April 08, 2022

Salesforce Cloud: Are You Compliant with Data Residency Regulations?

Is your Salesforce Cloud compliant with data residency regulations?

Many multinational organizations use Salesforce as their tool of choice for customer relationship management in the cloud. It provides a lot of flexibility and convenience, allowing both access to data from any device and work from any location.

The Salesforce platform has high-security standards, but recent and ongoing changes to global data protection regulations have imposed restrictions in many countries around the world.

This is why highly regulated industries such as healthcare, financial services, and retail will especially need to review their Salesforce cloud data implementation strategy.

Do you have all the necessary local compliance requirements covered? Read this blog to discover why you may need additional software providers like InCountry to help your company with Salesforce data residency and data protection locally. 


Data Residency Laws in Action

Your customers’ data in Salesforce may have to be stored within the country of origin’s borders, depending on the country (or countries) where your business operates. For example, Australia controls its health records, China requires all customer data to be hosted on China-based servers, Russia requires all personal data to be stored in the country, and so on.

For data privacy and security, Salesforce uses the shared responsibility model. For regulated data like Protected Health Information (PHI) and Personally Identifiable Information (PII), Salesforce acts as the data processor, which means that Salesforce is responsible for providing sufficient physical and technical security measures, while Salesforce customers themselves are accountable for the integrity, quality, and usage of the data, as well as the types of data being stored.

Certain industries dealing with personal data are highly regulated – such as healthcare, financial services and retail. Companies in these spheres particularly need to review their Salesforce cloud data implementation strategy, as in many countries customer data is required to be kept on in-country servers. Of course, such rules make using cloud-based CRM systems like Salesforce very complicated when a business operates across borders.

CRM providers naturally attempt to keep up with changes, and Salesforce is notably trying to expand their infrastructure, which is why Salesforce data residency has been introduced with Hyperforce. As of October 2020, they have their data centers running in the following areas, with plans to expand in the coming years: 

  • Chicago, Illinois, United States (USA)
  • Dallas, Texas, United States (USA)
  • Frankfurt, Germany (DE)
  • Kobe, Japan (JPN)
  • London, United Kingdom (UK)
    • London North
    • London West
  • Paris, France (FRA)
  • Phoenix, Arizona, United States (USA)
  • Tokyo, Japan (JPN)
  • Washington DC, United States (USA)
    • Washington DC North
    • Washington DC South

However, these options don’t solve cloud computing issues for every country. This is where InCountry can help you scale your SaaS or other business locally, as we will discuss in this article. But first let’s check restrictions in specific industries. 

Data protection challenges in the financial services industry

The financial services industry typically protects two types of data – PII (personally identifiable information) and PFI (personal financial information), which are non-public information. While PII is regulated across the internet, PFI is particularly regulated, meaning companies need local data residency for Salesforce to comply.

Organizations should understand what data they own and what it is used for: is it going towards marketing purposes, or is the data being retained in order to maintain accurate books and records? Start with identifying what data is collected for your customers versus what data is collected for potential customers.

If you’re dealing with a prospect, laws like CCPA manage their privacy preferences. In particular, under CCPA, if a prospect contacts your organization requesting that their personal data be erased, you need the ability to identify all data associated with that individual and delete it. 

If they aren’t a customer, any data must be removed. To facilitate this process, your company needs methods for identifying who is a client and who is a prospect, locating the information on file and erasing the information promptly. 

Data protection challenges in the healthcare industry

In the healthcare industry in the United States, everything revolves around HIPAA compliance. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a prescriptive set of security standards and requirements intended to protect patient data. HIPAA is so critically important to healthcare organizations that they tend to shy away from newer technologies, especially cloud-based solutions.

To this day, less than half of healthcare IT professionals report being comfortable using cloud-based solutions, and only 30% have a strategy in place to move their organization’s data to the cloud, according to a 2018 survey assessing healthcare IT professionals’ attitudes toward cloud-based solutions.

Yet the healthcare industry is quickly adopting next-generation cloud-based technology solutions after the COVID pandemic.

As healthcare organizations go after cloud technologies, they’re finding that InCountry for Salesforce integration was developed specifically to meet HIPAA’s exacting requirements for compliance, security, governance, and data reporting. Beyond the U.S., life sciences companies typically need to find a local data residency Salesforce solution in other markets as well.

A complete platform to automate cloud data compliance for Salesforce – InCountry

With the InCountry integration for Salesforce you can securely store Salesforce data in over 90 countries, including different records in different countries. This means a Salesforce data residency option wherever you operate, so you can leverage all the benefits of Salesforce while maintaining compliance with regulatory and internal policies, in particular:

  • InCountry’s solutions are HIPAA compliant and PCI DSS certified, so you will accelerate time to compliance and save months of development by using our Salesforce integration.
  • InCountry for Salesforce can store all data in specific countries or a real time copy in a specific country – depending on the relevant regulatory environment.
  • We deliver seamless data residency experience by helping businesses integrate with Salesforce object writes, detail view reads, list view reads and federated search.
  • We provide optional full encryption using NIST-standard SHA-256 hashing and AES-256 encryption.
  • You will minimize risks and total cost of ownership of your own infrastructure.
  • InCountry supports compliance with local country-based regulations such as FZ-152 in Russia.

Key things to consider on your Salesforce compliance journey

The key thing to consider during your compliance journey is how you can future-proof your privacy posture against emerging local legislation, because compliance requirements have become the new normal of handling customer data.

Data localization acts are a powerful driver to rethink what you’re doing with customer data, how to reconfigure sensitive information you’re processing for customers, and how to extend trust by offering additional transparency, visibility, and control over customers’ PII. A good Salesforce data residency option will help you answer all of these questions.

Why does privacy matter? Because it enables trust. And trust results in successful business and loyal customers.

Data safety regulations are becoming so omnipresent they can’t be ignored. It is up to companies using Salesforce to ensure the protection of their customers’ information and to solve for Salesforce data residency, that is, adhering to compliance laws defining where customer-related information shall be stored. And InCountry is a great solution for that.