customer-data-request-workflow
Implement GDPR/CCPA data subject rights (access, deletion, rectification) using Salesforce Privacy Center and/or custom workflow. NOT for general backup or org-level data retention policy.
Best use case
customer-data-request-workflow is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement GDPR/CCPA data subject rights (access, deletion, rectification) using Salesforce Privacy Center and/or custom workflow. NOT for general backup or org-level data retention policy.
Teams using customer-data-request-workflow should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/customer-data-request-workflow/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How customer-data-request-workflow Compares
| Feature / Agent | customer-data-request-workflow | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement GDPR/CCPA data subject rights (access, deletion, rectification) using Salesforce Privacy Center and/or custom workflow. NOT for general backup or org-level data retention policy.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Customer Data Subject Request (DSR) Workflow A Data Subject Request (DSR) is a regulatory workflow with strict SLAs (30–45 days depending on jurisdiction). Salesforce offers Privacy Center as a managed capability with pre-built Right to Be Forgotten, Data Portability, and Retention policies; for orgs without Privacy Center, this skill defines the equivalent Apex-based workflow and audit schema. ## Recommended Workflow 1. Identify scope: Contact, Lead, Case, and any custom objects referencing the individual (PersonAccount, portal Users, CampaignMember). 2. Choose mechanism: Privacy Center policy (preferred) or custom Apex batch with a hard-delete privacy service. 3. Execute in a sandbox first with a synthetic subject to prove the chain of deletion (no orphan FKs). 4. Run in production; capture a signed audit record (who requested, what was deleted, when). 5. Confirm completion to the requester within the regulatory SLA; retain the audit record per policy retention rules (typically 7 years). ## Key Considerations - Some objects (FieldHistory, RecordAuditTrail) cannot be deleted — document the residual risk with legal. - Backups contain subject data; coordinate with backup vendor for deletion from off-platform copies. - Einstein and Prediction stores may cache features — include the analytics retrain step. - Event logs / FinServ / Shield audit tables may require a separate erasure pipeline. ## Worked Examples (see `references/examples.md`) - *GDPR delete for a Lead + converted Contact* — EU subject asks for erasure; Lead was converted 9 months ago. - *Apex batch equivalent for orgs without Privacy Center* — Platform license, no Privacy Center. ## Common Gotchas (see `references/gotchas.md`) - **Person Accounts complicate identity** — Contact + Account deletion breaks if PersonAccount is referenced in Orders. - **Field History Retention** — FHRetention stores values for up to 10 years; they survive DML. - **Missing audit** — Regulator demands proof; you cannot show what you deleted. ## Top LLM Anti-Patterns (full list in `references/llm-anti-patterns.md`) - Running a hard `DELETE FROM Contact WHERE Email=…` query with no audit - Using the UI 'Delete' button for high-volume DSR — not repeatable, no audit - Ignoring analytics (CRMA) caches that retain PII in datasets ## Official Sources Used - Apex Developer Guide — Sharing — https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_bulk_sharing_understanding.htm - Salesforce Security Guide — https://help.salesforce.com/s/articleView?id=sf.security.htm - Shield Platform Encryption — https://help.salesforce.com/s/articleView?id=sf.security_pe_overview.htm - Session Security Levels — https://help.salesforce.com/s/articleView?id=sf.security_hap_session.htm - CSP and Trusted URLs — https://help.salesforce.com/s/articleView?id=sf.security_csp_overview.htm - API Only User Profile — https://help.salesforce.com/s/articleView?id=sf.users_profiles_api_only.htm - Privacy Center and DSR — https://help.salesforce.com/s/articleView?id=sf.privacy_center_overview.htm
Related Skills
sandbox-data-masking
Use this skill when configuring or reviewing Salesforce Data Mask to protect PII/PHI in partial or full copy sandboxes after a refresh. Trigger keywords: data mask, sandbox masking, PII in sandbox, GDPR sandbox, HIPAA non-production, mask contacts, obfuscate fields non-production. NOT for sandbox refresh mechanics (use sandbox-refresh-and-templates), NOT for production data anonymization, NOT for Shield Platform Encryption at rest.
