A Guide to DesigningApplications on theSalesforce LightningPlatform in the Age ofthe GDPR

Legal DisclaimerThis white paper contains a broad overview of the General Data ProtectionRegulation (GDPR) and some of the requirements to consider when designingapplications. It is not intended to be legal advice. We urge individuals to consult withtheir legal counsel to familiarize themself with the GDPR requirements that governtheir specific situation.AbstractApplications are the lifeblood of modern business, and the ability to innovate andcustomize applications can provide critical competitiveness and differentiation forcompanies of all sizes and across segments. As these applications expand to handlemore critical and sensitive information, and as this information is exploited bycompanies in ways not explicitly approved of by individuals, the applications exposeindividuals to both risk and abuse. To address this challenge, governments havestepped in with regulations to help reduce that risk and abuse and provide sanctions,including potential penalties for the improper management of that data. In thiswhite paper, we will explore the implications of one new regulatory framework,the GDPR, on application development, and how organizations can leverage theSalesforce Lightning Platform to develop applications that accelerate their readinessfor this new regulation.

What is the GDPR?The GDPR is a new comprehensive data protection law (in effect May 25, 2018) inthe EU that strengthens the protection of personal data in light of rapid technologicaldevelopments, increased globalization, and more complex international flows of personaldata. It updates and replaces the patchwork of national data protection laws currentlyin place with a single set of rules, directly enforceable in each EU member state. Anyorganization that processes personal data of EU individuals is within the scope of the law,regardless of whether the organization has a physical presence in the EU.What are the key principlesof the GDPR?The GDPR is framed in the context of thefollowing roles: Controller: organization that determines the purposes and means of theprocessing of personal data of EU individuals Processors: organizations that process personal data on behalf of the Controller(for example, cloud service providers) Data Subject: an identified or identifiable natural personThe GDPR changes EU data protection laws in manysignificant ways:Definition of “personal data”: The GDPR expands the existing concept of personaldata, making it clear that location data and online identifiers, such as IP addresses, areconsidered personal data. The GDPR also expands the concept of sensitive personal datato include genetic and biometric data.New and expanded rights for EU individuals around deletion of data, restriction ofprocessing, and portability of personal data. eletion of data: With the “right to be forgotten,” Data Subjects may require that theDController erase personal data about them. This right may also be used as a means torequire internet service providers to delete out-of-date publicly available information, inparticular that information which appears in search results.

Restriction of processing: Under the GDPR, Data Subjects have the right to restrictthe Controller’s processing of their personal data, which means that the organizationis allowed to continue to store the data, but cannot process it any further.Portability of personal data: Data Subjects also now have the right, in certaincircumstances, to receive the personal data that they have provided to a Controllerin a structured, commonly used and machine-readable format, for the purposes oftransferring that data to another Controller.Security measures: The GDPR requires Controllers and Processors to implementappropriate technical and organizational measures to ensure a level of securityappropriate to the risks presented.Breach notification: The GDPR requires organizations to report certain personaldata breaches to the relevant data protection authority, and in some circumstances,to the affected Data Subjects. Controllers must notify the relevant data protectionauthority “without undue delay” (and where feasible, within 72 hours of having becomeaware of it), unless the breach is not likely to present any risk to the rights and freedomsof the Data Subjects concerned. If circumstances require it, Controllers may also berequired to communicate the data breach to Data Subjects. Processors, for their part,are required to notify Controllers “without undue delay” after becoming aware of apersonal data breach.Data protection impact assessments: Where certain processing is likely to beclassified as “high risk” to Data Subjects, the Controller may be required to carry out adata protection impact assessment identifying the impact of the proposed processingoperations on the personal data.International transfers: The GDPR does not require EU personal data to stay in theEU, nor does it place any new restrictions on transfers of personal data outside the EU,as long as there are appropriate safeguards in place to protect that data. Salesforce’sdata processing addendum, which references our Binding Corporate Rules, PrivacyShield certification, and the European Commission’s model clauses, will continue tohelp our customers legalize transfers of EU personal data outside of the EU.Consent: Consent is subject to additional requirements under the GDPR. The GDPRdefines consent as “any freely given, specific, informed and unambiguous indication ofa data subject’s wishes through a statement or clear affirmative action.” The conceptof consent is used throughout the GDPR as a means to legitimize certain processingactivities from a legal perspective.Transparency: The GDPR requires that Controllers provide Data Subjects withinformation about their processing operations at the time when the personal data iscollected. This information includes the identity and contact details of the Controller,

