In the webinar, Why Privacy Matters: How to Establish Trust Through Salesforce Security and Privacy, Salesforce Principal Platform Security Specialist Rachel Beard and United Capital CISO Mark Bowling teamed up to explore the importance of privacy for organizations – particularly those in the financial services industry.
Why does data privacy matter? Because it enables trust, customers expect it, and because data privacy is rapidly becoming highly regulated and legally enforceable. Laws like the EU’s GDPR (General Data Protection Regulation), the upcoming CCPA (California Consumer Privacy Act), and HIPAA (Health Insurance Portability and Accountability Act) are examples of legislation that governs the regulation of consumer privacy and data protection. As someone involved in an organization’s security, privacy, and compliance practices, explore this post to discover why privacy matters as much as security and how you can establish robust privacy practices in cloud environments like Salesforce.
Why is trust important for organizations?
Many companies adhere to the belief that the customer is always right, and for a good reason – customers are the most important consideration for any business that wants to succeed. As custodians of customers’ private data, companies have the responsibility to protect their information to ensure trust. Therefore, businesses must build a reputation of trust with customers, especially in an increasingly technological world where data is obtained and stored in the cloud.
Reports estimate that, by 2020, 83% of enterprise workloads (software, platforms, and infrastructures) will be in the cloud. The increase in cloud usage also increases access to data from anywhere at any time. Customer information in the cloud is accessible by mobile devices, SaaS apps like Salesforce, and other sources. In order to protect your customers’ sensitive information, your company must embrace a culture of privacy because it’s necessary to retain customer trust. By creating an organization-wide culture of privacy, you’re committing to the customer and establishing a stronger relationship.
The data privacy movement
The data privacy movement has been driven by consumer concerns of oversharing publicly on the internet in addition to being driven by regulations, which are looking closely at information that organizations like hospitals, financial advisors, and the payment card industry provide to protect customer information.
In response to privacy concerns, privacy advocates have begun to push for consumer-centric data privacy protection. GDPR led the way, and the United States is seeing similar movement with CCPA in California – the first act to attempt to protect broad consumer regulations. More countries and states are developing their own privacy laws, and the United States will likely establish a federal privacy law in the near future.
Data privacy challenges for financial organizations
Financial services organizations typically protect two types of data – PII (personally identifiable information) and PFI (personal financial information), which are non-public information. Organizations must understand what data they own and what it has been used for; is it going towards marketing purposes, or is the data being retained in order to maintain accurate books and records? Begin by identifying what data is collected for your customers versus what data is collected for prospects or potential customers.
If someone is a prospect, laws like CCPA create a significant challenge for managing their privacy preferences. Under CCPA, if a prospect contacts your organization requesting that their personal data be erased, you need the ability to identify all data associated with that individual and delete it. If they aren’t a customer, you won’t have bank records or investment records you’re required to maintain for them, so any data must be removed. To facilitate this process, your company needs methods for identifying who is a client and who is a prospect, locating the information on file, and erasing the information promptly.
Data protection in the cloud – whose responsibility is it?
As soon as you input data into a cloud application like Salesforce, it’s your responsibility to protect it. SaaS applications are secure, but once the data enters the SaaS environment, it becomes the company’s responsibility to safeguard.
CCPA and GDPR essentially contain two parts – a breach notification act, which requires companies to protect customers’ information and places the burden on the financial services provider to protect it, and a requirement that organizations know whose information is on file and how to erase it should the need arise.
To demonstrate who owns what in the cloud provide – cloud user relationship, refer to the shared responsibility model. This model extends across multiple cloud platform providers like Salesforce, Amazon Web Services, Google Cloud, and more.
According to the model, the cloud platform manages:
- The software running on the hardware
- The hardware itself
- The physical controls for the hardware
- The physical controls for the core part of the operating system
The customer is responsible for:
- Customer data
- Applications and identity access management
- Operating system, network, and firewall configuration
If your organization uses Salesforce, then you have to manage Salesforce as your SaaS application. Fortunately, Salesforce provides powerful tools to manage the platform and facilitate the protection of customer information.
“If there are additional tools that we can purchase that allow us to [manage the platform], we have the responsibility to do that.”
