Is Salesforce Essentials CRM GDPR Compliant?

Compliant Tools
November 18, 2021

Is Salesforce Essentials GDPR Compliant?

The General Data Protection Regulation or GDPR is a comprehensive data protection law that regulates the use of personal data belonging to EU (European Union) residents. It also provides individuals the right to control their data. 

It’s important to note that the GDPR doesn’t just apply to European-based companies. The regulation covers any organization around the world that offers services or products to or targets EU residents. 

To be GDPR compliant, companies must be transparent and accountable for how they use personal data and be able to demonstrate these privacy and security measures to individuals and regulators. 

Salesforce is one company that provides services around the globe, which may make you wonder – is Salesforce GDPR compliant? 

Keep reading to find out. 

What Is Salesforce Essentials CRM?

Salesforce is a powerful CRM (customer relationship management) solution designed for small businesses. 

In 2017, the software-as-a-service giant launched Salesforce Essentials, a product specifically designed for smaller businesses. It supports up to 10 users, and the price fits more startup budgets. 

You pay much less for Salesforce Essentials CRM than for other platforms, yet you can still access the tracking, dashboard, support and reporting services offered to “big businesses.”

Is Salesforce Essentials CRM GDPR Compliant?

Most of the data fields used in Salesforce Essentials CRM are subject to GDPR. The exception to this is business information that isn’t tied to an individual. 

Because of this, any lead or customer record held in the database must be deletable and extractable. To make this work with your marketing and sales departments, make clear to them that any information entered into the Salesforce platform, whether automatically or manually, must be extractable in response to a data subject access request.

Salesforce provides options for deleting data through the administrator UI. Also, to track data requests effectively, all teams using the platform must work with the compliance or legal teams. 

Ensure GDPR Compliance with Salesforce CRM Additions 

To ensure the Salesforce platform meets GDPR compliance requirements, you may need to use some additional tools and features. Some of the top options to use are listed here. 

Salesforce Individual Object 

The Individual object in the Salesforce CRM is a good first step toward meeting GDPR requirements. Individual records in Salesforce are any records related to a person (e.g., person account, contact, lead). The object is designed to hold a person’s personal data details and their processing preferences. 

Several fields come out of the box for this object, including:

  • Okay to store PII data elsewhere
  • Don’t profile
  • Block geolocation tracking
  • Don’t track

While the Individual object offers a good starting point, some organizations may find its functionality insufficient for their needs. With multiple teams across a company working to keep your organization GDPR compliant, it’s essential that customer data processing is user-friendly, clear, and well controlled. 

Lawful Basis 

If you want to process personal data, under the GDPR you must have a “Lawful Basis” to do so. There are six predefined categories, and you need to choose the Lawful Basis that best fits your relationship with the person and what you plan to do with their personal data. 

The six categories include:

  • Public task
  • Consent
  • Legitimate interests
  • Contract
  • Vital interests
  • Legal obligation

In most cases, “consent” will be the Lawful Basis that marketers rely on. 

Ensuring Your CRM is GDPR Proof 

You must disclose your Lawful Basis in your Privacy Policy. You must also keep a record of the Lawful Basis that can be produced on demand and that confirms you have the right to process the personal data in each record stored in your CRM. 

Things don’t stop there. An additional level of complexity arises because some Lawful Bases carry their own requirements: “consent,” for example, decays as time passes, and “legitimate interests” requires more supporting detail. 

Data constantly changes, which means someone must monitor the state of recorded data on an ongoing basis. 

Processing Reasons 

This refers to how your organization uses data. You may think of it in terms of business functions, such as customer service, analysis, executing a contract, or marketing. It’s essential to consider the whole of your business when determining these reasons. 

Processing Reasons apply to specific services, products, or product groups. 

It’s no longer possible to count all the different marketing channels on two hands. As product suites become more and more sophisticated, multi-channel marketing is now the norm. 

Some examples include direct mail, SMS, email, and phone. However, it’s important to think beyond just marketing – what channels are customer service, sales, and your other departments using for communication? Chances are, this list will continue to grow. 

Privacy Details Search

It’s important for data processing to be user-friendly as your teams work to ensure compliance. Marketing and sales teams must be able to identify which records may lawfully be included in a campaign. 

This may be time-consuming and tricky when considering all the GDPR obligations. Searching for the relevant individuals in your database based on their privacy details is essential. 

Smart organizations use this insight to improve their communication. 

Deleted Records 

The regulation sets out multiple “individual rights” that give people more control over seeing and amending their own personal data, including the “right to erasure.” You must be ready to act on such requests.

This means that if someone requests that you delete their data and the request is warranted, the deletion should happen quickly. Along with that, you must be able to provide proof of the deletion. Maintaining a log of deleted records benefits the contact and lets you cross-reference information down the road. 

Ensuring GDPR Compliance with Salesforce Essentials CRM

If you use Salesforce Essentials CRM and want to ensure the information you collect is handled in a GDPR-compliant way, the information above should help. It provides an overview of what you need to do and how to maintain ongoing compliance. Understanding what to do is paramount to avoiding issues, penalties, and more.
