A Guide to Salesforce Data Classification

As the volume, variety and velocity of Salesforce data continues to increase at unprecedented rates, the importance of securing this data has grown as well. One particularly important aspect of data security is data classification, which tends to be a complex challenge that many organizations struggle to fully complete. How do we know? Of all of our customers who completed a Risk Assessment for Salesforce last year, none had successfully completed data classification on all fields.

So, to help you conquer the challenge of data classification in Salesforce, let's take a closer look at what data classification is, its role in your overall security and governance strategy, and how to get started classifying your data.

At its core, data classification allows you to better understand the data that your business stores. This information includes not only sensitivity levels and compliance categories, but descriptive details: the type of data, the business owner, what it will be used for, and how it’s shared between systems.  

Having a crystal-clear understanding of the kind of data that exists in each of your systems—such as your Salesforce org—is critical to protecting that data and using it in an effective way. 

For example, if there’s a breach of sensitive, high-value data, are there associated notification requirements? Do you need to encrypt at rest? Do you know all the downstream systems that touch that piece of data? Conversely, if it’s a breach of low-value, public information, InfoSec teams can immediately reassure stakeholders that the fallout will be minimal.

In addition to the obvious security benefits, data classification is that it can help you better leverage your company’s valuable data. Good data management and retrieval processes will always make it easier to identify helpful insights. 

So what are some other benefits of classifying your data?

By providing a quick view of what data you have and where you have it, data classification can benefit you several ways: 

• Data security: As the first step in any security plan, data classification helps inform nearly all aspects of data security, including authentication, authorization, encryption, backup, etc.
• Compliance: Data classification will help you ensure you stay compliant with information security standards, such as SOC 2, ISO 270001, and PCI, as well as regulations including HIPAA, GDPR, and CCPA. 
• Incident response: In the event of a data breach or security incident, you know exactly what data has leaked—whether it’s sensitive and high-value or public and low-value—and can immediately update stakeholders on the fallout (time-sensitive notifications, encryptions, associated systems that link to the data). This saves you a massive amount of stress, as well as reputational and financial damages, and aids any investigations.
• Business operations: Understanding who the data owners are and whether data elements are being used reveals whether that data is valuable to the business. If it isn’t valuable, you shouldn’t maintain or pay to store it. If it does have value, you can dig into how it drives profit and growth.
• Prioritization: Data classification helps right-size your investment in protecting your data. Not all information is created equal, and knowing what’s sensitive and high risk, versus public and low risk, will help you decide where to spend time and money.

Now that you’ve bought into the benefits of data classification, how do you actually do it? 

In Salesforce, you can manually record data sensitivity and compliance categorization at the field level. Salesforce also provides the ability to enable default data sensitivity levels for fields. Once enabled, it is updated on most of the fields on standard and custom objects. You can then create a report on data classification and analyze the data.

Here’s a breakdown of the four metadata fields in Salesforce related to data classification and the default values for each, as outlined on Salesforce’s Help page. Note that picklist values for Compliance Categorization and Data Sensitivity Level can be customized at the org level.

The compliance acts, definitions, or regulations that are related to the field’s data. Default values:

• CCPA: California Consumer Privacy Act
• COPPA: Children’s Online Privacy Protection Act
• GDPR: General Data Protection Regulation
• HIPAA: Health Insurance Portability and Accountability Act
• PCI: Payment Card Industry
• PII: Personally Identifiable Information

NOTE: The field corresponds to the ComplianceGroup field on the FieldDefinition Tooling API.

The person or group associated with this field. The data owner understands the importance of the field’s data to your company and might be responsible for determining the minimum data sensitivity level.

NOTE: The field corresponds to the BusinessOwnerId field on the FieldDefinition Tooling API.

The sensitivity of the data contained in this field. Default values:

• Public: Available to the public to view but not alter.
• Internal: Available to company employees and contractors. This data must not be shared publicly, but it can be shared with customers, partners, and others under a non-disclosure agreement (NDA).
• Confidential: Available to an approved group of employees and contractors. This data isn’t restricted by law, regulation, or a company master service agreement (MSA). It can be shared with customers, partners, and others under an NDA.
• Restricted: Available only to an approved group of employees and contractors. This data is likely restricted by law, regulation, an NDA, or a company MSA.
• MissionCritical: Available only to a small group of approved employees and contractors. Third parties who are given access could be subject to heightened contractual requirements. This data is almost always restricted by law, regulation, an NDA, or a company MSA.

Tracks whether the field is in use. Default values:

• Active: In use and visible.
• DeprecateCandidate: Planned for deprecation and no longer in use.
• Hidden: Not visible and possibly planned for deprecation. Use with caution.

The field corresponds to the BusinessStatus field on the FieldDefinition Tooling API.

While it certainly is helpful and better than not classifying at all, manual data classification in Salesforce will undoubtedly pose several challenges, as it can be:

• Complicated: It’s convoluted and time-consuming to gather a full list of data elements into a spreadsheet, and keep the sheet continually updated.  
• Disconnected: Spreadsheets or documents living outside of Salesforce make it difficult to connect, summarize, and provide visibility into data (and the associated issues and trends).
• Error Prone: Inaccurate (typos) and incomplete data are inevitable when manually updating spreadsheets.
• Messy: Anyone with access can make changes or duplicate spreadsheets, creating version control issues and compromising the integrity of the information.
• Costly and Resource Heavy: Managing and maintaining manual efforts requires significant labor hours from internal resources, which results in indirect costs.

The other option you have to classify your data is to use an automated data classification tool. Using software to automate data discovery and classification in Salesforce simplifies and accelerates these manual processes. By using an automated tool, you can quickly and easily search through and filter your data, identify fields that aren’t classified, and assign classification levels directly – all in real time.

Also, since platforms like Salesforce are easy to modify to support business objectives, development teams are always deploying new data models to their production system. So automating the data classification process can help ensure that your classification efforts keep pace with your ever changing database. 

With OwnBackup Secure, you can find exactly where sensitive information exists in Salesforce and apply the correct compliance and sensitivity categories down to the field level. All this is done within a single view, providing search, filtering, and bulk selection functionality for an efficient user experience. 

Knowing if and how certain fields are being used is another important component of data classification. Secure’s Fill Rates Calculator provides a percentage of records that have entries in each field, so you can prioritize which data is more critical to classify and protect. Once data classification is complete, Secure leverages this information to inform other Salesforce security controls – like profiles and permission settings, encryption, and alerting.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.