If “our similarities bring us to common ground,” (Tom Robbins) we’ve reached our destination.
No doubt you have quite an assembly of tools in your MarTech stack, acquired at various stages of your company's journey. Each technology offers a different solution for your organization, but they all share one piece of common ground: they access your data. Is the GDPR alarm going off in your head? It ought to be, because GDPR treats every technology provider in your stack (e.g. Marketo, Salesforce, Ringlead, ReachForce, Bizible), as well as any agency or service provider that can access your data, as a “data processor.” And GDPR has a lot to say about this role and the responsibilities that come with it. Welcome to GDPR land.
GDPR Compliance: All Aboard
GDPR (Article 4(8)) defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” So all of your external systems, companies, agencies, service partners and contractors that enrich your data, collect data on your behalf, or mine, segment or analyze records (even those handling payroll or other outsourced HR activities) are data processors. Which means… (sound the major GDPR alarm) …each one must be GDPR compliant.
But wait, there’s more.
Did you catch those last few words of the data processor definition, “…on behalf of the controller”? If your MarTech tools, agencies and service partners are data processors, that makes your organization the data controller. And with great responsibility comes greater accountability: it is the data controller (AKA you) who calls the shots on what data is collected, why, and how it is used. Ultimately, YOU, the data controller, are responsible for ensuring that personal information is processed in accordance with GDPR, and YOU can be subject to corrective measures and penalties should something go awry. Additionally, YOU are responsible for using only processors that can provide sufficient documentation of their ability to meet GDPR requirements for both technical and organizational measures, and for binding each of them by a written contract (Article 28). Processors do carry direct obligations of their own under GDPR, such as keeping records of processing and notifying you of a personal data breach without undue delay, but that does not shift your accountability as controller. YIKES!
Takeaway: GDPR has a much broader impact on our operations and organizational structure than what’s on the surface.
How can you mitigate your risks?
Develop your Itinerary
- Take inventory and document your MarTech landscape, identifying all of your processors: agencies, Marketo, deduplication vendors, data enrichment, ABM, CRM… you get the idea.
- Request documentation from each data processor demonstrating that it is GDPR compliant. Most established data processors have already prepared documentation showing their GDPR compliance, and all you will have to do is review it. For instance, Salesforce provides the following information on Trust and Compliance. If you work with a data processor that does not have the documentation readily available, you will need to be proactive in requesting it. Here is an example questionnaire that you could adjust to your specific needs.
- Categorize the returned documentation. Keep a record of all documents, and for any processor that is not compliant, either work with it to become compliant, find a new processor, or decide how to protect yourself for as long as it remains non-compliant.
- Sign a data processing addendum with ...