The pattern: assess regulatory scope, classify data, configure platform features (Individual, Privacy Center, Shield, Compliance BCC), build DSR workflows, document retention, audit. The program is heavy; rolling out feature by feature without coordination produces gaps regulators find.
- Assess regulatory scope
  GDPR, CCPA, HIPAA, regional. Each has different requirements; the assessment defines what the program must produce.
- Classify personal data through Data Classification
  Tag fields with sensitivity and compliance categorization. The inventory drives every subsequent decision.
- Enable Data Protection and Privacy settings
  Setup > Data Protection and Privacy. Turn on Make Data Protection Details Available and Track Individuals on Opt-In/Opt-Out. The settings expose Individual on Lead and Contact and capture consent changes.
- Configure the Individual object and link from Lead/Contact
  Object Manager > Individual. Set up record types, page layouts, and the lookup from Lead and Contact. The Individual becomes the durable privacy identity.
- Install Privacy Center or build custom DSR workflows
  Privacy Center is the managed app for DSR intake and processing. Alternative: custom Flow or Apex workflows for the same purpose.
- Configure Shield Platform Encryption for high-sensitivity fields
  Sensitive PII, PHI, financial data classified as Confidential or Restricted. Shield is the encryption layer for the data Privacy needs to protect.
- Configure Compliance BCC Email for outbound archive
  Regulated outbound communications need archival for retention and supervisory review.
- Document the program and audit quarterly
  Policies, configurations, evidence trail. The documentation is what regulators ask for; the quarterly audit catches drift.
GDPR, CCPA, HIPAA, regional. Drives requirements.
How the durable privacy identity is structured and linked from Lead/Contact.
Privacy Center managed app or custom-built. Drives operational handling of requests.
Which sensitive fields are Shield-encrypted. Aligned with Data Classification.
Scheduled deletion logic for data past the retention window. Required for regulatory compliance.
- Data Protection and Privacy is a program, not a feature. Rolling out feature-by-feature without coordination produces gaps regulators find.
- Consent flags do not automatically gate marketing sends. Marketing tool integration with consent is the enforcement; misconfiguration produces sends to opted-out recipients.
- Retention is not automatic. Admins must build the automation; the platform provides the policy framework but not the execution.
- DSR handling is operationally heavy. Privacy Center or custom workflows are needed; ad-hoc handling does not scale past a few requests per quarter.
- Regulators ask for evidence, not just configuration. Document the program as you build it; building documentation after the fact is much harder.
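Because consent flags do not gate sends on their own, the quarterly audit can replay the marketing tool's send log against exported consent data and flag every send that should not have happened. The script below is an added example, not Salesforce or Privacy Center code: `IndividualId`, `HasOptedOutOfEmail` and `HasOptedOutSolicit` are standard Contact/Individual fields, while the record IDs, the send-log shape and the rule that a Contact with no Individual link counts as a finding are assumptions.

```python
"""Audit a marketing send log against exported consent data (added example)."""

# Constructed sample exports; IDs are made up for illustration.
INDIVIDUALS = {
    "IND-A": {"HasOptedOutSolicit": False},
    "IND-B": {"HasOptedOutSolicit": True},
}
CONTACTS = {
    "CON-1": {"IndividualId": "IND-A", "HasOptedOutOfEmail": False},
    "CON-2": {"IndividualId": "IND-B", "HasOptedOutOfEmail": False},
    "CON-3": {"IndividualId": None, "HasOptedOutOfEmail": False},
    "CON-4": {"IndividualId": "IND-A", "HasOptedOutOfEmail": True},
}
# Assumed shape of the marketing tool's send export: one row per delivered message.
SEND_LOG = [
    {"contact_id": cid, "campaign": "spring"}
    for cid in ("CON-1", "CON-2", "CON-3", "CON-4", "CON-9")
]


def consent_finding(contact, individuals):
    """Return None if the send was permitted, otherwise a reason code."""
    if contact is None:
        return "unknown_contact"            # send to a record not in the export
    if contact["HasOptedOutOfEmail"]:
        return "contact_email_opt_out"
    ind_id = contact["IndividualId"]
    if ind_id is None:
        return "no_individual_link"         # assumed policy: consent cannot be evidenced
    individual = individuals.get(ind_id)
    if individual is None:
        return "dangling_individual_link"
    if individual["HasOptedOutSolicit"]:
        return "individual_opt_out_solicit"
    return None


def audit_sends(send_log, contacts, individuals):
    """Return (contact_id, campaign, reason) for every send that violated consent."""
    findings = []
    for row in send_log:
        reason = consent_finding(contacts.get(row["contact_id"]), individuals)
        if reason:
            findings.append((row["contact_id"], row["campaign"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_sends(SEND_LOG, CONTACTS, INDIVIDUALS):
        print(*finding, sep="\t")
```

The findings list doubles as audit evidence: an empty result for a quarter is a record that the consent integration held, and a non-empty one pinpoints which campaign bypassed it.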