Build trust and transparency around your data with Community Cloud.

Community Cloud allows you to easily build intelligent and branded communities and portals for customers, partners, and employees. It is built on the Salesforce Platform which connects your customer touchpoints across disparate systems, apps, and departments — giving you a single view of your customer. Built into the platform is a rich set of controls that helps you manage the lifecycle of customer data and track the preferences and consent of end users. The foundation of the Salesforce Platform is made on built-in security and trust.

Community Cloud Accelerates GDPR Readiness


Right to Be Forgotten

You may need to delete customer data to comply with data protection and privacy regulations. The Salesforce Platform offers a rich set of features to help you meet your obligations under the GDPR. Deletions of Salesforce instances (orgs) are synced regularly.

Data Portability

You can use Community Cloud to help you honor your customers’ requests to export their data. Data can be extracted via both UI-driven as well as API-driven methods, including reports and report/dashboard APIs, data loader, Apex, SOAP and REST APIs, and third-party ETL tools. Export formats include CSV, JSON, and XML.
Salesforce helps you comply with data protection regulations by providing out-of-the-box support for indicating do-not-call, email opt-out, and fax opt-out preferences, as well as Custom Objects and Fields that provide richer consent regimes. Community Cloud allows you to share data with your customers directly and provides a platform for them to indicate their consent at their discretion.

Restriction of Processing

On the Salesforce Platform, records can be identified, exported, and deleted upon receiving a verified request to restrict processing. If the restriction is lifted at a later date, the records can be re-imported.


Salesforce offers customers a robust data processing addendum containing strong privacy commitments that few software companies can match. This addendum contains data transfer frameworks ensuring that our customers can lawfully transfer personal data to Salesforce outside of the European Economic Area by relying depending on the service on Binding Corporate Rules, our Privacy Shield certification, or the Standard Contractual Clauses. This addendum also contains specific provisions to assist customers in their compliance with the GDPR.


Salesforce has security built into every layer of the platform. The infrastructure layer comes with replication, backup, and disaster recovery planning. Network services has encryption in transit and advanced threat detection. Our application services implement identity, authentication, and user permissions. We also offer an additional layer of trust with Salesforce Shield, including Platform Encryption, Event Monitoring, and Field Audit Trail.

We are committed to our customers’ success, including compliance with the GDPR.”


What should customers do?

- Raise awareness of the importance of GDPR compliance with organisation leaders
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort in becoming GDPR-compliant
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organisation
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organisation stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organisation’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessments process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments

GDPR Resources