To get a sense of how B2B-oriented companies are responding to the upcoming General Data Protection Regulation (GDPR), we checked in with Salesforce and Demandbase.
While Salesforce is used for consumer-facing marketing and customer management, it is best known as the repository of customer data for salespeople calling on companies.
She told me that Salesforce is building on its existing “sophisticated sharing model,” with lots of new audit fields. The ability to delete an identity across the platform has previously existed, for example, but a release in February made it “easier and more consistent.”
A significant new addition in the February release is the Individual Object, a data container for an individual that now includes consent and privacy settings.
A big issue in data security is data leakage — how personal information gets passed around with third-party vendors and partners. Finch said Salesforce’s contract with those in its large ecosystem now includes specific commitments for GDPR compliance, but those, of course, are all other businesses or organizations.
The platform, she noted, is not in control of how those vendors and partners deal with their individual customers. Consent from individual customers is up to the Salesforce-using business or publisher, which will set up the consent parameters in the new Individual Object.
There are also new kinds of documents, with reports for such GDPR-appropriate functions as consent, data portability and fulfillment of user data requests. An existing product on the platform, called Shield, allows users to track the usage of an individual’s personal data.
Data Protection Impact Assessments are also being added, which help organizations demonstrate their accountability and track various GDPR metrics.
Demandbase: Only for EU citizens
While Salesforce is oriented around its B2B center, Demandbase works exclusively with B2B customers. Its chief privacy officer, Fatima Khan, told me her firm will comply with GDPR for its EU customers, then will see about applying those same standards to customers in other countries.
Because it’s B2B, she noted, those customers often have existing relationships with the publishers or advertisers who use Demandbase. This could give Demandbase’s B2B users a rationale to employ the “legitimate interest” provision in GDPR, which some interpret as meaning consent is not required where there are existing relationships, although others contest that assessment.
Regardless, Demandbase is moving forward to set up internal GDPR tools for its EU users. Those internal tools will offer such functions as allowing Demandbase client companies to more readily delete all personal data about a user or to allow that user to move their data profile elsewhere.
Storing data for EU citizens will be different from storing it for others, with tools offering such functions as auditing. Khan noted that these internal changes “have been a big process” on which the company has been working for many months.
As for external tools, Demandbase said it is “exploring” the IAB’s framework for consent acquisition in advertising, including whether to require its use for any of its partners.
Typically, Demandbase helps websites target content, ads and sales offers to web users, based on their company and their perceived interests.
It tracks hundreds of millions of unique business users monthly, which it categorizes by billions of signals showing intent or interest, such as IP address, browsing trails and information about what their companies are interested in.