– Mark Bowling, CISO, United Capital
Salesforce data privacy and trust
Salesforce’s number one priority is trust, and their multi-layered approach to trust enables them to extend trust to their customers. By providing privacy and security tools, Salesforce customers can demonstrate and extend trust to their own customers when working with private data.
GDPR was a big deal even for non-European citizens – it triggered an influx of alerts from global companies letting consumers know how they could manage their privacy preferences. Looking back, GDPR was simply a milestone in the overall data privacy journey. GDPR and other privacy regulations present the ideal opportunity to rethink the way organizations handle data privacy and extend trust to customers. The key thing to consider during your compliance journey is how you can future-proof your privacy posture against emerging legislation. How are you going to think about privacy when this is the new normal of how to handle customer data?
“You want to put the customer at the center of your trust model. We know that customers trust companies when they have control of their data and when they have some transparency to how their data is being used.”
– Rachel Beard, Principal Platform Security Specialist, Salesforce
In conjunction with putting the customer first, the common themes across many of these privacy acts are:
- Being able to capture consent (you have my permission to work with my data)
- The ability to revoke consent (do not process my data)
- Being able to control when your information is deleted
- Requesting a copy of your data
- Putting preferences in place around when your information can be sold to other parties
These acts are a powerful driver to rethink what you’re doing with customer data, reconfigure what information you’re processing for customers, and extend trust by offering additional transparency, visibility, and control over customers’ PII. Another consideration should be where you can incorporate preference tracking and reporting features to monitor as consent preferences change. Salesforce, for example, has introduced options for enhancing privacy and governance to track data such as consent preferences.
Salesforce platform: privacy and data governance elements
How does Salesforce enable users to manage privacy? At the platform level, Salesforce offers data classification to help understand it as well as consent levels to manage consumer privacy preferences.
Data classification allows you to note where your data is being used, who is responsible for that data, and the sensitivity level of that data – is it restricted? Confidential? Public? The tool allows you to enforce your data classification strategy within Salesforce by first documenting it, and then by looping in additional functionality such as Event Monitoring’s transaction security, which is real-time prevention for your security policies.
In response to GDPR, Salesforce also introduced consent-related objects, particularly around the Individual object. You may have many ways to represent each unique person in your Salesforce environment- Contacts, Person Accounts, Leads. The Individual allows you to aggregate all those identities around one person and document their consent preferences so you can incorporate them into your data classification regime. You can also integrate analytics capabilities to track how much of your data is covered under privacy protections.
Building an organizational culture of privacy
Culture is what’s created within an organization to meet the trust expectations of customers and the cloud ecosystem. Cohesion and internal trust are necessary in order to create a culture of privacy both with customers and employees. Generating organizational trust can help improve the speed and agility of your projects, supporting your overall company goals. Once you have internal departmental trust, it spreads to the entire enterprise, which creates a culture of ensuring customer privacy.
To develop this culture of privacy, begin with:
- Organization structure and personnel. Should the CISO be under the CIO or should they be under the Chief Risk Officer or the Chief Security Officer? Any organizational structure can work as long as the people are working collaboratively and they’re a cohesive team with loyalty and trust working towards common goals.
- Effective security and compliance policies. Understanding your compliance framework is critical. What regulations and laws are you responsible for aligning with? Based on the framework, you must have the right privacy and compliance policies in place, or you may need to reevaluate your practices to avoid fines and penalties. For example, anyone doing business with California residents that nets more than $25 million annually is now also accountable to another compliance framework – CCPA.
- Salesforce security health checks. Perform security health checks frequently to understand what gaps you might be facing in your Salesforce environment. If you have multiple ecosystems – B2C and B2B, for example – then you must perform health checks and monitoring for every environment.
- Enforce the right values. Privacy must be an organizational value to enforce best practices and fulfill your responsibility. Customer transparency is also critical, because in the end, if the customer doesn’t have confidence that you’re going to be responsive to them, you’ll lose credibility.
While privacy may not initially seem as critical as security, when it comes to protecting your customers’ data and personal information, establishing robust privacy and security frameworks is the key to developing a long-lasting and trusting relationship with your consumer base. Why does privacy matter? Because it enables trust. And trust leads to a successful business and loyal customers.