
Champion Program

15 Posts authored by: Michelle Miles Champion

Just when you thought the topic of GDPR might settle down, it’s still hot news. A little more than a month after the enforcement date, big names are reported for compliance violations, major US publishers block European visitors, and data privacy measures get a little closer to home.

Forced Consent Complaints

It wasn’t much past midnight on GDPR’s official enforcement date when the first complaints were filed. Apparently, tech giants make for easy targets with a slew of complaints filed against Google and Facebook, claiming forced consent. In other words, both platforms require users to give “all or nothing” consent in order to use their respective software vs. parsing data consent areas and allowing users to provide individual consent for each use. Similar complaints have since been filed against Apple, Amazon and LinkedIn. Are the violations legitimate? All are still pending; no resolution or fines have been assessed.

Blocked Media Sites

Some major US publishers have taken a different route to GDPR compliance by blocking EU visitors entirely. The Los Angeles Times and the Chicago Tribune are two of the bigger media companies blocking EU visitors due to non-compliant ad targeting practices. Other publishers, including USA Today, are displaying non-targeted ads, while Meredith and The Washington Post have started asking visitors to agree to new site terms in order to view their sites, including an upsell to an ad-free option. Publishers—particularly The Los Angeles Times—need to get this figured out as the data privacy landscape is about to get even more complicated.

The Golden State Adopts GDPR-Like Legislation

Barely one month after GDPR went into effect, California Governor Jerry Brown signed The California Consumer Privacy Act, aimed at protecting the data privacy rights of California residents. Much like GDPR, California’s act seeks to give consumers more control over personal data usage, including the right to know how data will be used, what data is being collected and sold, and the right to complete data deletion. The bill, still in early stages, will likely be amended before the enforcement date of January 1, 2020. And if you think this is just hype or California making noise, keep in mind California was the initiator of anti-spam email statutes, later to be replaced by the federal legislation we now know as the CAN-SPAM Act. Privacy legislation is coming to the United States—be prepared!

GDPR—Still on the Radar

In just the first month of enforcement, we’ve seen complaints filed, organizations suspending service to Europeans, and copy-cat legislation emerge. The bottom line in all of this is, best data practices need to be our baseline standard. GDPR’s enforcement date is just the beginning; taking proactive measures now will ensure you’re prepared for new legislation, without interruption to your business operations. Recommended reading:

 

How to Avoid a €20 Mistake with your Data: Tips for ensuring your database is clean, junk records removed, and country data normalized.

 

Requirements for Consent – What You Need to Know: Understand what GDPR requires for consent plus how it compares to CASL requirements.

 

And of course, leave your comments below and together, we’ll support each other through another round of compliance preparations.

 

 

As originally published on the Perkuto blog.

Years in the making, months of blogging and it’s finally here: GDPR becomes officially enforceable in a matter of hours. Are you ready?

 

If not, here are a few quick pointers and resources to assist in your efforts.

 

Consent

The topic of consent is easily the most discussed. Key points:

 

Explicit permission is required; implied consent no longer qualifies.  If you are claiming legitimate interest, consult your legal team first.

 

Documentation is just as necessary as capturing consent.  All EU records in your database should have:

  • Opt-in date and timestamp
  • Opt-in source
  • Opt-in IP address (if available)

 

Remember, you can’t “buy” consent.  In other words, you cannot make consent a requirement to downloading a promoted white paper.  You CAN include a consent option on your form as an unchecked checkbox.

 

Be sure to link all your forms and communications to your privacy policy. Let your privacy policy do the heavy lifting, meaning it should contain all the details about data usage, storage, and protection.

 

Transparency in Data Usage

 

Under GDPR, lead scoring is considered user profiling, which now requires user consent. The same thing with any other propensity to purchase calculations—if you are using this to schedule follow-up sales calls, you must have permission to use an individual’s data in this capacity.

 

Data enhancements must also be declared, and past data audited. If you are enriching your data from a third party source, you need to state the origin and purpose.  Also think about where in the cycle your enrichment occurs, to avoid paying for enhancement if you do not have permission to retain records in your database or if data is kept for a limited period. (Ex: event reminders)

 

Munchkin code / Cookies

GDPR changes how we can use cookies but does not entirely rule them out. Cookie usage must be declared; “by using this website you agree…” messages no longer comply. Visitors must be given the option to accept or decline cookie tracking. If they refuse, then you have no choice but to disable cookies.

 

Just a reminder too, you will most likely need to change your setting that loads munchkin code as this is a departure from the current Do Not Track legislation.

 

Adjustments you’ll need to make:

  • Turn on ‘Do Not Track’ Settings in Marketo Admin
  • Post a Cookie Policy
  • Evaluate API Cookie Management Platforms - this will become more important with upcoming EU ePrivacy Directive legislation, which has different requirements for various types of cookies.

For more information, see the Marketo Dev site for details on configuring Munchkin code settings.

 

Preference Center

You will need to build a preference center to process the requests from individuals exercising their GDPR rights.

 

These rights include:

  • Opt-in and unsubscribes
  • Data exports and transfers
  • Data breach notifications
  • Policy requests
  • Data erasure (AKA “the right to be forgotten”)

 

Marketing

Marketing messages and analytics will change. Between consent for cookies (which may limit the behavioral data you have to score from) and the right to be forgotten, many of us are concerned that we won’t be able to track marketing performance and customer journeys for our websites accurately. In all honesty, your internal KPIs and goals will need adjustment. Make sure you know all of your April numbers and conversion rates so that you can see how to reset your goals to account for GDPR changes.

 

For other marketing ideas and tips, download our free GDPR Toolkit, loaded with helpful information and practical resources, including:

  • GDPR Marketing Communications LookBook- creative suggestions and visual examples for post-GDPR marketing.
  • A recording of my Marketo Summit presentation, Fearless Marketing in a GDPR World, which includes screenshots of how to set-up a preference center and data rights flow in Marketo.
  • GDPR FAQ eBook: Legal Questions. Straightforward Answers.
  • The Marketo Client’s Guide to GDPR Compliance
  • GDPR Data Processor Compliance Assessment

 

Get your free toolkit: http://bit.ly/2wvF1OZ

 

Stay informed

 

GDPR is just beginning; updates (and fines!) are sure to follow. Learn from the missteps of other companies and adjust as grey areas are clarified. To stay informed on GDPR news, decisions and enforcement updates, subscribe to the ICO RSS feed: https://ico.org.uk/global/rss-feeds/

 

 

GDPR is here; it’s not the end but only the beginning.  Are you ready?

The GDPR compliance deadline is looming…have you prepared for the different data rights scenarios in your database?

 


 

It is likely that within your database, you’ll have varying levels of data processing rights. Common scenarios you’ll need to account for in your data rights center Marketo program:

 

  • Personal data to maintain and use - this encompasses both consent & legitimate interest.
  • Personal data to use for a limited time period, such as access to a webinar or event.
  • Personal data to maintain and use for limited purposes, such as only for transactional or account communications, and not for marketing messages or scoring.
  • Lapse in consent or legitimate interest. This could be time or action based.
  • Offline consent given, perhaps from direct mail, a live event, a phone conversation or a personal meeting.

 

There are many options and your data rights center needs to accommodate all the scenarios.

 

Building a Data Rights Center

 


 

Just as you have a subscription center in Marketo, you’ll also want to build out a data rights center, detailing the rights you have to retain and process data, encompassing the scenarios previously mentioned.

 

To do this, there are a number of fields I find helpful and useful to retain:

 

  • Most recent activity date, most recent activity detail - important for supporting the “as long as necessary” data storage clause

 

  • GDPR data rights (Y/N) plus rights DateTimestamp - again supporting the “as long as necessary” clause

 

  • GDPR data rights source and notes - good for recordkeeping and using in smart list filters to limit processing, or define your audience for WTD nurtures, whitelisting, or data deletion.

 

If this sounds like a lot, it is. But remember, GDPR loves documentation!  If you’re ever subject to a compliance inquiry, you’ll be in a better position by having a complete data trail.

 

Data Rights Campaigns

 

Screen Shot 3.png

 

In the example above, these fields are populated if you have full data consent acquired with opt-in email consent. You would use something like this flow for populating fields with either consent or legitimate interest.

 

When setting up the smart list, remember, email consent CAN constitute data consent. And if you are claiming legitimate interest, be sure to consult with your legal team first. If going this route, you would set up a similar smart campaign for legitimate interest as defined with legal, such as legitimate interest via sales activity or an active contract.

 

In the data flow, populate each of the fields outlined. In this example, the data rights source is populated with the email opt-in source description. Then in the notes, categorize this as “opt in email consent.” It’s useful to have different fields for source and notes as the source could explain why you have legitimate interest or where consent came from. You can then populate your notes section with common phrases you can use in filters, such as “limited processing consent - no scoring” or “retain for 30 days only”. This helps adapt to the various data rights scenarios.


