GDPR – Salesforce Compliance & Best Practices

With text messaging being one of the most effective low-cost communication channels, you can use it to massively improve your business-customer communications. With around 2.44 billion people on WhatsApp daily, you should take advantage of everything your business environment provides. Already 5 million businesses are using WhatsApp Business. Therefore, it is time for you to join them and take a global approach to your digital marketing and communications. Additionally, statistics show that over 85% of global customers in 2022 prefer to receive a text message over a phone call or email.

In this article, we’ll explain what is GDPR, how to comply with the GDPR in Salesforce, why it is important, and provide best practices and tips. Our aim is to help organizations generate and convert more leads via texting, as well as to improve their customer service and reduce costs.

What is GDPR, and Why Does it Matter?

The GDPR is the strongest privacy and security law in the world. Despite that the GDPR was passed by the EU, it imposes obligations on organizations all over the world, as long as they collect data or target people in the EU. As a result of this fines will apply to those who violate the GDPR’s privacy and security standards. The penalties can reach tens of millions of euros.

Most importantly, the GDPR helps Europe to signal its firm stance on data privacy and security in a time that more people and businesses enter and intrust cloud services, where breaches are a daily occurrence. 

Texting in the US & Canada:

• U.S. Laws for SMS Opt-in and Opt-out
• Canada’s texting rules and regulations (CASL)

GDPR Data Privacy

Your organization is obligated to facilitate the rights explained below.

Transparency and communication

You have to describe how you are processing your customer’s data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. Also, you must create an easy way for people to send a request to you and have a quick and adequate response to those requests. ValueText’s powerful ChatBots and Automations can help you achieve this In Salesforce.

Collecting personal data

Most commonly you will collect personal data directly from the user. However, if you don’t collect the information directly from them, you still need to provide them with similar information. Check these articles 1, and 2 for the exact information that you have to provide your users. Again this is something easily achievable with the help of ValueText’s features.

Right of access

Your users have the right to know specific information regarding the processing activities of the data collector. This includes the sources of their data, the length of time the data will be held, and the purpose of processing, among other items. The most important thing is that you have to provide them with the information that you have collected if they request it.

Accuracy

People have the right to correct inaccurate or incomplete personal data that you are processing.

The right to be forgotten

Data subjects are entitled to the right to request that you delete any information that the organization has collected. There are five situations in which you don’t have to delete their information, including when processing their information is essential for you to exercise your right to freedom of expression. You have to provide a simple way for your users to file a right-to-be-forgotten request. A template can be found here.

Right to restrict processing

The data subject can ask you to temporarily change the way you process their data, (for example removing it from your website) if they consider the information is inaccurate, being used illegally, or is no longer needed by your organization. Your customers have the right to simply object to your processing of their data. 

Data portability

You have to store your customers’ data in an easily sharable format and easily understood. Also, if they ask you to send their data to a third party, you are obligated to even if they are your competitors.

Right to object

Users can object to you processing their data. You can only override them by presenting the legitimate basis for using their data.

How to gain Consent “Opt-in” in compliance with the GDPR in Salesforce?

You can include your consent wherever you collect your information. Therefore, you would normally create a TCPA complaint form, email, or paper, and you can set up a keyword for your audience to text your organization over WhatsApp or SMS. However, your organization must disclose a few pieces of information for a consent form to be validated:

• The privacy policy details
• How to opt-out (unsubscribe)
• The number of messages a customer should expect
• How to get help

SMS Opt-in with GDPR in Salesforce

There are numerous ways to obtain consent. For example, customers of ValueText often prefer to use a form that could include a checkbox reading “Subscribe to receive text messages from [name of the organization]” with a hyperlink to all necessary disclosures. Also, many clients use the keyword query form “START” to conduct a consent. So, you can create a call to action on any digital and traditional channels inviting people to send a text message (keyword) to your organization’s address.

For instance, “Text [insert word] to [insert number] for more information about [insert product name]”. 

We also recommend you set up a double-opt-in by responding with “We would like to send you helpful information each month regarding “Y”. Is this okay with you? Please, respond with YES or NO”. 

How to Opt-out GDPR in Salesforce?

If the person doesn’t respond to your opt-in and double-opt-in request, consider that an opt-out. It is important to make the opt-out process easy. Firstly, your customers should be able to opt-out by texting you “STOP”, “UNSUBSCRIBE”, “OPT-OUT”, or “CANCEL”. 

Therefore, to make it easier, ValueText provides opt-out backup automation in Salesforce. Firstly, this automation includes a checkbox that can be found on any Record. Secondly, it effectively blocks any text messages in Salesforce from being sent to that specific Contact. 

We have written a separate guide on the topic which you can access here.

WhatsApp Business Opt-in with GDPR in Salesforce

What about if your company also uses other messaging channels like WhatsApp? Well, WhatsApp allows us to initiate text conversations only by sending messages using a pre-approved template.

When your customer replies, this is considered an opt-in, and the session will be active for the next 24 hours. The 24-hour session will be activated and you won’t have to gain consent when the customer sends you a text first.

Despite, the complexity of this matter we have written a separate guide on the topic which you can access here.

Key Take Aways

Despite the best time to implement a texting communication channel in your org was when you launched your business, you still have the chance to do it today. We would love to give you a hand any way we can, just reach out to us at support@valuetext.io

GDPR in Salesforce Compliance Checklist

Data security

• Take data protection into account at all times, from the moment you start developing a product to each time you are processing data
• Encrypt, or make data anonymous whenever possible
• Create an internal security policy for your team members, and build data protection awareness
• Have a process in place to conduct a data protection impact assessment

Accountability and governance

• Put someone in charge to ensure GDPR compliance across your whole organization
• Sign a data processing agreement between your organization and any third-party companies that process personal data on your behalf
• If your organization is located outside of the EU, appoint a person to represent you in of the EU’s countries
• If necessary appoint a Data Protection Officer

Privacy Rights

• Make it easy for your customers to request and receive all the information you have regarding them
• Your customers must be able to correct or update incomplete or inaccurate information
• Customers must be able to easily request their data to be deleted
• Customers must be able to easily receive a copy of their personal data in a format that can be transferred to another company
• Your customers must be able to object to you processing their data
• If you make decisions about people based on automated processes, you must have a procedure to protect their rights as well.

GDPR compliance Checklist for US companies

• You must conduct an information audit for EU personal data
• Your customers must know why you’re processing their data
• You must assess your data processing activities and improve the level of protection
• Make sure you have a data processing agreement with your vendors
• If necessary appoint a Data Protection Officer
• Assing a representative in the European Union
• Educate yourself on what to do if there is a data breach
• If applicable comply with cross-border transfer laws

Conclusion 

Despite that, organizations have to follow complex rules and regulations set by CASL, Canadian citizens on the other hand have a much safer and stress-free environment to live in. Also, CASL provides an amazing opportunity for businesses to get creative and build trust, which can impact significantly the ROI.

In conclusion, we understand that navigating through Salesforce and complying with all the laws and regulations might be stressful sometimes. Therefore, at ValueText we would love to give you a hand in your endeavors. You can contact us at support@valutext.io or on our website here.