesforce UI, your organization can effortlessly monitor access to sensitive data. Shield also helps you go beyond this by offering some native functionality, as well as other third-party tools, that allow you to slice and dice event log files and visualize important metrics. Imagine having a dashboard that can show you recent large data exports by IP Address. Try again, disgruntled employee! Event monitoring goes even further by offering a real-time intervention that can prevent malicious behavior from happening in your Salesforce org. The final benefit of event monitoring is that you are able to easily see how well new features are being used and even dig deeper into that data and slice by user, which is invaluable for gauging feature usage and prioritizing future feature development and enhancements. Article 32 of GDPR (“Security of processing”) specifies requirements for tracking data history and data interactions. In particular, Article 32(2) states that, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” This presents a perfect use case for event monitoring which is an easy tool to monitor (and even prevent) any unwanted and potentially unauthorized data capture by persons in your organization.
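The "large exports by IP address" dashboard described above boils down to a simple check over event log rows. As an added example (not code from the original post or from Salesforce), here is that check in Python over a constructed CSV in the shape of an EventLogFile export; the column names, user IDs, IPs and thresholds are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of a Salesforce EventLogFile CSV for the
# ReportExport event type. Column names, IDs and IPs are assumptions made for
# this example, not a real log export.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID_DERIVED,CLIENT_IP,URI,ROW_COUNT
ReportExport,2018-08-10T09:00:12Z,005x00000012345,203.0.113.10,/00O1/e?export=1,250
ReportExport,2018-08-10T09:03:40Z,005x00000012345,203.0.113.10,/00O2/e?export=1,40000
ReportExport,2018-08-10T09:05:01Z,005x00000012345,203.0.113.10,/00O3/e?export=1,38000
ReportExport,2018-08-10T11:30:55Z,005x00000067890,198.51.100.7,/00O4/e?export=1,120
ReportExport,2018-08-10T17:45:00Z,005x00000012345,203.0.113.10,/00O5/e?export=1,500
"""
def parse_events(text):
    """Parse ReportExport rows into dicts with a typed timestamp, sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["EVENT_TYPE"] != "ReportExport":
            continue
        rows.append({
            "ts": datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["USER_ID_DERIVED"],
            "ip": rec["CLIENT_IP"],
            "rows": int(rec["ROW_COUNT"]),
        })
    return sorted(rows, key=lambda r: r["ts"])

def large_exports_by_ip(events, window=timedelta(hours=1), threshold=50000):
    """Flag IPs whose exported rows within any `window` reach `threshold` (one alert per crossing)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start, total = 0, 0  # sliding window over this IP's exports, oldest first
        for e in evs:
            total += e["rows"]
            while e["ts"] - evs[start]["ts"] > window:  # drop exports older than the window
                total -= evs[start]["rows"]
                start += 1
            if total >= threshold:  # several small exports in a row count as much as one big one
                alerts.append({"ip": ip, "user": e["user"], "until": e["ts"], "rows": total})
    return alerts

if __name__ == "__main__":
    for a in large_exports_by_ip(parse_events(SAMPLE_LOG)):
        print(f"{a['ip']} ({a['user']}) exported {a['rows']} rows by {a['until']:%H:%M}")
```

In the sample, two mid-sized exports from the same address a few minutes apart trip the threshold that neither would on its own; the lone export hours later does not.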

Field Audit Trail

Field Audit Trail is a serious upgrade to existing functionality that allows you to track history on more fields and unlock operational insights. Right off the bat, Shield’s Field Audit Trail increases scale, tracking up to 60 fields per object for up to 10 years. For any organization with serious concerns about GDPR compliance, or even PII/PHI, Shield is a serious step up and, as is the Salesforce way, it’s configured easily through the UI. What truly sets Shield apart here is the scale at which you can access this massive trove of data. 120-second query performance allows you to simply and quickly respond to auditors or check adherence to internal policies. As with other Salesforce offerings and their future plans, analysis and visualization are at the forefront, and Field Audit Trail is no exception. Salesforce native reports and dashboards can be configured to glean insights from this data, and plenty of third-party vendors exist in this space as well to turbo boost the value of Field Audit Trail.

One important tenet of GDPR is that “personal data shall be: adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed” (Article 5(1)(c)). Field Audit Trail presents a simple way for an organization to ensure compliance with this regulation as well as to demonstrate that compliance as outlined in Article 5(2). If you are still thinking about how best to comply with GDPR, it's worth taking a look at how Shield can help.

If you're interested in learning more, we would love to hear from you.