What the world needs now is GDPR, says Salesforce’s Data Protection Officer

By Martin Banks, May 22, 2018
Summary:
GDPR is now only hours away and top of mind for Salesforce’s Data Protection Officer Lindsey Finch.

Finch meets the users

GDPR was a big theme at last week’s Salesforce World Tour event in London, hardly surprising with the clock running down to Friday’s deadline.

It was indicative of the importance of the new regulation that Lindsey Finch, Salesforce Senior VP of Global Privacy and Product Legal and now its first Data Protection Officer, was flown in from the U.S. to take a high profile at the conference.

As noted before, Finch sees GDPR, or more specifically its equivalent, as a clear and present need for the U.S.:

With GDPR imminent and the California Privacy Ballot coming up we really do think it is time to have a Federal Privacy Law, that is the Salesforce corporate position. We see it as key to rebuilding trust with technology companies overall. This won’t just be a copy and paste, we will have to go through our own processes, but the principles of people having control over their own data and big companies being accountable for their privacy practices are elements that we would like to see translated into US law.

Finch is currently spending much of her time talking to the company’s global customers to find out how they are looking at GDPR. It seems that quite a few are taking the obvious option, simply taking the principles of GDPR and applying them to all personal data irrespective of where the database resides. That is the simple and straightforward route:

Look at the application of things like the 1995 Data Protection Directive or the Japanese privacy law that came into effect last year. There are more similarities than there are differences. Early US law was taken up and developed by the OECD in their laws on privacy and the transport of dataflows. But they have then been expanded and different countries have their own twists and turns on how they are implemented, but when you look at them they are all about giving people rights and companies accountability.

Areas where such differences might arise, she feels, could be in approaches to issues such as free speech, where in the US free speech is seen as paramount. Another is likely to be the right to be forgotten, which may end up being treated differently in different countries. Finch says:

It is all a balance for each country, but it can’t allow someone to walk into the bank where they have a mortgage and say ‘I’d like you to forget me’. But it would have been great if I could have checked into my hotel yesterday and have them know what type of room I like and what beverages I like to have available. But that does depend on there being trust in having that data available.

One area where GDPR has an obvious impact is in the use of cookies. These can be very useful in enhancing the relationship between a company and its customers, especially in terms of relationship building, but (especially in the wrong hands) they are open to being used maliciously to collect and report back data that a customer might not want a vendor company to have. Salesforce has therefore ensured that its customers have the capability to build in consent in advance, before a cookie is used with one of their customers. The aim is to make the consent granular.

As Salesforce is a SaaS model it is legally the ‘data processor’ for its customers, so its customers have to be sure that they have a legal basis for the processing of data. Getting their customers’ consent is one such basis; the concept of legitimate interest is another, explains Finch:

So what we have built out on the marketing cloud and the DMP is a very granular consent management functionality so that customers can have that and can go about collecting and honouring users. It means that their customers can define that they want their data used for ‘this’, but not for ‘that’. And GDPR says that the consent has to be revocable, and that this must be honoured, so that users can change their minds.

Trust is good, but can you get it by the yard?

The company’s number one value and watch word is trust, and as Simon Mulcahy, the company’s Chief Marketing Officer, said in the post keynote Q&A session at the World Tour event, trust is now even more important than revenue to the company.

That is all well and good, but the other side of that coin is that revenue, profit and the readily quantifiable numbers of business are what guide people who want to invest in the stock of a company like Salesforce. While trust is a highly laudable objective, it is particularly subjective. So how does Finch measure it in a meaningful way that makes sense to stock holders and traders? She says:

It doesn’t lend itself to measurability like the other things, but we spend a lot of time talking to customers and we have a lot of candid conversations that get into the various areas that make up trust. So we can learn whether we have reached, met or exceeded their expectations of what it means to be a trusted company.

She also suggests that trust shows in indirect ways that can be identified numerically, such as the customer acquisition and attrition rates, which is arguably partly true. The acquisition rate is going to be a sign that customers want ‘in’ on what Salesforce offers. The costs and inconveniences of unpicking a relationship which can become deeply embedded are not always going to be something many customers might contemplate with any degree of pleasure, however.

My take

Finch’s views on the overall suitability of Europe’s GDPR as the way to manage data privacy around the world highlight a growing need for not only regulation, but consistent regulation of privacy issues around the world. That in turn highlights the need for not just better, but equally consistent management of cyber-security, an area where the USA currently seems to be letting politics rather than pragmatism rule the day.

With Salesforce CEO Marc Benioff adding his considerable voice to calls for a GDPR-US, it was perhaps ironic that President Trump would choose the same time to eliminate the post of Chief Cybersecurity Co-ordinator on the US National Security Council.

US press reports stated that a memorandum from the new National Security Advisor, John Bolton, said the post was no longer necessary because cyber-security was now a “core function” of the President’s national security team. Others have suggested, however, that one reason might be that Bolton saw the role as a potential alternate power center in the security environment.

While this may not appear to be directly related to the arrival of GDPR in Europe and its impact on worldwide data management practices, cyber-security does lie at the heart of why the rise of GDPR has been necessary, since it is the primary route to most data breaches. It is therefore concerning to see the subject becoming a political football.

This is not helped by the suggestion, from the US Department of Homeland Security, that government agencies should instead turn to private companies for cyber-security input and support. This does sound like a route that could lead to some serious unjoined thinking and actions at a time when coherency in cyber-security operations will have a direct impact on how all businesses manage their data and meet their obligations under GDPR.