Updated: Nov 10
Why should you read this?
Data Privacy laws such as GDPR and CCPA bring in a new set of requirements around Consent for processing of Personal Data. If your company actively processes private data of EU residents or California residents, especially in Salesforce...Read on.
Related Article...Managing Consent - Should you do it on Salesforce...and How?
What is Consent Management
Consent is basically getting permission from a person(data subject) in an "informed, unambiguous, and specific" manner. GDPR has specific guidelines for having people "opt-in" to whatever it is that you are doing with their data.
"Consent is one of the easiest to satisfy because it allows you to do just about anything with the data — provided you clearly explain what you’re going to do and obtain explicit permission from the data subject." Ref. https://bit.ly/2T9LzvL
However, consent is only one of the 6 lawful basis for data processing under GDPR's Article 6. That means we may not have to get consent if the data processing has some other lawful basis.
The interpretation of what is acceptable is dependent on your business. Typically, it takes into consideration the following aspects:
Residency status of the Data Subjects: Remember that Data Privacy laws have a cross border enforcement. i.e. It does NOT depend on where your business is based, as much as it does on whose Personal Data your organization is actively processing.
Legal and DPO's perspective: Compliance efforts are an exercise in risk management and have to find a pragmatic balance between investing in robust Data Privacy Management and managing risks.
Customer Trust: Forward-thinking companies understand that Personal Data Privacy is about doing what is right for their customers, and other stakeholders. It makes good business sense to do this and can bring immense dividends in terms of customer loyalty and trust.
Personal Data Privacy projects are customer trust initiatives because customers care more about how their information is handled than how much corporate tax the company paid last quarter.
Image Credit: http://fav.me/ddpboe1
When to build Consent Management on Salesforce?
A couple of reasons:
Your Salesforce Org is chock-full of personal information and for processing that Personal Data, consent is required.
Salesforce + Marketing Technology integration for outbound communication via emails, SMS, Social Media, etc., requires consent.
An ideal Enterprise Architecture "Hub and Spoke" model can leverage all the Salesforce investments to serve as the Consent Management Platform.
Salesforce for Consent benefits from a modern Cloud architecture, Automation, APIs and Marketing integration. However, like everything else, it depends!
Image Credit: http://fav.me/d9s39eu
When NOT to build Consent Management on Salesforce?
A separate full-blown Consent Management Platform (CMPs) exists - common in Mega customers with a large number of disparate systems.
A separate Master Data Management initiative is in place, and a Consent solution will be extended/integrated off it.
Small Salesforce footprint that is not strategic to the overall landscape, and possibly no direct Marketing Technology (Mar-tech) integration.
Technology choice for Consent Management needs to consider how the compliance will work for the full consent lifecycle (renewal, expiration, self-service, etc.)
Additionally, it also has to consider how it will integrate with other enterprise apps, as well as other Data Privacy related requirements such as Anonymization, Data Inventory, etc.
Consent Management is an important part of building Customer trust (and staying compliant). Salesforce can be an excellent choice for certain scenarios.
Discuss your specific GDPR/CCPA use cases with the author of this article. https://calendly.com/plumcloudlabs/
A detailed analysis should be conducted before a choice is made, and a holistic perspective is essential to determine where Consent is mastered in the Enterprise.
Read more about Cloud Compliance
Related Read...Managing Consent - Should you do it on Salesforce...and How?