The loss of critical, and often sensitive, information can severely impact the profitability and innovation of your organization — and with consumer awareness of data protection on the rise, it’s no surprise that data security has become a mandatory responsibility for organizations running Salesforce.
What is data classification in Salesforce?
To protect your most sensitive data, you need to know where to find it. And that’s where data classification comes in. In Salesforce, data classification provides a solid foundation for security, giving you a high-level overview of what’s in your Org, and where IT resources should be deployed.
So, what is data classification? It’s simply the process of organizing your data into defined categories according to its sensitivity level. Each category corresponds to an impact level and a recommended security/access protocol; public data, for example, can be viewed by anyone, but requires controls to prevent unauthorized editing. Sensitive or confidential data, on the other hand, needs to be more tightly protected, especially if regulations like HIPAA or GDPR are in scope.
By understanding where different types of data are stored, enterprises are able to build effective and precise controls to protect it.
What does data classification look like in Salesforce?
Your Salesforce Org is home to hundreds of different types of information, from customer names and email addresses to business-critical financial records. To help keep track of this information, Salesforce introduced data classification metadata fields as part of its ‘19 summer release. This feature allows you to add data classification tags to any field in a standard or custom Object.
Salesforce data classification gives you four fields to categorize and classify data in your Org: Compliance Categorization, Data Owner, Field Usage and Data Sensitivity Level. Here’s a look at what each of these mean.
Data Sensitivity
The first question you’ll want to ask about a field is ‘how sensitive is it?’ Who should be able to see it? Who should be able to edit it? Salesforce gives you several default values for this classification:
- Public: available to the public to view but not alter
- Internal: available to company employees and contractors; must not be shared publicly, but can be shared with customers, partners and others under a non-disclosure agreement (NDA)
- Confidential: available to an approved group of employees and contractors; not restricted by law, regulation or a master service agreement (MSA), and can be shared with customers, partners and others under an NDA
- Restricted: available only to an approved group of employees and contractors; likely restricted by law, regulation, an NDA or MSA
- MissionCritical: available only to a small group of approved employees and contractors; third parties who are given access could be subject to heightened contractual requirements, and almost always restricted by law, regulation or an NDA/MSA
Compliance Categorization
Highly sensitive data may be subject to regulatory scrutiny; the Compliance Categorization field gives you a way to identify data with special privacy requirements that will require additional security controls. Out of the box, Salesforce comes with data classification tabs for the following regulatory standards:
- CCPA (California Consumer Privacy Act)
- COPPA: (Children’s Online Privacy Protection Act)
- GDPR: (General Data Protection Regulation)
- HIPAA: (Health Insurance Portability and Accountability Act)
- PCI: (Payment Card Industry)
- PII: (Personally Identifiable Information)
Organizations in highly regulated industries — healthcare, life sciences and finance are three common examples — can benefit from using these fields to identify and track data that will be of concern to auditors.
Data Owner
This classification specifies the group or person associated with the field — ie. the person who can answer the questions, ‘Is this important?’ and ‘Can I change this?’ As a result, the data owner should be someone who understands the importance of the field’s data to your company; they will likely also be responsible for determining the minimum data sensitivity level and any relevant controls around it.
Field Usage
Finally the Field Usage classification tracks whether the field is in use, which can be useful when conducting a clean up project. The available categories include:
- Active: In use and visible
- DeprecateCandidate: Planned for deprecation and no longer in use
- Hidden: Not visible and possibly planned for deprecation — use with caution
Regularly cleaning up unused customizations is key to both user adoption and overall Org performance. By using this field, you can flag potential candidates for deprecation (and if you check the data owner classification, you’ll know who to talk to next) and streamline your Org.
Netwrix Strongpoint offers a set of tools and a proposed cadence for safe, effective Org cleanup. With or without data classification enabled, we can help you identify unused customizations and other candidates for deprecation, run impact analysis and route approvals to the appropriate authority.
Why Use Salesforce’s Data Classification Feature?
While many organizations create their own data classification model (learn more about data classification for compliance), starting with Salesforce’s native data classification capabilities can be the perfect baseline for your business.
This strategy goes beyond improving data organization — from data protection and risk management to improving user productivity, there are multiple benefits to properly categorizing your data. It is an invaluable component of your security strategy that also helps to ease some of the uncertainty around understanding the information in your system.
Data Classification in Salesforce with Netwrix Strongpoint
Our native data classification app builds on Salesforce’s data classification tool to automate the most time-consuming parts of getting it set up and keeping it updated — while still giving you all of the benefits of data classification in your Org.
We start by automatically finding and classifying your sensitive data according to the rules you’ve set out. Then, we give you a suite of tools for managing it — managing user permission levels, automating data subject review/deletion requests, running data cleanup projects, and tracking everything in an audit-ready package.