the contact details of the data protection officer (if relevant), the purposes and thelegal bases for the processing of the personal data, the recipients of the data, and anumber of other fields to ensure that the personal data is being processed in a fair andtransparent manner. In addition, Controllers are required to provide information to DataSubjects even in circumstances where the personal data has not been obtained directlyfrom the data subject.Profiling: The GDPR introduces the concept of “profiling” or any form of automatedprocessing that uses personal data to evaluate personal aspects and in particular toanalyze or predict aspects relating to an individual’s performance at work, economicsituation, health, personal preferences, interests, reliability, behavior, location, ormovements. Data Subjects must be informed of the existence of profiling and anyconsequences of the profiling.Enforcement: Fines for noncompliance under the GDPR can be substantial. Dataprotection authorities have a number of enforcement powers under the GDPR,including the ability to fine organizations up to 20 million or 4% of annual globalturnover, whichever is higher. These are maximum fines, and it remains to be seen howregulators will use their newly acquired enforcement powers.“One-stop shop”: Under the GDPR, organizations that are established in morethan one EU member state or are processing personal data affecting Data Subjectsin more than one EU country will have greater clarity about their supervising dataprotection authority. Supervisory authority for the main European establishment of thatorganization will act as the lead authority. This authority will cooperate with the othersupervisory authorities concerned in respect of cross-border data protection issues.What is the SalesforceLightning Platform?The Lightning Platform is the world’s leading cloud platform. It powers the core apps atSalesforce and enables no-code, low-code, and programmatic options to build, secure,integrate, and manage business applications that extend CRM and power amazingcustomer, partner, and employee experiences. The Lightning Platform empowerseveryone to build the apps they need using clicks, not code, building apps fast whilegiving IT the governance and control it needs to keep those apps scalable and secure.For professional developers, the Lightning Platform offers modern tools to drivecollaboration and continuous integration and delivery. The Lightning Platform abstractsaway the complexity around building apps, taking care of things like infrastructure,database design, scale, globalization, integration, search, mobility, and more, socompanies can deliver apps in half the time of traditional and legacy platforms.

What are the benefits ofdeveloping on the SalesforceLightning Platform?Organizations use many complex sets of tools, programs, and apps to serve theircustomers, sometimes creating a myriad of systems and applications that do notinterface well together to get a complete view of the customer. Juggling many apps,logins, and disconnected experiences slows down employes and creates challenges indelivering a personalized customer experience.The Lightning Platform provides an opportunity to unify digital apps and processesaround an integrated view of customer data, empowering organizations to pursuedigital transformation that puts the customer at the heart of everything they do. TheLightning Platform allows admins and developers to use point-and-click tools and dragand-drop interfaces to create apps that connect to data, automate business processes,and are easy to customize for any role or department. Out-of-the-box Access Controlsoffer declarative options to establish granular security settings that ensure only the rightpeople can access the right data at the right times.With the SAlesforce Lightning Platform,customers can: Extend their CRM with no-code, low-code, and programmatic customizations Digitize business processes and increase collaboration, moving away fromspreadsheets, email threads, paper processes, checklists, and Post-it notes Create amazing customer experiences and innovate with the latest technology, likeartificial intelligence with Einstein and connected experiences with the IoT Deploy with confidence, leveraging Salesforce’s trust model and security architecture Go faster with prebuilt apps from AppExchange

