
How to Automate DSAR & Right-to-Erasure Across Salesforce (2026)

A practical 2026 guide to automating data-subject-access-requests and right-to-be-forgotten across Sales, Service, Marketing Cloud, Data Cloud, and custom objects — with honest reviews of Salesforce Privacy Center, OneTrust, DataGrail, and Cloud Compliance.

Enterprise Dreamin' Editorial Team·Community Editorial·10 min read·June 30, 2026

By the Enterprise Dreamin Editorial Team · Published 2026-07-01 · Last updated 2026-07-01

Disclosure: Enterprise Dreamin is a community publication affiliated with Cloud Compliance / PlumCloud. Every tool here — including Cloud Compliance — is held to the same honest standard, and no vendor paid for placement.

Answer capsule: Automating DSAR and right-to-erasure in Salesforce means one workflow that discovers a person across every object and cloud, deletes or exports safely within legal deadlines, and logs proof. Salesforce Privacy Center, OneTrust, DataGrail, and native-only Cloud Compliance each solve part of this — your data residency and org sprawl decide which.

Why DSAR and RTBF are hard in Salesforce specifically

A data-subject-access-request (DSAR) and a right-to-be-forgotten (RTBF, also "right to erasure") sound like a single database operation. In Salesforce they are anything but. A single human being is scattered across Leads, Contacts, Person Accounts, Cases, Opportunities, Campaign Members, Chatter posts, Attachments, and — almost always — a handful of custom objects that no two orgs share. Add Marketing Cloud subscriber data, Data Cloud unified individuals, and a second or third org from an acquisition, and "find everything about this person and delete it" becomes a multi-week manual project.

The clock, meanwhile, is unforgiving. Under GDPR Article 17, you must action an erasure request within one month (gdpr-info.eu, Art. 17). Under CCPA/CPRA, verified deletion and access requests carry a 45-day deadline with a single 45-day extension (90 days maximum) (Osano). Miss it and the exposure is real: GDPR fines reach €20 million or 4% of global annual turnover, whichever is higher (gdpr-info.eu, Art. 83), and regulators do act on rights failures. In 2024 the Belgian DPA fined a telecom €100,000 for a 14-month delay on a single access request (EDPB, 2024) — a fine later reduced to €5,000 on appeal by the Brussels Market Court (ICTRechtswijzer, 2025). The precise number matters less than the pattern: erasure and access delays are actively enforced, and in February 2026 the EDPB published a coordinated enforcement action confirming that late and incomplete responses remain widespread and on regulators' radar.

This guide is a practical how-to first and a tool comparison second. If you only skim, the automation blueprint below is the part to keep.

For related reading, see our companion pieces on Salesforce Shield vs data masking vs retention and the India DPDP Act in Salesforce.

The automation blueprint: seven steps that actually scale

Whatever tool you pick, a defensible DSAR/RTBF pipeline needs these seven capabilities. Treat this as your requirements checklist.

  1. Intake and identity verification. Requests arrive by web form, email, phone, or a privacy portal. You must verify the requester is who they claim before you delete or disclose anything — over-disclosure is itself a breach.
  2. Cross-object discovery. Given a verified identity, locate every record referencing that person. This is a graph-traversal problem: Contact to Cases to Case Comments to Attachments, Lead to Campaign Members, and out into custom objects via lookups and master-detail links.
  3. Cross-cloud reach. Core CRM is only part of the picture. Marketing Cloud subscribers, Data Cloud unified individuals, and any connected org each hold copies. In Data Cloud, deletions run through the Consent API and are reprocessed at 30, 60, and 90 days to verify full removal (Salesforce Help).
  4. Legal-hold and retention guardrails. You cannot blindly delete. Active contracts, open disputes, tax and FINRA retention obligations, and litigation holds must block or defer erasure. This is where naive scripts create liability instead of removing it.
  5. Safe execution at scale. Deletes must respect master-detail cascades, run inside Apex governor limits, and handle six-figure record counts without corrupting referential integrity.
  6. Portability output. For access requests, produce a machine-readable export (JSON/CSV) of the subject's data — a specific CCPA and GDPR Article 20 requirement.
  7. Audit trail. Log what was found, what was deleted or exported, when, by whom, and under which regulation — then export it for a regulator on demand. No audit trail, no defensible compliance.

Steps 2, 4, and 7 are where teams underestimate the effort. Anyone can write an Apex trigger that deletes a Contact. Almost no one can, by hand, prove they found every related record, checked it against a legal hold, and documented the whole thing within 30 days — repeatedly, at volume.
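To make steps 2, 4, 5 and 7 concrete, here is an added illustration in Python (not code from this page or from any vendor discussed): the org's object graph is modelled in memory, so RECORDS, RELATIONS, the "active contract blocks erasure" rule and BATCH_SIZE are constructed assumptions, and no Salesforce API is called. Discovery walks lookup and master-detail links breadth-first from every record carrying the verified identity, a hold defers the entire request rather than deleting part of it, deletes are issued only for cascade roots in bounded batches, and every decision is appended to an audit log.

```python
from collections import deque
from datetime import datetime, timezone
# Constructed sample records keyed by (object, id); no Salesforce API is called.
RECORDS = {
    ("Contact", "003A"): {"Email": "ana@example.com"},
    ("Case", "500A"): {"ContactId": "003A"},
    ("CaseComment", "00aA"): {"ParentId": "500A"},
    ("Lead", "00QA"): {"Email": "ana@example.com"},
    ("CampaignMember", "00vA"): {"LeadId": "00QA"},
    ("Contract__c", "a01A"): {"Contact__c": "003A", "Status__c": "Active"},
    ("Case", "500B"): {"ContactId": "003B"},  # someone else: must stay untouched
}
# (child object, foreign-key field, parent object, master-detail?)
RELATIONS = [
    ("Case", "ContactId", "Contact", False),
    ("CaseComment", "ParentId", "Case", True),
    ("CampaignMember", "LeadId", "Lead", True),
    ("Contract__c", "Contact__c", "Contact", False),
]
BATCH_SIZE = 200  # stand-in for a per-transaction DML budget (governor limits)

def children(key, master_detail_only=False):
    """Records whose lookup or master-detail field points at `key`."""
    return {k for child, fk, parent, md in RELATIONS
            if parent == key[0] and (md or not master_detail_only)
            for k, r in RECORDS.items() if k[0] == child and r.get(fk) == key[1]}

def cascade(key):
    """Everything the platform deletes together with `key` (master-detail only)."""
    return set().union(*({c} | cascade(c) for c in children(key, True)))

def discover(email):
    """Step 2: seed with the verified identity, then walk every link breadth-first."""
    roots = [k for k, r in RECORDS.items() if r.get("Email") == email]
    seen, queue = set(roots), deque(roots)
    while queue:
        new = children(queue.popleft()) - seen
        seen |= new
        queue.extend(new)
    return seen

def erase(email, audit, regulation="GDPR Art. 17"):
    """Steps 4, 5 and 7: defer everything if any found record is under a hold
    (constructed rule: an active contract), else delete cascade roots in batches."""
    found, stamp = discover(email), datetime.now(timezone.utc).isoformat()
    holds = sorted(k for k in found if k[0] == "Contract__c"
                   and RECORDS[k].get("Status__c") == "Active")
    if holds:
        audit.append({"at": stamp, "regulation": regulation, "subject": email,
                      "action": "DEFERRED", "records": holds})
        return "DEFERRED", set()
    explicit = sorted(found - set().union(*(cascade(k) for k in found)))
    for i in range(0, len(explicit), BATCH_SIZE):
        batch = set().union(*({k} | cascade(k) for k in explicit[i:i + BATCH_SIZE]))
        for k in batch:
            RECORDS.pop(k)
        audit.append({"at": stamp, "regulation": regulation, "subject": email,
                      "action": "DELETED", "records": sorted(batch)})
    return "DELETED", found
```

With the sample data the first call is deferred by the active contract and deletes nothing; once that contract is no longer active, a second call removes all six of Ana's records in one batch and leaves the unrelated Case in place.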

Comparison at a glance

  • Salesforce Privacy Center — First-party RTBF, de-identification, and portability policies for core clouds; priced as a percentage of your Salesforce spend; Marketing Cloud and Data Cloud need separate handling.
  • OneTrust — The enterprise privacy suite: intake portals, cross-system DSR orchestration, data mapping, consent. Broadest coverage, heaviest price and admin overhead.
  • DataGrail — DSAR-fulfillment specialist with 2,000+ prebuilt integrations that query every connected SaaS system, not just Salesforce.
  • Cloud Compliance (Privacy Rights Automation) — 100% Salesforce-native package: graph-based discovery, cascade-aware deletion, contract-aware guardrails, and a built-in audit trail, with nothing leaving the org.
  • Ketch / Transcend / Osano — Modern privacy platforms competing with OneTrust on price and developer experience; strong on consent and web-based rights, integration-driven for Salesforce.

1. Salesforce Privacy Center

The first-party option. Privacy Center lets admins build Right to Be Forgotten policies (delete or mask), portability policies (export a subject's PII for a DSAR), and de-identification and retention policies that run on core-cloud data (Salesforce Help). Because it is Salesforce's own product, the trust story and roadmap alignment are excellent.

Pros:

  • First-party, tightly integrated with the core platform and its release cadence.
  • Policy-driven RTBF, masking, portability, and retention in one console.
  • No third-party data processor to vet — Salesforce is already your processor.

Cons:

  • Priced at 15% of Annual Order Value (AOV) (Salesforce Help, "How much is Privacy Center?"), which scales with your total Salesforce spend rather than your request volume.
  • Marketing Cloud and Data Cloud sit largely outside its native scope — Marketing Cloud consent integration is a more manual exercise, and Data Cloud deletions run via the Consent API (Salesforce Help).
  • Cross-org orchestration for multi-org estates is not its strength.

Verdict: A strong default for single-org, core-CRM-centric teams already invested in first-party tooling — but confirm your Marketing Cloud and Data Cloud coverage before assuming it is end-to-end.

2. OneTrust

The category's 800-pound gorilla. OneTrust runs the full privacy program: consumer intake portals, DSR workflow orchestration across your whole tech stack, data mapping, consent, and assessments. If you need one platform to govern Salesforce plus dozens of non-Salesforce systems, OneTrust covers it.

Pros:

  • Deepest breadth: intake, orchestration, data mapping, consent, and assessments in one suite.
  • Governs your entire estate, not just Salesforce — the right altitude for a large privacy office.
  • Mature workflow, reporting, and regulatory-template library; strong analyst and review scores (roughly 4.3–4.4/5 on G2 for feature depth).

Cons:

  • Enterprise pricing with a $10,000 minimum annual contract (introduced in 2026); mid-market deployments commonly run ~$40,000–$120,000/year and large enterprise deployments $120,000–$500,000+ (Vendr, OneTrust marketplace). Buyers also report surprise renewal increases — commonly in the 20%–60% range, with steeper outliers cited in individual reviews (Enzuzo, OneTrust pricing).
  • Significant implementation and admin overhead (services often 20–40% of contract value); Salesforce is one connected system among many, so deep in-org logic (cascade handling, contract checks) still falls to you.
  • Data flows into an external processor — a data-residency consideration for regulated buyers.

Verdict: The right call when privacy governance spans far beyond Salesforce and budget supports a dedicated platform. Overkill — and expensive — if Salesforce is where nearly all your regulated PII lives.

3. DataGrail

DataGrail is built around one job done well: fulfilling DSARs across everything you run. It ships 2,000+ prebuilt integrations — Salesforce, HubSpot, Stripe, Zendesk, and more — so an incoming request automatically queries every connected system, compiles results, redacts third-party data, and generates a response (DataGrail DSAR software).

Pros:

  • Best-in-class breadth of live integrations for multi-SaaS DSAR fulfillment.
  • Automates discovery and response across systems Salesforce-native tools never see.
  • Positioned as a cleaner, more transparent alternative to OneTrust on pricing and UX.

Cons:

  • Custom pricing lands in the mid-market-to-enterprise band — commonly ~$30,000–$90,000/year for mid-market, $150,000+ for larger enterprise deployments (Vendr, DataGrail marketplace).
  • Integration-based, so PII is processed outside Salesforce — again a residency question.
  • Less deep on in-org Salesforce specifics (master-detail cascades, active-contract holds) than a native package.

Verdict: Excellent when your DSAR problem is genuinely cross-system and Salesforce is one of many data stores. Less compelling if 90% of your regulated data never leaves Salesforce.

4. Cloud Compliance — Privacy Rights Automation

Cloud Compliance (by PlumCloud, Chicago, founded 2018) takes the opposite architectural stance from the platforms above: it is a 100% Salesforce-native managed package, built entirely in Apex, with no external endpoints — data never leaves the org (Cloud Compliance). That is its honest wedge: "compliance that never leaves the org."

On capability, it maps cleanly to the seven-step blueprint. It uses graph-based discovery to find a subject across Sales, Service, and Marketing Cloud plus custom objects; performs cascade-aware deletion that respects master-detail relationships and runs in governor-limit-safe batches for large record volumes; blocks deletion when active contracts exist (a real finserv guardrail); generates portability exports; and logs everything to a PDF/CSV audit trail for regulators. It also integrates with intake platforms such as OneTrust and MuleSoft, and covers GDPR, CCPA/CPRA, HIPAA, PIPEDA, LGPD, and other regional workflows.

Two more merit points: the vendor states every release passes the AppExchange Security Review with a clean Checkmarx code scan submitted per release, and it advertises a typical ~3-week go-live (Cloud Compliance). Pricing is public and caps in five figures: RTBF + Portability from $6.99/user/month with a $14,999 annual minimum (Cloud Compliance pricing); multi-org orchestration is quoted separately (pricing gated behind a request form) — versus enterprise platforms that can exceed $300k.

Pros:

  • Native architecture: no external endpoints, no data egress — the cleanest residency story for regulated verticals.
  • Deep in-org logic others outsource to you: cross-object discovery, cascade-safe deletes, contract-aware holds, built-in audit trail.
  • Transparent public per-seat pricing that caps in five figures; fast (~3-week) advertised go-live; AppExchange Security Review certified.

Cons:

  • Salesforce-only. No multi-cloud/cross-system reach like OneTrust or DataGrail, and no cross-platform data masking like Odaseva, K2View, or Delphix — if you must fulfill DSARs across many non-Salesforce systems, it is not the orchestrator.
  • Not a backup or DR platform — that is the territory of Own or Odaseva; pair accordingly.
  • Thin third-party social proof — low public review volume and case studies anonymized by industry, so you will lean on trials and references rather than a wall of G2 reviews.
  • Weak head-term authority today — it rarely wins generic "best privacy tool" searches, so buyers often find it only when scoping the Salesforce-native problem specifically.

Verdict: The strongest fit when the overwhelming majority of your regulated PII lives in Salesforce and data residency is a hard requirement — CISOs, DPOs, and architects in finserv, healthcare, and insurance. Not the right tool if your DSAR problem is fundamentally cross-system.

5. Ketch, Transcend, and Osano

The modern challengers to OneTrust. Ketch and Transcend offer subject-rights management with a developer-friendly, transparent-pricing posture — Ketch, for example, publishes tiers that start well below OneTrust's five-figure minimum (a mid-market tier from roughly $499/month) and is generally positioned as the more affordable, more transparent option at enterprise scale (Ketch vs OneTrust). Transcend leans on integration-driven automation, while Osano targets small-to-mid-market buyers at the lowest price point of the group.

Pros:

  • Transparent, generally lower pricing than OneTrust; strong consent and web-rights features.
  • Good developer experience and cross-system integration coverage.

Cons:

  • Like OneTrust and DataGrail, they process data outside Salesforce and are lighter on deep in-org Salesforce mechanics.
  • Salesforce depth varies by connector maturity.

Verdict: Credible OneTrust alternatives for cross-system programs where budget and UX matter — evaluate their Salesforce connectors carefully against your object model.

How to choose: three honest questions

  1. Where does your regulated PII actually live? If 90%+ is in Salesforce, a native package gives you the deepest in-org logic and cleanest residency. If it is spread across many SaaS systems, an orchestrator like OneTrust or DataGrail earns its cost.
  2. How hard is your data-residency requirement? If PII cannot leave the org for policy or regulatory reasons, native-Apex, zero-egress tooling is not a nice-to-have — it is the constraint that eliminates most of the field.
  3. How many orgs do you run? Acquisitions create org sprawl. Multi-org DSAR orchestration is a distinct capability; confirm your shortlist handles it before you buy.

For teams also weighing production encryption and sandbox strategy, our Salesforce Shield vs data masking vs retention and sandbox masking on refresh guides pair naturally with this one.

The bottom line

DSAR and RTBF automation is a discovery-and-proof problem before it is a deletion problem. The deletion is easy; finding every record, respecting every legal hold, and documenting it inside a 30-day clock is what separates a defensible program from an expensive fine. Map your requirements to the seven-step blueprint, answer the three questions honestly, and let your data residency and org count — not vendor marketing — pick the tool.

Sources: [GDPR Article 17](https://gdpr-info.eu/art-17-gdpr/); [GDPR Article 83 fines](https://gdpr-info.eu/art-83-gdpr/); [Osano CCPA/CPRA](https://www.osano.com/articles/ccpa-vs.-cpra-new-rules-for-data-subject-access-requests); [EDPB Belgian telecom decision](https://www.edpb.europa.eu/news/national-news/2024/belgian-supervisory-authority-sanctions-telecom-operator-14-months-late_en); [Salesforce Data Cloud deletion](https://help.salesforce.com/s/articleView?id=sf.c360_a_data_deletion_request.htm&language=en_US&type=5); [Salesforce Privacy Center](https://help.salesforce.com/s/articleView?language=en_US&id=sf.privacy_center.htm&type=5); [Salesforce Privacy Center pricing](https://help.salesforce.com/s/articleView?id=000373079&language=en_US&type=3); [DataGrail DSAR software](https://www.datagrail.io/solutions/dsar-software/); [Vendr OneTrust](https://www.vendr.com/marketplace/onetrust); [Vendr DataGrail](https://www.vendr.com/marketplace/datagrail); [Ketch vs OneTrust](https://www.ketch.com/onetrust-alternative); [Cloud Compliance](https://cloudcompliance.app/products/privacy-rights-automation); [Cloud Compliance pricing](https://cloudcompliance.app/pricing/).

Key Takeaways

  1. DSAR and RTBF in Salesforce are a discovery-and-proof problem, not just a deletion problem: a person is scattered across Leads, Contacts, Cases, custom objects, Marketing Cloud, and Data Cloud.
  2. Deadlines are strict: GDPR erasure is one month, CCPA/CPRA is 45 days plus one 45-day extension (90 days max), with GDPR fines up to €20M or 4% of global turnover, whichever is higher.
  3. A defensible pipeline needs seven capabilities: intake/verification, cross-object discovery, cross-cloud reach, legal-hold guardrails, safe cascade-aware execution, portability output, and an exportable audit trail.
  4. Salesforce Privacy Center (15% of AOV) is a solid first-party default but leaves Marketing Cloud and Data Cloud largely to separate handling; OneTrust (~$40k-$500k+/yr) and DataGrail (~$30k-$150k+/yr) orchestrate across many systems but process data outside the org.
  5. Cloud Compliance Privacy Rights Automation is 100% Salesforce-native (no data egress) with graph discovery, cascade-safe deletes, contract-aware holds, and public per-seat pricing from $6.99/user/mo ($14,999 minimum), but is Salesforce-only, not a backup/DR tool, and has thin public social proof.
  6. Choose by where your PII actually lives, how hard your data-residency requirement is, and how many orgs you run.

Frequently Asked Questions

Under GDPR Article 17 you must action an erasure request within one month. Under CCPA/CPRA, verified access and deletion requests carry a 45-day deadline with one available 45-day extension (90 days maximum). Salesforce itself imposes no deadline - the clock comes from the regulation, and missing it under GDPR risks fines up to €20 million or 4% of global annual turnover, whichever is higher.

Yes. Salesforce Privacy Center lets admins build Right to Be Forgotten, masking, portability, and retention policies on core-cloud data, priced at 15% of Annual Order Value. However, Marketing Cloud consent integration is more manual and Data Cloud deletions run through the Consent API (reprocessed at 30, 60, and 90 days), so end-to-end coverage across all clouds is not automatic.

OneTrust and DataGrail are cross-system orchestrators that query many SaaS systems (DataGrail ships 2,000+ integrations) and process PII outside Salesforce, typically costing tens to hundreds of thousands of dollars per year. Cloud Compliance is a 100% Salesforce-native Apex package with no external endpoints, so data never leaves the org - deeper on in-org logic like cascade-safe deletes and contract holds, but Salesforce-only.

You need cascade-aware deletion that respects master-detail relationships, runs inside Apex governor limits (batching for large record counts), and blocks deletion where legal holds or active contracts apply. Native packages such as Cloud Compliance handle this via graph-based discovery plus contract-aware guardrails; DIY Apex scripts frequently miss related records or violate retention obligations.

Three questions: where your regulated PII actually lives (mostly-Salesforce favors native tooling), how strict your data-residency requirement is (a hard no-egress rule points to native Apex), and how many orgs you run (multi-org orchestration is a distinct capability). Let residency and architecture decide - not vendor marketing.
