Package: Compliance
Compliance: Overview
About This Guide
This guide is provided for anyone interested in learning:
The detailed capabilities of the Compliance App.
The process for developing, circulating, and enforcing compliance policies.
How to set up your own compliance program within the App.
Overview
The Compliance App is a tool that enables you to develop, document, and enforce policies to protect your business. Policies can include data protection, information security, human resources, and any other policies your business manages.
We recommend that you consult experts and define policies that are appropriate for your business. Compliance does not define or offer advice regarding your actual policies. It merely provides the structure required to manage the policies your company has defined.
Participants
The Compliance App is designed for use by a hierarchy of internal users that define, review, and circulate your policies to internal employees. You should designate a team within your business to review, approve, and disseminate your policies. These team members should access Compliance as full users of Salesforce. They should be assigned Permission Sets for one or more of the following Roles:
Policy Author
Policy Publisher
Compliance Manager
Compliance Auditor
Internal employees are expected to review policies, acknowledge reading them, and periodically review them as part of the compliance process. We recommend that employees who need to be aware of your policies, but are not active in the management of the policy, access the information via a defined Employee Community. The primary purpose of the community is to make the employee aware of the policies and get them to self-acknowledge the policy system and policies. The Employee Permission Set is used with these community users to ensure they have the proper access.
The Compliance App is designed to enable third parties to make requests of your business to provide data, remove information, and request that data be updated. In our system, we expect external constituents to access the system via a Consumer Community site. The Third Party permission set is used with these community users to ensure proper access.
Data Privacy Support in Salesforce
With the release of Spring 2018, Salesforce now provides standard support for tracking Data Privacy Preferences. These preferences are an important part of the process required to comply with:
General Data Protection Regulation (GDPR), European Union
Gramm-Leach-Bliley Act (GLB Act), United States
Canada's Anti-Spam Law (CASL)
The new Data Privacy records are used to track and store customers' preferences for:
Collecting, storing, and sharing their personal data.
Packaging their personal data so they can take ownership of it.
Deleting records and personal data related to them.
Solicitation of products and services.
Tracking their geolocation and web activity.
For a complete reference on support for Data Privacy in Salesforce, refer to the following Community Article in the Trailblazer Community: Store Customer's Data Privacy Preferences. Within Jobscience you can associate each Data Privacy Record with a Contact to track their consent. Even though Data Privacy Records let you track and store certain data privacy preferences, it is up to you to determine how to honor them.
Legitimate Interest
One important class of Compliance Policies is related to the concept of Legitimate Interest. For direct marketers, this will generally involve the proper support for opting out of emails and support for the right to be forgotten. For long-term relationships though, it is often important to know the last time your organization had any interaction with a contact in your database. Interaction in this case means:
Sending an Email or SMS
Making a Phone call
Sending an Invitation for an event
These are all indications of continuing interest in the contact. The problem arises when there is no interaction for extended periods of time. Can you really say you have a legitimate interest in a contact if you have not even emailed them in more than two years?
Applications are usually designed to take action when something happens. This creates a challenge when you want to take action when nothing happens. For example, it is easy to detect no activity for 90 days in Salesforce, but then how do you continue to remind the team to resolve this issue after the initial alert?
The Compliance App provides an object called Legitimate Interest Alert (LIA), which represents a potential challenge to Legitimate Interest. These can be created through any process you want to define, but we provide one method out of the box to detect the inactivity use case mentioned above.
This process is triggered based on the "Last Activity" date on the Contact record. The default time delay is 90 days, but the admin can change it with a setting. Last Activity is reset any time a task or event is created on this Contact. So as long as users are generating activity around this Contact and combining it with a Task or Activity, the trigger will never fire.
If after 90 days there has been no activity, the trigger will fire and create a Legitimate Interest Alert record. The creation of this LIA record can then generate additional actions. The Default Action is to create a Task, assigned to the Owner of the neglected contact, which drives them to review this contact and either interact with them if appropriate or archive the record if that is the process your company wants to follow. You can set a due date on that task which will generate an overdue task as a reminder. You could create a Business Process that sends out an email to the Contact Owner once a Legitimate Interest Alert record is created.
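The inactivity check described above can be modeled as a periodic sweep rather than an event handler. The following is an added illustration, not the Compliance App's code: the `Contact` class, the `sweep` and `overdue` functions, the 14-day task due date, the creation-date fallback for contacts with no logged activity, and the open-alert check that prevents duplicate alerts are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 90   # default delay from the text; admin-configurable
TASK_DUE_DAYS = 14     # assumed due-date offset for the review task

@dataclass
class Contact:            # simplified stand-in, not the Salesforce schema
    id: str
    owner: str
    created: date
    last_activity: Optional[date]   # None = no task or event ever logged

def sweep(contacts, open_alert_ids, today, threshold=INACTIVITY_DAYS):
    """Return (alerts, tasks) for contacts idle longer than `threshold` days.

    open_alert_ids: contact ids that already have an unresolved alert, so a
    repeated run does not raise a second alert for the same contact (assumed).
    """
    cutoff = today - timedelta(days=threshold)
    alerts, tasks = [], []
    for c in contacts:
        # Assumption: a contact with no activity is measured from creation.
        reference = c.last_activity or c.created
        if reference >= cutoff or c.id in open_alert_ids:
            continue
        alerts.append({"contact": c.id, "idle_days": (today - reference).days})
        tasks.append({"assignee": c.owner, "contact": c.id,
                      "subject": "Review legitimate interest",
                      "due": today + timedelta(days=TASK_DUE_DAYS)})
    return alerts, tasks

def overdue(tasks, today):
    """Tasks past their due date: the reminder that keeps the issue visible."""
    return [t for t in tasks if t["due"] < today]

# Constructed sample data
TODAY = date(2018, 6, 1)
CONTACTS = [
    Contact("C1", "alice", date(2017, 1, 10), date(2018, 5, 20)),  # active
    Contact("C2", "bob",   date(2016, 3, 1),  date(2018, 1, 15)),  # idle
    Contact("C3", "bob",   date(2017, 11, 1), None),               # never contacted
    Contact("C4", "carol", date(2015, 7, 1),  date(2017, 9, 1)),   # already alerted
]

if __name__ == "__main__":
    alerts, tasks = sweep(CONTACTS, open_alert_ids={"C4"}, today=TODAY)
    for a in alerts:
        print(a)
    print(overdue(tasks, TODAY + timedelta(days=15)))
```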