How to leverage the SalesforceLightning Platform to address keyprinciples of the GDPRSalesforce, as a Processor, has taken necessary steps to prepare for the GDPR, andprovides information on the Salesforce website as well as in the Data Protection andPrivacy help section.Managing ConsentThe Lightning Platform has out-of-the-box settings on Contact and Lead records thatenable customers to note a request from a Contact or Lead to not call, email, and/orfax them.The Lightning Platform recently introduced an Individual Object for documentingprivacy settings across the multiple roles of an individual in your organization.Individuals can be created and managed from standard objects — like Contacts, Leads,and Person Accounts — and custom objects. Organizations can add custom logic tointegrate these consent settings into their processes. The Individual Object includes thefollowing flags out-of-the-box: Block geolocation tracking Do not process Do not profile Do not solicit Do not track Export individual’s data Forget this individual OK to store PII data elsewhereWith the Lightning Platform, customers can leverage a combination of StandardObjects and their settings, Custom Objects, and add their own business logic to buildcustom consent regimes that can be configured to meet their specific compliancerequirements. This logic may include declarative controls, such as validation andworkflow rules, custom processes and flows, or programmatic controls using APEX.These combinations of out-of-the-box capabilities, declarative customization, andextensible business logic make the Lightning Platform a powerful partner for anycompany looking to best manage consent in the age of GDPR.

Right to be ForgottenSalesforce customers, as Controllers,may delete data from their Salesforceorgs declaratively, from within the UI, orprogrammatically, using logic API tools.There is no one-size-fits-all approach, andorganizations should design their processafter seeking legal advice. Below are twosample approaches to how Right to beForgotten (RtbF) may be executed usingthe Lightning Platform.Using the approaches depicted above,when a Data Subject completes thecompany’s process to request deletion ofthe company’s data pertaining to them(Right to be Forgotten), a Salesforce usercan set a Right to be Forgotten (RtbF) flagon the Individual Object or a CustomObject to log the request and kick offthe business logic to handle deletion ofrecords.This is one sample approach thatProcessors can use to execute deletionof records when requested by the DataSubject:PRE-WORKCustomer enables Individualincluding UX for RtbF attrCustomer enables customobject/attribute for RtbFRTBF INVOKED BY DATA SUBJECTUser logs in andsets RtbF flagData Subject exercisesRtbF (through form, phonecall, or other method)Data SubjectoptionallyverifiedData SubjectoptionallyverifiedPROCESS TRIGGEREDCustomer deploys Trigger onRtbF attribute (individual)Customer deploys Trigger oncustom RtbF attributeRTBF PROCESSIs there aUser record?Delete Contact, Lead, andother recordsDelete Contact, Lead, andother recordsScrub/Delete otherobjects per guidanceRTBF PROCESS1. Provide a place to store the DataSubject’s intent to exercise their rightto be forgotten.Is there aUser record?2. When Data Subject invokes this right,trigger a Right to be Forgotten process:a. Identify the records related to theData Subject.b. Delete the records.c. O bfuscate details on User record,if needed.Delete Contact, Lead, andother recordsScrub/Delete otherobjects per guidanceDelete Contact, Lead, andother records

Restriction of ProcessingThe Lightning Platform allows customersto track Restriction of Processing on theIndividual Object. Salesforce has identifiedtechniques like this for Controllers wantingto follow a conservative approach:1. Identify the records related to theData Subject.2. Export the records to the file system orother file storage to facilitate restoration.3. Delete the records.4. Import the records when the restrictionis lifted.PRE-WORKCustomer enables Individualincluding UX for RoP attrCustomer enables customobject/attribute for RoPROP INVOKED BY DATA SUBJECTUser logs in andsets RoP flagData Subject exercisesRoP (through form, phonecall, or other method)Data SubjectoptionallyverifiedData SubjectoptionallyverifiedPROCESS TRIGGEREDCustomer deploys Trigger onRoP attribute (individual)Customer deploys Trigger oncustom RoP attributeROP INVOCATION PROCESSSignal AdminData Subject isExternal Identity/CommunitiesExport, then delete all recordsassociated with Data SubjectYesDeactivate UserRecord restricted records and Data Subject infoin external system to facilitate restorationROP INVOCATION PROCESSSignal AdminData Subject isExternal Identity/CommunitiesExport, then delete all recordsassociated with Data SubjectYesDeactivate UserRecord restricted records and Data Subject infoin external system to facilitate restoration