gdpr-data-privacy
Use this skill when implementing GDPR or CCPA data privacy controls in Salesforce: Individual sObject linkage, consent tracking, Right to Be Forgotten (RTBF) requests, data subject request handling, and Privacy Center configuration. Trigger keywords: GDPR, data privacy, consent management, right to erasure, Individual object, ContactPointConsent, ShouldForget, data subject request, Privacy Center, data portability. NOT for general data quality cleanup, duplicate management, field-level encryption (see platform-encryption skill), or sandbox data masking (see sandbox-data-masking skill).
data-classification-labels
Classify Salesforce fields by data sensitivity and compliance category using the four built-in classification attributes (SecurityClassification, ComplianceGroup, BusinessOwnerId, BusinessStatus). Covers Metadata API deployment, Tooling API querying, and Einstein Data Detect recommendations. NOT for data masking, Shield Platform Encryption, or runtime access control enforcement.
omnistudio-deployment-datapacks
Use when exporting, importing, or version-controlling OmniStudio components using DataPacks via the OmniStudio DataPacks tool or vlocity CLI. Covers DataPack export/import, Git version control integration, CI/CD for OmniStudio. NOT for SFDX-based metadata deployment of non-OmniStudio components.
omnistudio-asynchronous-data-operations
Use Integration Procedures queues, DataRaptor Chain, and Remote Actions with async patterns for long-running OmniStudio flows. NOT for simple DataRaptor reads.
dataraptor-transform-optimization
Use when DataRaptor Transform operations are slow, hit governor limits, or use Apex where formula fields would suffice. Covers formula vs Apex expressions, bulk transform sizing, and chained transform composition. Triggers: 'dataraptor transform slow', 'dataraptor formula vs apex', 'dataraptor bulk transform', 'dr governor limit'. NOT for DataRaptor Extract or Load performance.
dataraptor-patterns
Use when designing or reviewing OmniStudio DataRaptors, especially Extract versus Turbo Extract versus Transform versus Load, field mapping strategy, performance tradeoffs, and when to move work into Integration Procedures or Apex. Triggers: 'DataRaptor Extract', 'Turbo Extract', 'DataRaptor Load', 'DataRaptor Transform', 'OmniStudio data mapping'. NOT for overall OmniScript journey design or Integration Procedure sequencing when the main question is not the DataRaptor shape itself.
lwc-datatable-advanced
Advanced lightning-datatable patterns — inline edit + draftValues, custom cell types via extending LightningDatatable, sortable columns, infinite scroll with onloadmore, row-level errors, and the cost of large data sets. NOT for read-only display of small lists (plain lightning-datatable suffices) or fully custom grids (use a third-party library).
lwc-data-table
Use when designing or reviewing `lightning-datatable` usage in Lightning Web Components, including column configuration, stable `key-field` values, inline editing, row actions, infinite loading, and custom cell types. Triggers: 'lightning datatable inline edit', 'row actions in lwc datatable', 'key field missing', 'infinite loading in datatable'. NOT for highly custom virtualized grids or broad page-performance work outside the datatable boundary.
lwc-custom-datatable-types
Use when you need to extend `lightning-datatable` with custom cell renderings: status pills, progress bars, image thumbnails, action cells, editable pickliststo, rich-text, or any column that `lightning-datatable` does not ship out of the box. Triggers: 'custom cell type lightning datatable', 'progress bar column', 'image column', 'inline edit picklist in datatable', 'rich text column'. NOT for basic datatable usage (see `lwc-data-table`) and NOT for tree-grid or large-dataset virtualization (see `virtualized-lists`).
slack-workflow-builder
Use this skill when designing or troubleshooting Slack Workflow Builder workflows that call Salesforce — especially the Salesforce connector step Run a Flow, mapping inputs/outputs, handling failures, and understanding limits. Triggers on: Slack Workflow Builder Salesforce, Run a Flow from Slack, autolaunched flow from Slack, Slack automation calling Salesforce. NOT for Salesforce Flow Builder tutorials unrelated to Slack (use flow skills), not for Flow Core Actions that send Slack messages from Salesforce (use flow-for-slack), not for initial org-to-workspace connection (use slack-salesforce-integration-setup), and not for building custom Slack apps outside Workflow Builder.
salesforce-data-pipeline-etl
Export large Salesforce datasets to a lakehouse via Bulk API 2.0, CDC streams, or Salesforce Data Pipelines. NOT for ad-hoc exports.