Salesforce World Tour - Benioff calls for ‘GDPR-US’

Salesforce CEO Marc Benioff has caused a bit of a stir in the U.S. by calling for a national privacy law akin to Europe’s imminent GDPR (General Data Protection Regulation).

Speaking on the CBS This Morning TV show, Benioff declared:

What we need is a national privacy law, and that will really not just protect the tech industry; it's going to protect all the consumers.

The call-to-arms comes of course in the wake of the recent Facebook data privacy scandals, but this is not some kind of Pauline-conversion on the part of Benioff. As far back as 2014, he told me that he supported the kind of tougher data protection laws that have been rolled out in the European Union. He said:

I’m all in favor of consumers having more power and more control over their data. As a consumer, you should have all of the rights. It’s like a cloud Bill of Rights. As a consumer or as an enterprise, you should have the right to be forgotten or to add or take away your data.

The upside of the Facebook revelations has been to put data privacy center stage for consumers and Benioff’s 2018 comments are tapping into the ensuing debate about the responsibilities of social media giants:

Ultimately, [a national privacy law is] going to protect our kids, which is really what this is all about because we know that all these companies are looking to bring kids into their social networks as well.

In some ways you can say Facebook has really become the new cigarettes in our industry. That is, it's a technology that is, yeah it's addictive, it may not be that great for you and it might be something that you might want to go back to. .

Again, this isn’t a new theme from Benioff. He’s voiced concerns about data use/abuse by the likes of Facebook and others for a long time. Again from 2014, he told me:

Once you give those companies your data, it becomes their data. If you post something to Facebook, it becomes their data...it really is very important to talk about that and explain this...When we sign a contract with a customer, we are their servant. That’s not the case with consumer clouds where the masters are different.

As this has now become globally clear courtesy of Facebook, Benioff reckons that it’s time to move onto the next stage of the debate:

Maybe this is a time where the government has to step in and regulate not just that product but really our industry. We're really at that point with technology.

Hence the idea of a ‘GDPR-US’:

That would mean the companies would have to fully disclose how they collect your information, use your information, and you'd have a right to be forgotten so that if you want all your information deleted, you can hit that button and be assured that your data is gone forever.

The idea that the U.S. will follow Europe’s lead was also aired by another CRM industry leader, Larry Augustin of SugarCRM on diginomica earlier this month. Whether it comes to pass remains to be seen - I suspect we’ll be hearing a lot more about this over the coming months leading up to the Dreamforce conference in September.

GDPR is here (almost)

But before then it’s now only a matter of days before GDPR kicks into law and Salesforce has been pushing its own preparations for the big day on 25 May.

At the Salesforce World Tour in London today, Chief Marketing Officer Simon Mulcahy aired the topic in the opening minutes of his keynote address, citing the effort that the firm has put into GDPR and telling the audience:

Many of you will be rolling your eyes and saying GDPR is a compliance issue. It is a compliance issue, but it’s also a phenomenal opportunity to give your customers what they want. What they want is to know that when they give you their data, you’re looking after it appropriately.

That was a message mirrored later by Maeve McMahon, Director Marketing, Commercial Business and Private Banking at Ulster Bank/RBS, who said:

In order to be a bank and to be sustainable we absolutely have to protect our customers data, so being compliant with GDPR is absolutely core to where we go in the future.

We internally have all completed GDPR modules. That was mandatory training for the whole organisation that we all had to complete before the end of this week. We’ve also mailed and emailed all our customers to let them know what is changing, what is happening, get their permission to have conversations with us. It is really important in terms of marketing, what I do every day, to ensure that we have customer consent.

Our vision is to be the number one bank for customer service trust and advocacy. We can’t have that trust if we don’t protect our customers data. As a bank we have access to so much data that we have to keep that safe, secure, compliant with regulations, but also enable conversations with our customers to go on on an ongoing basis. It’s really really important.

House in order

Earlier this week Salesforce announced the appointment of its own Data Protection Officer (DPO), a role that is required for companies of a certain size under the terms of the new regulation to oversee GDPR compliance and act as contact points for privacy issues.

Salesforce has added that DPO responsibility to the remit of Lindsey Finch, Senior Vice-President of Global Privacy and Product Legal. Before joining Salesforce in 2008, Finch spent two years as privacy counsel for General Electric as well as acting as a law clerk at both the Federal Trade Commission and the U.S. Department of Homeland Security. Of her new role, she says:

The official DPO designation is a natural outgrowth of our existing programme. My team and I will continue to partner across the company to foster a culture of privacy - designing, implementing, and ensuring compliance with our global privacy programme, including ensuring that privacy is considered throughout the product development lifecycle.

Salesforce has done a lot of work to put its own house in order, she explains:

We started by kicking off a thorough review to ensure compliance across the company. The GDPR is an incredibly rich document—99 articles and 173 recitals across 88 pages! Our Privacy team broke this down into key principles and worked closely with our Technology & Products organization to review our compliance. We found that we were already in a really great place.

Since then, a lot of the work we've been doing has been to document how our customers can use our services to comply with some of the key GDPR principles, which we've published on our GDPR website. There is no finish line when it comes to GDPR compliance. While Salesforce currently offers the tools for our customers to comply with the GDPR, we will continue to release new innovations that help our customers achieve compliance success.

As for those customers, she says:

The top theme I'm hearing is that our customers are using the GDPR as an opportunity to focus on their privacy practices and putting their customers—oftentimes end-consumers—at the center of their businesses. The GDPR is a complex law, but putting the individuals to whom the personal data relates at the forefront, and focusing on their expectations and preferences, is a great starting point for compliance with the GDPR and other privacy laws.

And as her CEO pitches his new campaign for tougher U.S. legislation, Finch believes that there will be new GDPR-like laws to come. At the London World Tour today, she told me:

We really see a Federal privacy law as the next step that should be taken to ensure that American consumers have their data protected as well...I think it’s an opportunity right now in time...With everything that’s going on, right now is really the time for the United States as a country to have a Federal privacy law.

My take

The World Tour event in London had a number of GDPR sessions, reflecting the importance of this topic and preparations, even at this late stage. As for Benioff’s call-to-arms, there’s a commendable clarity and consistency about his position on this topic, which stands in welcome contrast to the vacillating and prevaricating of Mr Zuckerberg.