Data PortabilityThe GDPR requires companies to be able to deliver to Individuals the personal data thatthey have provided to the Controller in a structured, commonly used, and machinereadable format. Salesforce supports data export in several of these formats, includingCSV, XLS, JSON, and XML.Both declarative options, available via the UI, and programmatic options, available viaAPI tools, are available including: Reports can be accessed through the Salesforce UI and provide export capabilities inCSV and XLS formats. Reports and Dashboards API may be used to query for a report and the records itcontains. This method also produces CSV and XLS formats. Data Loader is a Salesforce tool designed to create, update, upsert, delete, and exportrecords. When exporting data, the Data Loader output is CSV files. Apex can be used from the developer console to generate a comma-delimited stringwith a line for each record. This extract can be saved as an attachment orstatic resource. SOAP and REST APIs can be leveraged through many different methods andmay yield a number of different output types. One common Salesforce API tool isWorkbench, which allows the user to pick the object and fields needed and generatea query. Third-Party ETL (Extract-Transform-Load) tools offer more powerful options forexporting data. Jitterbit, Informatica, Dell Boomi, Talend, and MuleSoft are examplesof ETL tools that are not Salesforce-specific, but offer adapters or connectors forworking with Salesforce data. These tools are commonly used by enterprise customerswith sophisticated integration patterns.

How to leverageSalesforce’s securityarchitecture whendesigning applicationsThe GDPR requires Controllers and Processors to implementappropriate technical and organizational measures to ensure alevel of security appropriate to the risks presented. Salesforcecustomers can rely on many technical controls from Salesforceas their Processor.Trust is the #1 priority at Salesforce, and security is built intothe Platform’s infrastructure with advanced threat detection,continuous monitoring, encryption in transit, secure datacenters, and trusted IP ranges. The Trust team carefullymonitors Salesforce infrastructure around the clock, whichis significantly more efficient than a conventional in-housesystem, where an organization must divide its efforts betweena myriad of IT concerns, with security being only one ofthem. Salesforce provides transparency around security andperformance metrics through a dedicated trust site.While Salesforce has many security controls at the networkand infrastructure layers, Salesforce customers leverage outof-the-box access controls at the application layer to protectthemselves from account credential compromise and dataloss. Insider threats are the leading source of cybersecurityattacks, with 60% of incidents caused by employees insidean organization. Salesforce offers granular controls at theapplication layer to allow organizations to enforce a leastprivilege access model and reduce the risk of insider threats.One key principle of the GDPR is a requirement for technicalsecurity measures to protect personal data (Article 5(1)(f),Article 32). Technical measures include user authenticationand logical access controls. With the Lightning Platform,customers can be confident about cloud security and canleverage access controls and other platform-native technicalmeasures to protect their Data Subjects.Trust andCloud Security81%of those surveyedbelieved that GDPR wouldmaintain or acceleratetheir cloud adoption.*83%of IT leaders say they feelmore comfortable withtheir knowledge of cloudsecurity than they did fiveyears ago.**65%plan on increasingdata stored in the cloudover the next 12 to 18months.*** “Closing the Cloud SecurityBusiness Gap”, 2018** Salesforce “State of IT”, 2017

What does Salesforce offer at eachsecurity layer?Salesforce ShieldPlatformEncryptionEventMonitoringFieldAudit TrailApplication ServicesClassicEncryptionIdentity & ionField LevelSecurityUser Roles &PermissionsField HistoryTrackingNetwork ServicesHTTPSEncryptionPenetrationTestingMonitor LoginHistoryAdvancedThreat DetectionSecureFirewallsIP LoginRestrictionsInfrastructure ServicesSecure DataCentersBackup andDisaster RecoveryReal-TimereplicationThird-PartyCerti cationsCustomerAuditsInfrastructure ServicesInfrastructure Services are at the foundation of the Salesforce security model, whichincludes the extensive security within our data centers, backup and disaster recoverypractices, and real-time data replication, all of which are backed up by third-partycertifications and customer audits. Salesforce manages this infrastructure for customers,streamlining their efforts to prevent hardware theft, ensure business continuity, andprovide documentation for customer audit process.Salesforce deploys firewalls and/or access control lists (ACLs) at every layer of the stack,including the database layer. Customers have to go through a separate bastion host sodirect login to the database servers is prevented. Salesforce also encrypts traffic that isflowing between Salesforce data centers so that data is never unencrypted as it travelsbetween primary and backup locations.

Network ServicesNetwork Services are core to how Salesforce handles customer data and monitorstransactions, including encryption in transit, penetration testing, monitoring, advancedthreat detection, secure firewalls, and IP login restrictions. This layer of the Salesforcesecurity model offers out-of-the-box protection that benefits every customer and everySalesforce transaction.Salesforce secures its network with a variety of technical measures. End-to-end transportlayer security (TLS) cryptographic protocols encrypt all network data transmissions sothe strongest level of encryption is used to safely transmit customer data. access controllists (ACLs) inspect all network packets and prevent unauthorized connections. Inaddition, a number of sophisticated security tools monitor platform activity in real timeto expose many types of malicious events, threats, and intrusion attempts. For example,hacking attempts on a customer’s web applications are identified and prevented in realtime by intrusion detection systems (IDS).Application LayerThere are multiple levels of access that can be granted at the application layer, rangingfrom the ability to limit logins to trusted networks to granular field-level security controls.User interactions in Salesforce are tracked and can generate an audit trail. Organizationscan even set object-level history tracking so they can see when individual changes aremade and by whom.Salesforce eases implementation of security policies and protocols with a variety ofpoint-and-click tools. Using these declarative controls, Salesforce administrators canestablish a record-sharing model, enforce login and password policy settings, and setprofile-based permissions for object- and field-level access.

How does Salesforce Shieldenhance security?Companies of all sizes and industries are using Salesforce across departments torun their businesses faster and transform application development. As adoption ofSalesforce for critical business capabilities grows, monitoring user behavior, trackingchanges to data, and preventing data loss are more important than ever. With moresensitive data in the cloud, security and compliance requirements also becomeincreasingly complex. Salesforce Shield, a premium set of security services, helpsaddress these requirements while allowing customers to proactively monitor useractivity and enforce security policies.Platform EncryptionPlatform Encryption lets customers encrypt their most sensitive data at rest whileretaining critical app functionality. Platform Encryption is natively integrated with keySalesforce features, so core functionality like search, lookups, validation rules, andChatter are preserved. Platform Encryption helps customers provide their users a full360-degree view of their customers by bringing and managing regulated, private, orproprietary data with confidence.Which GDPR requirements can it help with?Security MeasuresWhile the GDPR is not prescriptive in stating what “appropriate” technical measuresare, one example it does provide is encryption (Article 32(1)(a)). Salesforce offersencryption while data is in transit for most of its services at no additional cost to thecustomer. The addition of Shield offers the option of encrypting data while at rest,meaning that it is encrypted when it’s inactive or being stored within Salesforce usingan advanced key derivation system.Personal Data BreachPlatform Encryption may be helpful in the event of a personal data breach wherecustomer data is exfiltrated, no matter how big or small in scale. Under the GDPR,the Controller may be required to notify the data protection authority and/or theindividuals affected if the breach is likely to result in “a risk to the rights and freedoms”of the people involved (Articles 33 & 34). If the personal data involved in the breachwas encrypted, it is less likely that the personal data will become visible to someone

who shouldn’t be seeing it, thus limiting the impact of the breach. Furthermore, theGDPR notes that the communication to the Data Subjects will not be required if theController has implemented appropriate technical and organizational measures, suchas encryption, which render the personal data unintelligible to any person who is notauthorized to access it (Article 34(3)(a)). As a result, encryption may further limit thescope of any potential embarrassment or further investigation into the incident.Event MonitoringEvent Monitoring delivers access to detailed performance, security, and usage data forcustomers’ Salesforce apps to help monitor compliance with their security policies,understand user adoption across their apps, and troubleshoot and optimize applicationperformance. Transaction Security, a key component of Event Monitoring, letscustomers build flexible, customizable security policies that give IT the power to identifyand prevent malicious activity in real time.Which GDPR requirements can it help with?Security and Data IntegrityAs described above, adequate security is important for ensuring that personal datais properly protected under the GDPR. In addition to encryption, the GDPR providesfurther examples of measures that may be “appropriate,” including those that allowfor “the ability to ensure the ongoing confidentiality, integrity, availability and resilienceof the processing systems and service” (Article 32(1)(b)). Event Monitoring allowscustomers to monitor log data and to quickly identify suspicious activity, assistingthem in preserving the integrity of the personal data and their systems.Personal Data BreachBy being able to observe and quickly respond to any threats, Event Monitoring assistscustomers by allowing them to minimize damage and rapidly remediate the threat,thus limiting the scope of the impact on the Data Subjects. The Transaction Securityfeature allows customers to tailor their security profile to respond in real time tocertain threats commonly faced by their organization. This helps customers to betterenforce their policies, for example, by blocking the activity or by notifying a designateduser of the unwanted activity.

Field Audit TrailWith Field Audit Trail, customers can track changes to their data for up to 10 yearsand report on its value and state over time for forensic-level compliance and greateroperational insights into their business.Which GDPR requirements can it help with?RetentionUnder the GDPR, one of the key principles is that personal data must only be retainedfor “no longer than is necessary” for the purpose of the processing, otherwise knownas the “data retention” principle (Article 5(1)(e)). Field Audit Trail can assist customerswith their data retention obligations by enabling them to develop data retentionpolicies to ensure that personal data is not stored for excessive periods of time,actively manage their data over a period of time, and develop data retention policiesaccordingly.Security and Data IntegrityThe GDPR highlights that measures that allow “the ability to ensure the ongoingconfidentiality, integrity, availability and resilience” of processing systems may be“appropriate” to secure certain personal data. In the event personal data is incorrectlymodified or is lost, Field Audit Trail allows customers to retrieve a recent historicalcopy, thereby assisting them in ensuring the availability and resilience of their personaldata.AccountabilityThe GDPR requires that organizations are able to demonstrate that they treat personaldata in compliance with the law (Article 24). Field Audit Trail helps customers toachieve this by allowing them to confirm exactly what data the organization has heldon the Lightning Platform, and for how long.

GDPR as catalyst for building amodern app portfolioAs companies endeavor to understand their obligations in the age of the GDPR, theyconduct internal audits of all the business processes and applications that touch personaldata from their employees and customers. These audits may uncover existing applicationsthat are not GDPR compliant.IT teams face a challenging decision: keep or modernize these legacy applications. Ifthe choice is made to keep the existing applications, the IT team will need to invest indeveloping new features and purchase additional hardware where needed. Organizationsopting to modernize their app portfolio can use the GDPR as an opportunity to redesignand migrate legacy applications to Salesforce, empowering their teams to transformapplication development with tools that are fast, easy, and fun. This approach hasthe benefit of consolidating applications onto a single platform, reducing complexity,increasing agility, and centralizing efforts for GDPR readiness.Salesforce customers can build apps over 50% faster using the Lightning Platform’s clicksnot-code approach. Salesforce’s AppExchange, the #1 Business App Marketplace, furtheraccelerates time to market, offering many required departmental apps ready-to-install.The Lightning Platform advantage and Salesforce’s GDPR-ready features can beextended to all business applications for truly transformational application development.Organizations that leverage their GDPR readiness as a strategic opportunity to conductan app modernization project will empower business and IT users to work together tomodernize, automate, and deliver the experiences customers and employees need.

What should I do next?Once

What is the Salesforce Lightning Platform? The Lightning Platform is the world's leading cloud platform. It powers the core apps at Salesforce and enables no-code, low-code, and programmatic options to build, secure, integrate, and manage business applications that extend CRM and power amazing customer, partner, and employee experiences.