Salesforce Dictionary - Free Salesforce Glossary
Salesforce Consultant
medium

How do you handle data classification and privacy in Salesforce?

Data classification means labelling each field by sensitivity. Those labels drive encryption, access, retention, and audit decisions.

Approach:

1. Classification taxonomy.

Levels (typical):

  • Public — anyone inside or outside the org can see (Industry, Public Holidays).
  • Internal — internal users only (most operational data).
  • Confidential — restricted internal (financials, compensation).
  • Restricted — small group (HR data, deal team data).
  • Mission Critical — highest restriction (legal hold, executive comp).

Compliance categories:

  • PII — personal identifiers (name, email, phone).
  • PHI — protected health (HIPAA).
  • PCI — payment cards.
  • GLBA — financial data.

2. Apply to fields.

Setup -> Object Manager -> per field, set Compliance Categorization and Data Sensitivity Level. These values are stored as field metadata, so they are reportable and help downstream tools enforce policy.

3. Enforce policies.

Classification metadata doesn't enforce anything by itself; you enforce it with:

  • Encryption (Shield Platform Encryption) for Restricted/Mission Critical.
  • Field-Level Security restricts who sees what.
  • Sharing Rules restrict record access.
  • Disable Export for non-trusted profiles.
  • Audit via Event Monitoring for sensitive fields.

4. Privacy regulations:

  • GDPR — right to access, right to be forgotten, data minimisation, lawful basis for processing.
  • CCPA — similar California requirements.
  • HIPAA — US healthcare.
  • LGPD — Brazil.
  • Industry-specific (PCI for payments, FERPA for education, etc.).

5. Privacy Center (Salesforce feature):

  • Manages right-to-be-forgotten requests.
  • Anonymises records.
  • Tracks data subject requests.

6. Data retention.

  • Define how long each data type is kept.
  • Big Object archiving for compliance retention beyond core.
  • Auto-delete or anonymise after expiry.

7. Audit trail.

  • Setup Audit Trail for metadata changes.
  • Field History Tracking + Field Audit Trail (Shield) for data changes.
  • Event Monitoring for runtime activity.

Common pitfalls:

  • Classifying sensitive fields but not encrypting them — half-hearted compliance.
  • No data retention policy — old PII piles up; GDPR risk.
  • No audit trail review — logs exist but nobody looks at them.
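The first pitfall can be checked mechanically by comparing each field's classification metadata with its encryption setting. The Python sketch below is an added example, not part of the original answer. It assumes field definitions retrieved through the Metadata API as CustomField XML, with `securityClassification`, `complianceGroup` (treated here as semicolon-separated) and `encryptionScheme` elements. The field names, sample values and the "Restricted and above must be encrypted" rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumed policy, taken from step 3: these levels require Shield Platform Encryption.
MUST_ENCRYPT = {"Restricted", "MissionCritical"}

def field_xml(level=None, groups=None, scheme=None):
    """Build a constructed CustomField document (sample data, not from a real org)."""
    body = "".join(f"<{tag}>{val}</{tag}>" for tag, val in (
        ("securityClassification", level),
        ("complianceGroup", groups),
        ("encryptionScheme", scheme)) if val)
    return f'<CustomField xmlns="{NS["md"]}">{body}</CustomField>'

# Constructed sample fields covering the compliant and non-compliant cases.
SAMPLE_FIELDS = {
    "Contact.SSN__c": field_xml("Restricted", "PII", "ProbabilisticEncryption"),
    "Employee__c.ExecutiveComp__c": field_xml("MissionCritical"),
    "Patient__c.Diagnosis__c": field_xml(groups="PII;HIPAA"),
    "Account.Industry": field_xml("Public"),
}

def _text(root, tag):
    node = root.find(f"md:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None

def audit_field(xml_source):
    """Return the policy findings for one field definition (empty list = compliant)."""
    root = ET.fromstring(xml_source)
    level = _text(root, "securityClassification")
    groups = [g for g in (_text(root, "complianceGroup") or "").split(";") if g]
    scheme = _text(root, "encryptionScheme") or "None"
    findings = []
    if level is None:
        findings.append("no sensitivity level set")
    if level in MUST_ENCRYPT and scheme == "None":
        findings.append(f"{level} but not encrypted")
    if groups and level in (None, "Public"):
        findings.append(f"regulated data ({'/'.join(groups)}) with level {level or 'unset'}")
    return findings

def audit(fields):
    """Map each non-compliant field name to its list of findings."""
    report = {}
    for name, xml_source in fields.items():
        findings = audit_field(xml_source)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FIELDS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against a real metadata export, a report like this turns the classification exercise into a repeatable control rather than a one-off spreadsheet.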

Senior consultants make data classification a Discovery deliverable — not an afterthought when the auditor arrives.

Why this answer works

This is a senior-level answer. The taxonomy, the regulation list, and the emphasis on audit trails show maturity.
