At Salesforce, we see the GDPR as a tremendous opportunity for marketers to deliver greater value, and a deeper, more trusted relationship with customers. To navigate the GDPR and to continue to blaze a trail in marketing, you need to balance customer-centricity, governance, and compliance, and Marketing Cloud can help you do just that.

The Right to Be Forgotten is managed primarily through Marketing Cloud’s contact delete framework. Marketing Cloud developed a robust data deletion framework that currently has the capability to delete individuals' personal data following a data subject request. Contact deletion can be initiated for many Marketing Cloud products either through the Contact Builder User Interface, or through the contact delete framework API. More information on the Marketing Cloud approach to the deletion of individual data across all products and channels is in the Learn More link below.

Salesforce DMP, a product offering within Marketing Cloud, also provides functionality supporting customers’ Right to Be Forgotten. Salesforce DMP customers can request data deletion in multiple ways, including via API and the Salesforce DMP user interface. After the termination of services, account data is automatically deleted.

Marketing Cloud has functionality to support exporting and extracting data, as well as the option to port data in different ways, depending on your customer's needs. Data extension and individual contact data can be exported with current functionality using the user interface or API. Additionally, a contact data portability report is available that can be used to extract data about a contact and save it in various file formats. Our GDPR help documentation, linked below, outlines the use of these features to enable you to extract the data as needed.

Salesforce DMP supports several methods for receiving portability requests, whereby the portability files are delivered to the customer on behalf of the requesting individual in a machine-readable format using the existing data-feed transfer process. This can be managed using API or directly within the User Interface.

Marketers can manage consent across all channels and ensure transparency. Each product within Marketing Cloud has functionality behind the scenes that may require consent. We advise you to work with your company’s legal counsel on drafting consents and listing types of information that require consent in the Privacy Notices as well. In our help documentation below, we list by product the functionality within Marketing Cloud that may require consent to help you when speaking to your legal counsel.

Salesforce DMP provides multiple methods for you to manage and record the consent obtained from your customer. Based on consent signals that you provide, DMP functionality only operates against a consented set of users. This can be managed using API or directly within the user interface.

Contact restriction is available for Marketing Cloud products through an API. The Learn More link provides further information on the Marketing Cloud approach to restriction of processing across all products and channels. Using Marketing Cloud's restriction of processing functionality, unsubscribes continue to be collected while a contact is restricted.

Salesforce DMP admins have the ability to stop processing data for a given user, meaning that data will not be used in any analytical jobs that run in the product until the restriction is lifted. This can be managed using API or directly within the user interface.

Salesforce offers customers a robust data processing addendum containing strong privacy commitments that few software companies can match. This addendum contains data transfer frameworks ensuring that our customers can lawfully transfer personal data to Salesforce outside of the European Economic Area by relying on either Binding Corporate Rules, our Privacy Shield certification, or the Standard Contractual Clauses (depending on the service in question). This addendum also contains specific provisions to assist customers in their compliance with the GDPR.

Marketing Cloud provides our customers with a secure solution in accordance with our Trust and Compliance documentation.

We are committed to our customers’ success, including compliance with the GDPR.

- Raise awareness of the importance of GDPR compliance with organization leaders
- Obtain executive support for necessary staff resources and financial investments
- Choose someone to lead the effort in becoming GDPR-compliant
- Build a steering committee of key functional leaders
- Identify privacy champions throughout the organization
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organization stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organization’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessment process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intracompany data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments