
4 Salesforce Data Governance Best Practices for Life Sciences

Ed Ponte
Secure for Salesforce Product Manager
March 26, 2021

RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.


The days of the Wild West of data are fading into the rearview, and that means high expectations for maturing industries such as life sciences. Thanks to growth, expansion, and — to some degree — cloud adoption, regulators are keeping a close eye on companies in the space, and shortcomings in data quality and integrity can result in inspections, delayed product approvals, recalls, or even shutdowns. That doesn’t even include the damage to one’s reputation and the crippling fines levied for data violations.

In one recent settlement, violations of the Health Insurance Portability and Accountability Act incurred a $16 million bill, while the Federal Trade Commission has levied fines exceeding $20 million for misleading data practices. The California Consumer Privacy Act limits fines to $7,500 per violation, but there’s no such limit on the number that can be issued — and data breaches can quickly rack up astronomical charges.

While most organizations are taking the prudent steps necessary to protect their data, many are dangerously unaware of their exposure. In particular, life science organizations have adopted Salesforce en masse for the platform’s abilities to fuel sales teams with data, accelerate R&D through data sharing, and improve patient management programs. All these capabilities offer exciting new opportunities, but entering and storing a wealth of private health information also comes with risks that must be addressed.

To begin securing Salesforce against both external threats and internal negligence, follow these four steps:

Understand applicable security and privacy regulations

The specific regulations governing your company will vary. In healthcare, for example, HITRUST certification requires you to prove user access to ePHI on a regular basis. Other regulations such as Europe’s General Data Protection Regulation or the aforementioned California Consumer Privacy Act in the U.S. apply more broadly to the use and storage of customer data, and your company’s own InfoSec policy will also affect your approach to data security and governance controls in the Salesforce environment.

Baseline with an evaluation of existing controls and associated risks

Conducting an audit of your existing security measures is the only way to effectively start shoring up your Salesforce security posture. If it’s your first time performing this type of exercise, start with a user access report. Producing a user access report will show you who has access to what data; nine times out of 10, the findings will alarm you. You might also discover that it’s difficult to even compile this information, which means there’s even more work to do to improve security.

Classify the data in your Salesforce org

You will never know how to protect your data if you don’t know what data needs protecting. Identify and classify all the different types of data in your Salesforce org, and leverage native classification capabilities so that changes are reflected in real time and you’re always working with the most current data. Apply regulatory tags to make it easy to determine why data is classified in a certain way as you go through and look for holes in your security posture.

Revisit your risk posture regularly

Once you’ve implemented your initial set of controls and proved compliance, your work is far from over. Revisiting your risk posture should be part of your normal development processes, particularly as you actively innovate in terms of how you use the platform. Salesforce has incredible data capture and storage capabilities, but those same capabilities can increase risk if they aren’t adopted with security in mind.

Securing the Salesforce platform can be an intimidating proposition for life science organizations, but OwnBackup is here to help. Our solution provides a centralized view of risk, enabling customers to tackle their biggest security shortcomings first. We offer actionable information and simplified reporting to ensure that security gaps are eliminated and that compliance requirements are met.

As Salesforce has grown and evolved, its capabilities have expanded immensely. Even if you started out using the platform one way, your organization might be using it in a completely different way now — capturing PII, ePHI, and other highly regulated data. To meet your data security responsibilities and protect your patients and customers from a potential loss of health and other personally identifiable data, rely on OwnBackup to help you implement data security controls on the Salesforce platform and prevent your company from ending up in headlines for the wrong reason.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.
