JourneyBlazers

Five Key Considerations For Implementing Salesforce Marketing Cloud In Regulated Industries

At JourneyBlazers, we do a lot of challenging Salesforce Marketing Cloud implementations within highly regulated industries such as Banking, Insurance, Healthcare and Life Sciences, among others. Our team has successfully advised on and implemented some of the most complex SFMC engagements for clients in these regulated industries.

Below are a few considerations for setting up Salesforce Marketing Cloud to comply with the applicable data protection and privacy regulations. They will give you guidance as you consider implementing SFMC and protecting your brand.

Loop in the Legal team early:

Depending on the industry you are in, you are required to adhere to HIPAA, ACA, SOX, SEC, FINRA and other regulations. It is recommended that you connect with the legal and compliance team early on (trust me, some of these decisions take a long, long time to resolve) and explain to them:

  • How Salesforce Marketing Cloud is going to fit into the existing architecture
  • How data will flow in and out of the platform
  • How each field will be used in the platform, that is, which data points will be brought into the platform to enable marketers to do accurate segmentation and messaging

At a large healthcare company we were brought in to help them migrate from a legacy email marketing platform. The data was being brought in from EPIC into Salesforce Marketing Cloud. The legal team required encryption of personally identifiable data points as well as other disease information. However, the marketers wanted to segment the audience by date of birth and disease information and needed those fields to be queryable to send personalized communications.

(Example: think of an awareness / nurture Journey that requires segmenting females over a certain age for a mammogram.)

As a part of our Discovery, we were able to get the Legal and Marketing teams in the same room to review their business cases (current and future) and align on the segmentation variables while adhering to the regulations.

Do you need Encryption?

Marketing Cloud permits encryption of data at the field level or at the database level. FLE (Field Level Encryption) enables encryption at the field level to facilitate compliance with corporate privacy policies, regulatory requirements, and contractual obligations for handling private data. The system converts encrypted fields to plain text at the time of send.

TDE (Transparent Data Encryption) encrypts data at rest at the database level. We like to have an early conversation with our stakeholders to help decide which type of encryption (if needed at all) satisfies the legal and compliance requirements.

Develop Guidelines for Evolving Requirements:

Teams change, and integrations evolve along with business needs. In the case of Marketing Cloud Connect, it is very easy for Marketers with appropriate permissions to sync additional fields.

We recommend having well-defined documentation to control the integrations and field synchronization into the platform. It is also important to define governance for revisiting the regulations and evaluating your adherence to them at a regular cadence.

Example 1 – if certain fields (Account Numbers, SSN, etc.) are added to the Sales Cloud objects – make sure that there are proper controls in place to restrict these fields from being synced into Marketing Cloud Connect (permissions, FLS, etc.).

Example 2 – if Date of Birth cannot be used – utilize ETL to convert DOB to Age before moving to SFMC and make sure there is thorough documentation on how Date of Birth is being worked around.
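The two examples above can be enforced in one pre-load ETL step. The sketch below is an added example, not JourneyBlazers' code: it passes only allowlisted fields, derives Age from Date of Birth, and records the names (never the values) of withheld fields for the documentation trail. All field names and the allowlist are hypothetical.

```python
from datetime import date

# Assumption: hypothetical field names; the allowlist would come from the
# field inventory agreed with legal and compliance.
ALLOWED_FIELDS = {"SubscriberKey", "Email", "Gender", "State"}
DOB_FIELD = "DateOfBirth"


def age_on(dob: date, as_of: date) -> int:
    """Whole years completed on as_of (a Feb 29 birthday counts from Mar 1 in non-leap years)."""
    if dob > as_of:
        raise ValueError("date of birth is in the future")
    had_birthday = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if had_birthday else 1)


def prepare_for_sfmc(record: dict, as_of: date):
    """Return (outbound row, sorted names of withheld fields). DOB itself is never emitted."""
    # Allowlist, not blocklist: a field newly added upstream is withheld by default.
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    withheld = sorted(k for k in record if k not in ALLOWED_FIELDS)
    out["Age"] = None
    raw = record.get(DOB_FIELD)
    if raw:
        try:
            out["Age"] = age_on(date.fromisoformat(raw), as_of)
        except ValueError:
            pass  # unparseable or future DOB: send no age rather than a wrong one
    return out, withheld


# Constructed sample rows (not real data).
SAMPLE = [
    {"SubscriberKey": "0001", "Email": "a@example.com", "Gender": "F",
     "DateOfBirth": "1972-02-29", "SSN": "000-00-0000", "AccountNumber": "X1"},
    {"SubscriberKey": "0002", "Email": "b@example.com", "Gender": "F",
     "DateOfBirth": "not-a-date"},
]

if __name__ == "__main__":
    for row in SAMPLE:
        outbound, withheld = prepare_for_sfmc(row, as_of=date(2023, 2, 28))
        print(outbound, "| withheld:", withheld)
```

Because the filter is an allowlist, a restricted field added to a source object later stays out of the load until someone deliberately approves it.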

Secure your SFMC Org

Below are a few examples for tightening the security around data access and retrieval for your SFMC Org.

  • Custom Roles – If you are housing PII and restricted data, make sure you have created custom roles with granular permissions that deny all nonessential resources access to data-related features.
  • Audit and Access Logs – SFMC allows for configuration of advanced logging for access to the platform as well as more granular logs on some modules. The advanced features may cost extra. Ensure that your Security / Compliance team gets extracts of these files as required.
  • Export permissions – SFMC allows for the configuration of a set of email addresses or domains to export actual data from the org. Remember you can block export altogether from all roles.
  • Other methods – Features like SSO and Multi-factor login allow for verification of the authenticity of the login. Enable these features to secure your SFMC access.

Consent Management Regulations for Geographically Dispersed Teams:

As a marketer, you are required to adhere to one or more of the regulations below when handling your customer communications.

  • California Consumer Privacy Act (CCPA), United States
  • Telephone Consumer Protection Act (TCPA), United States
  • General Data Protection Regulation (GDPR), European Union
  • Personal Information Protection Act (PIPA), Japan
  • Canada’s Anti-Spam Law (CASL)
 (amongst others)

If you have a single SFMC org that hosts data from different countries / regions in different business units, make sure you are involving the respective legal teams to figure out the right consent flags and processes. (Example: the requirement for soliciting consent before sending out communication is different in CAN-SPAM, CASL and GDPR.)

For a large Financial Services firm that conducted business in 4 countries, we architected a multi-org setup where each country's data was routed to its respective business unit depending on predefined rules. Each of these business units then had automations that looked at various consent and privacy flags to determine what opt-out / unsubscribe / delete flow should be triggered, and when.

If Marketing Cloud is not the source of truth for the consent data – ensure that there are processes in place (SFTP / API) to sync this data back to the source system.

We would love to assist you with your SFMC needs – email us at info@journeyblazers.com