Updated: Nov 10, 2020
Why should you read this?
Because you are curious whether Salesforce can be your consent management platform for GDPR and CCPA compliance, how it can be architected and designed for that use, and what features Salesforce offers to make it easier. Read on...
Based on Managing Consent - What, Why, and Use Cases for Salesforce, let's assume we consider Salesforce as a possible candidate for Consent Management. This raises two fundamental questions. Let's start with the first one...
What are the ideal requirements for a Consent Management solution? And how can we achieve them with Salesforce, if at all?
What does a Consent solution do? Manage Consent, of course!
A constrained view of Data Privacy can get us a solution that checks all the boxes but does not really serve us well. This is very true for Consent Management. Here are some high-level considerations...
Improve Customer Transparency + Build Trust: Our solution should make our data processing and our communication with Customers fully transparent. We need to keep reminding ourselves of this, as it is easy to get lost in the forest of legal and compliance requirements.
Cost-effective + Digital Transformation Catalyst: A cost-effective (not Cheap) consent management solution would assist with meeting compliance requirements as well as pave the way for future innovations, business model changes, and digital transformation.
Deep Technology Integration + Future Readiness: Most digital properties - your website, portals (support, partner, customer, employee, etc.), mobile apps, internal line-of-business systems, and others - may need access to consent data, and our solution needs to make this happen easily and with a standards-based approach.
Image Credit: Cloud Compliance Consent Matrix
What does Salesforce offer for Consent Management?
In the last few years, Salesforce has offered some interesting capabilities on the Platform to ensure that its customers can use these features for their compliance needs.
Salesforce has a comprehensive data model with 17+ Data Privacy objects. A consent management solution on top of this requires careful consideration and architecture.
Image Credit: Salesforce Schema Browser from Summer 20 Pre-release Org
Objects for everyone: Salesforce has specifically designed Consent Management Objects, the best known of which are the Individual and Contact Point Type Consent objects. Customers (and partners like us) can design solutions using these.
Free Storage for all my friends: An interesting but lesser-known fact is that Salesforce does NOT count record storage for these objects as part of the Org storage. This matters because Consent records can be a multiple of the number of Contacts or Leads.
My Cousin Vinny: The Individual and Party Consent objects are designed to serve as the "Master" record. The Party Id can be used to connect other Salesforce products - notably, Customer 360 and possibly Marketing Cloud, Pardot, Commerce Cloud, etc.
Salesforce Individual and Consent Management Object
Let's do a deeper dive. The 'Individual' object represents a natural person (a.k.a. "Data Subject") and can link to one or more Contacts, Leads, Person Accounts, or Users via a lookup relationship.
Image Credit: Cloud Compliance Generated Individual / Salesforce UI
Essentially, the Salesforce data model offers a "Master Data Management" type approach, where the Individual serves as the "Golden Copy", and is related to various representations of personal information via Leads, Contacts, Person Accounts, Users, etc.
No Individual, No Salesforce Consent! Creating Individuals and matching them to Leads, Contacts, and Person Accounts needs custom Apex or Cloud Compliance's automation.
Consent can then be created and managed against this Individual record. From a data architecture perspective, the Individual is a prerequisite for Salesforce's consent functionality - no Individual, no Salesforce Consent Management functionality!
In general, the Consent Management Objects fall broadly in these categories:
Contact Point Consent objects manage a specific consent, with its opt-in/opt-out status, by Channel and Purpose, e.g. Email - Marketing, Email - Survey, SMS - Marketing, SMS - Survey, etc.
Authorization Form Consent objects store authorization-related records, such as proof of acceptance of T&C, Privacy Statements, etc.
Subscription Communication Preference objects cover functionality such as preferred time and communication channel, etc.
Image Credit: Salesforce's Consent Management ERD
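The Individual-as-golden-copy model described above, worked through as an added Apex example (not code from the post or from Cloud Compliance): it links a Contact to its Individual, records a channel-and-purpose decision as a Contact Point Type Consent, and answers whether a channel may currently be used. The ConsentRecorder class and its method names are hypothetical; it assumes a DataUsePurpose record already exists and uses only standard fields of the Individual, Contact and ContactPointTypeConsent objects.

```apex
// Added example (not from the post or Cloud Compliance); assumes a DataUsePurpose record exists.
public with sharing class ConsentRecorder {

    // Return the "golden copy" Individual for a Contact, creating and linking one on first use.
    public static Individual ensureIndividual(Contact c) {
        if (c.IndividualId != null) {
            return [SELECT Id, LastName FROM Individual WHERE Id = :c.IndividualId];
        }
        Individual ind = new Individual(FirstName = c.FirstName, LastName = c.LastName);
        insert ind;
        c.IndividualId = ind.Id;   // lookup from the Contact to its Individual
        update c;
        return ind;
    }

    // Record one opt-in/opt-out for a channel (ContactPointType picklist, e.g. 'Email') and
    // purpose. Earlier open rows are closed via EffectiveTo, not deleted, so the history of
    // what the data subject agreed to, and when, survives as evidence.
    public static ContactPointTypeConsent recordConsent(Individual ind, String channel,
            Id purposeId, Boolean optedIn, String source) {
        Datetime now = Datetime.now();
        List<ContactPointTypeConsent> open = [
            SELECT Id FROM ContactPointTypeConsent
            WHERE PartyId = :ind.Id AND ContactPointType = :channel
              AND DataUsePurposeId = :purposeId AND EffectiveTo = null];
        for (ContactPointTypeConsent prior : open) {
            prior.EffectiveTo = now;
        }
        update open;
        ContactPointTypeConsent decision = new ContactPointTypeConsent(
            Name = ind.LastName + ' - ' + channel + ' - ' + (optedIn ? 'OptIn' : 'OptOut'),
            PartyId = ind.Id,
            ContactPointType = channel,
            DataUsePurposeId = purposeId,
            PrivacyConsentStatus = optedIn ? 'OptIn' : 'OptOut',
            EffectiveFrom = now,
            CaptureDate = now,
            CaptureSource = source);   // e.g. 'Preference Center' (constructed label)
        insert decision;
        return decision;
    }

    // "May we use this channel for this purpose right now?" No open OptIn row means no.
    public static Boolean isOptedIn(Id individualId, String channel, Id purposeId) {
        return [SELECT COUNT() FROM ContactPointTypeConsent
                WHERE PartyId = :individualId AND ContactPointType = :channel
                  AND DataUsePurposeId = :purposeId AND EffectiveTo = null
                  AND PrivacyConsentStatus = 'OptIn'] > 0;
    }
}
```

Because the class runs with sharing and never deletes consent rows, a marketing integration that calls isOptedIn gets the current answer while the full opt-in/opt-out trail remains available for audit.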
How can you manage Consent in Salesforce - Build vs. Buy?
Now that we know about Salesforce's comprehensive data model for Consent Management, how can we leverage this capability for GDPR/CCPA compliance?
We will compare two options here...building it yourself or going with an AppExchange package such as Cloud Compliance GDPR/CCPA Data Privacy Suite.
Option 1: Do It Yourself / Homebrew!
We will need to map business requirements and data privacy processes, understand and analyze the various consent management objects, design a solution, and automate Individual and consent creation.
A 'Do It Yourself' approach requires some serious architecture and technical acumen, as well as the risk appetite to figure it out. It is a non-trivial problem.
Next, we will probably have to add data process automation - workflow/process builder/flows, build some custom Lightning components to show and manage consent from other views, add self-service, and marketing integration.
Summary: Customers who have architecture talent and bandwidth can probably build some interesting solutions. However, those who do not have the time, inclination, or resources to do so are better off not even trying.
Option 2: AppExchange offerings / Cloud Compliance
Implementing with Cloud Compliance entails understanding your use cases for Consent, setting up and configuring Cloud Compliance - declaratively - in hours/days, followed by testing and validating scenarios. That is it!
Cloud Compliance reduces risk and uncertainty with its configurable consent automation. A declarative, metadata-driven approach gets it up and running in hours or days.
Why is this so quick? Because Cloud Compliance uses Salesforce's Individual and Consent Management Objects. It automates the underlying creation of Individuals, matches/associates them with Leads, Contacts, Person Accounts, etc., pre-defaults Consent, enables Self-service, and propagates Consents (Opt-in/Opt-out) to Marketing technologies.
Summary: If you factor in the cost of design, development, maintenance, and upgrades, Cloud Compliance can be a low-risk and cost-effective option when compared with DIY.
The alternative - DIY with custom Objects (aka Technical Debt)
What if we don't care about Salesforce's Consent Management and Individual objects? That is the beauty of Salesforce: we can build our own version with custom objects, along with automation for data sync using Apex, Workflows, Process Builders, Flows, etc.
Consent is managed here using custom child objects for Leads, Contacts, and other objects holding personal data. It is also not as widely applicable as the Individual/Consent-based model.
Summary: From an Enterprise Architecture perspective, this approach adds technical debt and diverges from Salesforce's guidance. In the long term, these options usually end up in an expensive re-implementation, typically when the in-house designer of the solution leaves the company.
Conclusion: Build wisely and patiently, or buy!
A successful data privacy initiative combines key stakeholders - Customer, Legal, Compliance, IT, Data Mgmt. & Enterprise Architecture, Marketing-Sales, etc. - with a forward-looking Salesforce solution.
Summary: At first glance, Consent Management with Salesforce may look simple. However, it can quickly get complicated as we dig into the GDPR/CCPA compliance requirements for the full consent lifecycle (renewal, expiration, self-service, etc.), as well as support for Anonymization, Data Inventory, etc.