Introduction: Data Privacy as a Salesforce Imperative
Data privacy is no longer a legal checkbox — it's a competitive differentiator and existential risk. GDPR fines exceeded €4.5 billion cumulatively by 2025, CCPA enforcement is accelerating, and HIPAA violations carry penalties up to $1.5 million per incident. For organisations running Salesforce as their system of record, every custom field, integration, and Apex trigger is a potential compliance surface.
Salesforce provides a robust compliance toolkit — Shield Platform Encryption, Event Monitoring, Field Audit Trail, and Data Mask — but these tools require deliberate architecture decisions from day one. Retrofitting compliance onto an existing org is 5–10x more expensive than building it in. This guide covers the complete compliance stack for Salesforce development, from regulatory mapping through automated enforcement and audit readiness.
Regulatory Landscape: GDPR, CCPA, and HIPAA Mapping
Map regulatory requirements to Salesforce capabilities:
- GDPR (EU): Applies to any organisation processing EU residents' data. Key requirements: lawful basis for processing (consent, legitimate interest, contract), right to access (Article 15), right to erasure (Article 17), data portability (Article 20), and breach notification within 72 hours (Article 33). Salesforce Individual object and data processing records help track consent status.
- CCPA/CPRA (California): Grants California residents the right to know what data is collected, delete personal information, opt out of data sales, and non-discrimination for exercising rights. The CPRA amendment adds data minimisation requirements, purpose limitation, and establishes the California Privacy Protection Agency (CPPA).
- HIPAA (US Healthcare): Requires administrative, physical, and technical safeguards for Protected Health Information (PHI). Salesforce Health Cloud with Shield encryption provides HIPAA-compliant architecture — but requires a Business Associate Agreement (BAA) with Salesforce, available only on Enterprise+ editions.
- SOX (Financial): Sarbanes-Oxley requires audit trails for financial data changes. Salesforce Field Audit Trail retains field history for up to 10 years, and Event Monitoring tracks login activity and data exports — critical for SOX compliance evidence.
- Cross-Regulation Mapping: Create a compliance matrix mapping each regulation's requirements to specific Salesforce features — consent management → Individual object, encryption → Shield, audit logging → Event Monitoring, data deletion → Apex batch jobs.
Salesforce Shield Platform Encryption Deep-Dive
Shield Platform Encryption provides encryption at rest with unique architectural considerations:
- Deterministic vs Probabilistic: Deterministic encryption allows encrypted fields to be filtered, grouped, and used in SOQL WHERE clauses — essential for fields like email or SSN that need query support. Probabilistic encryption provides stronger security but prevents filtering — use for notes, descriptions, and free-text fields.
- Encryption Key Management: Shield uses a hierarchical key system — tenant secrets (customer-controlled) combined with master secrets (Salesforce-controlled) generate derived data encryption keys. Rotate tenant secrets regularly (quarterly recommended) and archive old keys for historical data access.
- Performance Impact: Encrypted fields cannot use standard indexes — custom indexes require Salesforce support to enable. SOQL queries on encrypted fields are slower; plan capacity for 10–20% query performance degradation on heavily encrypted objects.
- Field-Level Encryption: Encrypt sensitive fields including SSN, credit card numbers, health records, financial data, and PII. Not all field types support encryption — formula fields, auto-number fields, and certain standard fields cannot be encrypted. Plan data model accordingly.
- Bring Your Own Key (BYOK): For maximum control, generate and manage encryption keys externally using HSMs (Hardware Security Modules) and upload to Salesforce via the Key Management Service. BYOK enables key revocation independent of Salesforce — critical for regulatory requirements mandating customer-controlled encryption.
Field-Level Security and Access Control Architecture
Implement defence-in-depth access control:
- Profile-Based Access: Create dedicated profiles for each role — restrict field-level access (read, edit, hidden) on sensitive fields. Use the principle of least privilege — start with minimal access and grant additional permissions only when justified.
- Permission Sets: Use Permission Sets and Permission Set Groups for granular, additive permissions. Avoid modifying profiles for individual user needs — Permission Sets provide audit-friendly, easily reversible access changes.
- Record-Level Security: Configure Organisation-Wide Defaults (OWD) as private for sensitive objects. Use Role Hierarchy, Sharing Rules, and Manual Sharing for controlled data access expansion. Apex Managed Sharing provides programmatic sharing for complex business rules.
- Apex Security: Enforce CRUD and FLS checks in all Apex code — use WITH SECURITY_ENFORCED in SOQL queries, Security.stripInaccessible() for DML operations, and Schema.SObjectType.describe() for dynamic permission checking. Never bypass sharing rules with without sharing unless explicitly justified and documented.
- Connected App Policies: For API integrations, configure Connected Apps with OAuth 2.0 scopes limiting access to specific objects and operations. Use Named Credentials for secure credential storage and IP restrictions for API access control.
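The three Apex controls named above, applied together in one service class. This is an added example and not code from the article or from MDS; Tax_Id__c is a hypothetical custom field and AccessException is a class defined here for illustration.

```apex
// Added example, not from the article. Tax_Id__c is a hypothetical custom field.
public with sharing class ContactPrivacyService {

    public class AccessException extends Exception {}

    // Read path: WITH SECURITY_ENFORCED throws System.QueryException when the
    // running user lacks read access to the object or any selected field,
    // instead of silently returning data they should not see. Fail closed.
    public static List<Contact> readContacts(Set<Id> contactIds) {
        try {
            return [SELECT Id, Email, Tax_Id__c
                    FROM Contact
                    WHERE Id IN :contactIds
                    WITH SECURITY_ENFORCED];
        } catch (System.QueryException e) {
            throw new AccessException('Insufficient field access: ' + e.getMessage());
        }
    }

    // Write path: stripInaccessible() drops every field the user cannot update
    // before the DML runs, so a client cannot smuggle values into fields that
    // field-level security hides from it.
    public static SObjectAccessDecision updateContacts(List<Contact> updates) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, updates);
        // Surface stripped fields so a silently partial update is not mistaken
        // for a successful one (getRemovedFields() maps object -> field names).
        if (!decision.getRemovedFields().isEmpty()) {
            System.debug(LoggingLevel.WARN,
                         'Fields stripped by FLS: ' + decision.getRemovedFields());
        }
        update decision.getRecords();
        return decision;
    }

    // Dynamic check for code that inspects permissions before assembling a
    // query at runtime (e.g. user-selected columns in an export).
    public static Boolean canReadField(String objectName, String fieldName) {
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectName);
        if (objType == null) {
            return false;
        }
        // Describe field maps are keyed by lower-case API name.
        Schema.SObjectField field =
            objType.getDescribe().fields.getMap().get(fieldName.toLowerCase());
        return field != null && field.getDescribe().isAccessible();
    }
}
```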
Consent Management and Data Subject Rights
Build automated consent workflows:
- Individual Object: Salesforce's Individual object tracks consent preferences — HasOptedOutProcessing, HasOptedOutSolicit, HasOptedOutTracking, and HasOptedOutGeoTracking. Link Individual records to Contact/Lead records and enforce consent status in all marketing and processing workflows.
- Consent Management APIs: Build self-service portals (Experience Cloud) allowing data subjects to view consent status, modify preferences, request data exports, and submit deletion requests. Automate consent change propagation to all integrated systems.
- Right to Access: Create Apex batch jobs that compile all personal data across standard and custom objects into exportable formats (CSV, JSON). Include related records — Cases, Activities, Email Messages, and custom object relationships — for complete data subject access requests (DSARs).
- Right to Erasure: Implement automated deletion workflows — when erasure is requested, Apex triggers anonymise or delete personal data across all objects, remove from reporting snapshots, and propagate deletion requests to integrated third-party systems via platform events.
- Consent Audit Trail: Log every consent change with timestamp, source (web form, phone call, API), and the specific consent granted or withdrawn. Use custom objects or Event Monitoring to maintain a tamper-proof consent history for regulatory audits.
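A consent gate on the Individual flags plus an anonymising erasure routine that propagates the request over a platform event, covering the Individual Object and Right to Erasure points above. This is an added example, not the article's or MDS's code; it uses the standard Contact.IndividualId lookup, and Erasure_Request__e with its ContactId__c field is a hypothetical platform event.

```apex
// Added example, not from the article. Erasure_Request__e (with a ContactId__c
// text field) is a hypothetical platform event that integrated systems subscribe to.
public with sharing class DataSubjectRightsService {

    // Consent gate: returns only the Contacts that may still be processed and
    // solicited. A Contact with no Individual record is treated as not having
    // consented (fail closed) rather than as having no objection.
    public static Set<Id> filterSolicitable(Set<Id> contactIds) {
        Set<Id> allowed = new Set<Id>();
        for (Contact c : [SELECT Id, IndividualId,
                                 Individual.HasOptedOutProcessing,
                                 Individual.HasOptedOutSolicit
                          FROM Contact
                          WHERE Id IN :contactIds
                          WITH SECURITY_ENFORCED]) {
            if (c.IndividualId != null
                    && !c.Individual.HasOptedOutProcessing
                    && !c.Individual.HasOptedOutSolicit) {
                allowed.add(c.Id);
            }
        }
        return allowed;
    }

    // Right to erasure: anonymise in place (audit references and child records
    // survive), then tell downstream systems to do the same.
    public static void anonymise(Set<Id> contactIds) {
        List<Contact> contacts =
            [SELECT Id FROM Contact WHERE Id IN :contactIds WITH SECURITY_ENFORCED];
        List<Erasure_Request__e> events = new List<Erasure_Request__e>();
        for (Contact c : contacts) {
            // Opaque token: keeps records distinguishable without any PII.
            String token = EncodingUtil.convertToHex(Crypto.generateDigest(
                'SHA-256', Blob.valueOf(String.valueOf(c.Id)))).substring(0, 12);
            c.FirstName = 'Erased';
            c.LastName = 'Subject-' + token;
            c.Email = 'erased-' + token + '@invalid.example';
            c.Phone = null;
            c.MailingStreet = null;
            events.add(new Erasure_Request__e(ContactId__c = c.Id));
        }
        update Security.stripInaccessible(AccessType.UPDATABLE, contacts).getRecords();
        // Check each publish result so a failed propagation is logged, not lost.
        for (Database.SaveResult r : EventBus.publish(events)) {
            if (!r.isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Erasure propagation failed: ' + r.getErrors());
            }
        }
    }
}
```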
Data Retention Policies and Automated Enforcement
Automate data lifecycle management:
- Retention Policy Design: Define retention periods by data category — customer records (7 years post-relationship), transaction data (per SOX/tax requirements), marketing interaction data (2 years), support cases (3 years post-resolution). Document policies in a Data Retention Schedule reviewed annually by legal.
- Automated Archival: Use Salesforce Big Objects or external data lakes (AWS S3, Snowflake) for long-term archival. Schedule Apex batch jobs to move records past retention thresholds to archive storage — maintain foreign key references for audit queries while reducing org data volume.
- Automated Deletion: Schedule batch Apex to permanently delete records past retention periods — implement soft-delete first (custom "Marked for Deletion" flag), review flagged records, then hard-delete after a grace period (30 days). Log all deletions for compliance evidence.
- Sandbox Data Management: Use Salesforce Data Mask to anonymise production data in sandboxes — replace real names, emails, phone numbers, and addresses with realistic but fictional data. Prevent sensitive production data from persisting in development and testing environments.
- Backup Compliance: Ensure backup solutions (OwnBackup, Spanning, Grax) respect retention policies — data deleted for compliance reasons must also be purged from backups after the backup retention window, preventing "zombie data" that violates erasure requirements.
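The two-stage retention flow described above (flag, review window, hard delete, evidence log) as a scheduled batch. This is an added example rather than the article's or MDS's code; Marked_For_Deletion__c, Marked_For_Deletion_Date__c and the Retention_Log__c object are hypothetical custom metadata, and Cases are used because the article gives them a 3-year period.

```apex
// Added example, not from the article. Marked_For_Deletion__c (checkbox),
// Marked_For_Deletion_Date__c (date) and the Retention_Log__c object are
// hypothetical; the retention and grace periods are the article's figures.
global with sharing class CaseRetentionBatch
        implements Database.Batchable<SObject>, Schedulable {

    private static final Integer RETENTION_YEARS = 3; // post-resolution
    private static final Integer GRACE_DAYS = 30;     // review window

    global Database.QueryLocator start(Database.BatchableContext bc) {
        DateTime cutoff = DateTime.now().addYears(-RETENTION_YEARS);
        return Database.getQueryLocator([
            SELECT Id, Marked_For_Deletion__c, Marked_For_Deletion_Date__c
            FROM Case
            WHERE IsClosed = true AND ClosedDate < :cutoff]);
    }
    global void execute(Database.BatchableContext bc, List<Case> scope) {
        List<Case> toFlag = new List<Case>();
        List<Case> toDelete = new List<Case>();
        List<Retention_Log__c> evidence = new List<Retention_Log__c>();
        Date graceCutoff = Date.today().addDays(-GRACE_DAYS);
        for (Case c : scope) {
            if (!c.Marked_For_Deletion__c) {
                // Stage 1: soft delete; the flag is visible to reviewers, who
                // can clear it to keep a record (e.g. legal hold).
                c.Marked_For_Deletion__c = true;
                c.Marked_For_Deletion_Date__c = Date.today();
                toFlag.add(c);
            } else if (c.Marked_For_Deletion_Date__c != null
                    && c.Marked_For_Deletion_Date__c <= graceCutoff) {
                // Stage 2: grace period elapsed and nobody cleared the flag.
                toDelete.add(c);
                evidence.add(new Retention_Log__c(Record_Id__c = c.Id,
                    Object_Name__c = 'Case', Deleted_On__c = Date.today()));
            }
        }
        update toFlag;
        insert evidence;          // write the evidence before the data is gone
        delete toDelete;
        // A deleted record sits in the Recycle Bin for 15 days and is still
        // restorable; purge it so the erasure is actually effective.
        if (!toDelete.isEmpty()) {
            Database.emptyRecycleBin(toDelete);
        }
    }
    global void finish(Database.BatchableContext bc) {}
    // Nightly at 02:00: System.schedule('Case retention', '0 0 2 * * ?', new CaseRetentionBatch());
    global void execute(SchedulableContext sc) {
        Database.executeBatch(new CaseRetentionBatch(), 200);
    }
}
```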
Compliance Monitoring and Audit Readiness
Build continuous compliance monitoring:
- Event Monitoring: Shield Event Monitoring captures login events, API calls, report exports, data exports, and Apex executions. Create Transaction Security Policies to automatically block suspicious activity — exports exceeding threshold record counts, logins from blocked geographies, or API access outside business hours.
- Field Audit Trail: Retain field change history for up to 10 years — critical for regulated industries where auditors need to reconstruct data state at any historical point. Configure audit policies for sensitive fields (financial amounts, status changes, approval decisions).
- Health Check: Run Salesforce Health Check regularly — it scores your org's security against baseline standards (session settings, password policies, network access, certificate management). Aim for a Health Check score of 90+ and remediate all "High Risk" findings.
- Compliance Dashboards: Build executive dashboards tracking — open data subject requests (DSARs) and SLA compliance, consent coverage percentage, encryption deployment status, access review completion rates, and security incident response metrics.
- Audit Documentation: Maintain an evidence repository — data flow diagrams showing how personal data moves through Salesforce and integrated systems, completed Data Protection Impact Assessments (DPIAs), annual access reviews, and incident response test results.
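One of the Transaction Security Policies mentioned above, blocking report exports that exceed a record-count threshold, expressed as an Apex policy condition. This is an added example, not the article's or MDS's code; the class is bound to a policy in Setup on the ReportEvent type, and the 10,000-row threshold is an illustrative value.

```apex
// Added example, not from the article. Bound to a Transaction Security Policy
// in Setup (event type ReportEvent, actions Block and Notify); the 10,000-row
// threshold is illustrative, not a figure from the article.
global class BlockLargeReportExport implements TxnSecurity.EventCondition {

    private static final Integer MAX_EXPORT_ROWS = 10000;

    // Called by the platform for every ReportEvent; returning true triggers
    // the action configured on the policy.
    public Boolean evaluate(SObject event) {
        if (!(event instanceof ReportEvent)) {
            return false;   // only ReportEvent carries RowsProcessed
        }
        ReportEvent re = (ReportEvent) event;
        // On-screen runs ('ReportRun') stay allowed so daily work is not
        // blocked; only exports ('ReportExported') are thresholded.
        Boolean isExport = re.Operation == 'ReportExported';
        Boolean isLarge = re.RowsProcessed != null && re.RowsProcessed > MAX_EXPORT_ROWS;
        return isExport && isLarge;
    }
}
```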
Third-Party Integration Security and MDS Compliance Services
Secure the integration perimeter:
- API Security: All integrations should use OAuth 2.0 with Named Credentials — never store credentials in custom settings or code. Implement JWT Bearer Flow for server-to-server integrations and enforce IP whitelisting for Connected Apps.
- Data Processing Agreements: Ensure every third-party system receiving Salesforce data has a signed Data Processing Agreement (DPA) — document what data is shared, processing purposes, retention obligations, and breach notification requirements.
- Integration Audit Logging: Log all data flowing to/from third-party systems — platform events with EventBus.publish() can capture outbound data transfers, while Salesforce Connect tracks external data access. Use Change Data Capture (CDC) to monitor real-time record modifications.
- Marketing Cloud Compliance: If using Marketing Cloud, ensure email consent synchronisation with Sales Cloud, implement preference centres for granular opt-out management, configure suppression lists for regulatory compliance, and archive email send logs for required retention periods.
MetaDesign Solutions provides end-to-end Salesforce compliance services — from regulatory gap analysis and Shield Platform Encryption implementation through automated consent management (GDPR/CCPA/HIPAA), data retention policy automation, Event Monitoring configuration, Health Check remediation, and audit preparation support. MDS has delivered compliance solutions for healthcare, financial services, and enterprise clients requiring the highest levels of data protection.