The Right to Be Forgotten is managed primarily through Marketing Cloud’s contact delete framework. Marketing Cloud developed a robust data deletion framework that currently has the capability to delete individual's personal data following a data subject request, and will continue to improve functionality as more features are released. In May 2018, Marketing Cloud will address contact deletion across all channels and audiences.
While part of Marketing Cloud, we will call out some specifics to Salesforce DMP due to the nature of the product. Salesforce DMP enables customers to carry out a complete deletion of entire data records as well as a selective deletion of only certain datasets or data fields. After termination of services, it must be possible for a customer's records to be automatically deleted.
The DMP will enable customers to export all data that exists in their DMP account. The data feed delivered to the customer comes in a machine-readable format using the existing data-feed transfer process. This can be managed using API or directly within the UI.
The Salesforce DMP provides multiple methods for you to manage and record the consent obtained from your consumer. Based on consent signals that you provide, DMP functionality only operates against a consented set of users. This can be managed using API or directly within the UI.
Salesforce DMP admins have the ability to stop processing data for a given user, meaning that data will not be used in any analytical jobs that run in the product until the restriction is lifted. This can be managed using API or directly within the UI.
“We are committed to our customers’ success, including compliance with the GDPR.”
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort in becoming GDPR-compliant
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organisation
- Identify all the systems where the organisation stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Implement controls to limit the organisation’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessments process
- Administer employee and vendor privacy and security awareness training
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments