Now we’ve made it to the final instalment of our Pillars to Salesforce Security. If you are not caught up, we highly recommend you read through Part 1: User Access & Part 2: System Access.
With that being said, here we’ll be taking a deep dive into Records and Data with the key theme:
Don’t Keep Records and Data You Don’t Need.
One of the first questions you should ask yourself is “What is the cost & risk of the data in my Salesforce org?”
Many companies are reluctant to delete records because they have often paid to acquire those potential customers. Even if a Lead is old (or dead), many will feel that deleting it symbolizes a door closing that cannot be reopened, which can lead to pushback when record deletion is suggested. However, many companies do not realize that the costs and risks of maintaining data in their Salesforce org can be far higher than the cost of acquiring new data.
Retention Policies
Do you know if your company has a data retention policy? There are numerous systems and software available that allow you to automate data removal to align with your company’s policy and minimize internal conflict. If your company does not currently have a data retention policy, a good practice/starting point is to delete non-customer records that have not been updated in the past 18 months.
The following factors should be considered as part of a Data Retention and Deletion Policy:
- Recycle bin
- Salesforce backups
- The retention period for sensitive data
- Drafts and Duplicates
- Automatic deletion process
- Salesforce Sandboxes
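One way to automate the 18-month starting point and the Recycle Bin factor above is a scheduled Batch Apex job. This is an added example, not code from the original article; the class name `StaleLeadPurgeBatch`, the `dryRun` flag, and the reading of "non-customer records" as unconverted Leads are assumptions.

```apex
// Added example, not from the original article.
// Assumption: "non-customer records" means unconverted Leads; adjust the query to your policy.
public class StaleLeadPurgeBatch implements Database.Batchable<SObject>, Schedulable {
    // Retention window taken from the article's 18-month starting point.
    private static final Integer RETENTION_MONTHS = 18;
    private final Boolean dryRun;

    public StaleLeadPurgeBatch(Boolean dryRun) {
        this.dryRun = dryRun;
    }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        Datetime cutoff = Datetime.now().addMonths(-RETENTION_MONTHS);
        return Database.getQueryLocator([
            SELECT Id FROM Lead
            WHERE IsConverted = false AND LastModifiedDate < :cutoff
        ]);
    }

    public void execute(Database.BatchableContext bc, List<SObject> scope) {
        if (dryRun) {
            System.debug(LoggingLevel.INFO, 'Would delete ' + scope.size() + ' stale leads');
            return;
        }
        // allOrNone = false: one locked or protected record does not block the rest.
        List<SObject> deleted = new List<SObject>();
        Database.DeleteResult[] results = Database.delete(scope, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (results[i].isSuccess()) {
                deleted.add(scope[i]);
            } else {
                System.debug(LoggingLevel.WARN, 'Not deleted: ' + scope[i].Id + ' ' + results[i].getErrors()[0].getMessage());
            }
        }
        // Deleted records otherwise remain recoverable in the Recycle Bin; purge them now.
        if (!deleted.isEmpty()) {
            Database.emptyRecycleBin(deleted);
        }
    }

    public void finish(Database.BatchableContext bc) {}

    // Schedulable entry point so the purge runs on a recurring schedule.
    public void execute(SchedulableContext sc) {
        Database.executeBatch(new StaleLeadPurgeBatch(dryRun), 200);
    }
}
```

Run it with `dryRun` set to true first and review the logged counts before scheduling the real purge; copies of the same records in backups and sandboxes are outside what this job touches.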
You may be wondering why it’s so crucial to have a strong data retention policy. A 2021 study from IBM found that 44% of data breaches included PII (Personally Identifiable Information) and the average cost was $180 USD per lost or stolen record. In short, not enforcing a data retention policy not only puts your customers at risk, but is also extremely hazardous to your company’s finances if a breach does occur.
Sandboxes
Sandboxes are very cost-effective and mask your data in a variety of ways, depending on its sensitivity, so that it is not replicated or readable in another environment. Keep in mind that once your sandbox data is masked, it cannot be unmasked. This makes sandboxes poor places to test integrations that vendors and contractors have access to.
Summary
In conclusion, there is a cost to maintaining records in your org for too long. While the retention of data and records can be extremely useful to your company in providing a baseline, it is vital that you know when to part with the data as well – whether it be through masking, deletion, or shredding.