When establishing rights lapses, time stamps are important: review the consent date and most recent engagement. You might discover it’s time to send a whitelisting or wake the dead nurture to these records! If consent or legitimate interest does lapse, you’ll need campaigns to properly process the records, either deleting or marketing suspending them as appropriate.

 

Building a Preference Center to Manage Individual GDPR Rights

 


 

Finally, you’ll also want to build a Preference Center to automate how you’ll process requests from consumers exercising their individual GDPR rights, including:

 

  • Opt-in and unsubscribes
  • Data exports and transfers
  • Data breach notification
  • Policy requests
  • Data erasure

 

 

Want more actionable tips plus other helpful GDPR resources? 

 

Download our Ultimate GDPR Toolkit, which contains:

 

  • The on-demand recording of my Marketo Summit breakout session, “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations.”
  • Our new GDPR LookBook, chock full of creative suggestions and visual examples for post-GDPR marketing
  • The Marketo Client’s Guide to GDPR Compliance Whitepaper
  • GDPR FAQ eBook: Legal Questions. Straightforward Answers.
  • GDPR Data Processor Compliance Assessment

 

Get your copy now...it’s free!  http://bit.ly/2wvF1OZ

What a difference a day makes. In just 24 hours, the course of business can radically change. Two examples come immediately to mind, one from recent headlines and the other, (of course!) the looming GDPR deadline.

 

March 16, 2018: A dark day for social media as news spread worldwide about Facebook’s illegal data harvesting practices. As a result of the scandal, the social media giant’s market value dropped by $80 billion and negatively impacted stock for other social media leaders, including YouTube, Google and Twitter. One day. An $80 billion difference.

 

May 25, 2018: The date many marketers have circled on their calendars—the day GDPR becomes enforceable. Lots of changes are coming our way, including how we collect, use and store data. And here again, the impact of 24 hours is significant. More precisely, from May 24 to May 25, your previous marketing practices could cost you €20 million or 4% of your global revenues, if you don’t make appropriate adjustments. Lead scoring and data enhancements—get ready for a very different landscape. Leveraging content to capture data? Better rethink that one, too. GDPR is unavoidable but you can proactively prepare.

 

What’s the most common question marketers are asking as they get ready for GDPR? Get the answer and a few helpful tips in this short video.

 

Carpe GDPR

Some disruptors are out of our control—GDPR is happening, whether we like it or not. But how you prepare for it can change your business outcome, which brings me to another significant day.

 

April 30, 2018: Join me for peer-to-peer GDPR learning opportunities at Marketo Summit. It starts at 11:30 with my breakout session “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations” immediately followed by a GDPR meet-up in the Moscone South Hall during lunch. This will be an excellent opportunity to build your GDPR support network, share your frustrations, ask your questions and get clarity on GDPR’s confusing requirements. Pre-registration for the breakout session is encouraged as I’m told it will be standing room only. And if you’re not yet registered for Summit, we’ve got you covered. Register with our VIP code, Perkuto 300, to save $300 off a full conference pass.

 

Marketo Summit is just days away—seize the opportunity to prepare yourself for GDPR, learn more about Marketo and meet the Perkuto team. I hope to see you there!

 

You can find a GDPR Resource Center with all of my GDPR content on the Perkuto site here.

We’re in the final stretch with the GDPR compliance deadline looming ahead. “Are you Ready for GDPR?” is still the question of the day, and the topic of an upcoming webinar that I’ll be presenting in partnership with Marketo and Uberflip. I’ll be teaming up with Marketo’s Sr. Director of EMEA Marketing Peter Bell and Uberflip’s Director of Revenue Marketing Tara Robertson to help marketers understand what’s required for compliance, discuss the topic of “consent” and explore the implications of GDPR on your operations and the systems you use every day. This free presentation runs live on April 4 at 11:00 am EDT and we’d love for you to join us. Additionally, get a sneak preview of what we’ll be covering on Uberflip’s blog where Tara and I have a conversation about consent, data collection and the always popular question: is there any workaround to GDPR? Check it out, and, don’t forget to sign up for the webinar!


For those of you who need a little GDPR comic relief, check out the latest Perkuto blog post—we’ve scoured Twitter to find creative tweets from around the world about the angst of preparing for GDPR. If nothing else, it will make you smile.

Just when you thought GDPR was confusing enough, enter the topic of “legitimate interest.” Many of you have asked about it, wondering if you can bypass obtaining express consent opting for legitimate interest instead.

 

I can almost hear the glimmer of hope in your voice as you ask...could legitimate interest be my saving grace for updating permission requirements? Has GDPR provided organizations like mine with an escape clause? Approach with caution here. If you’re considering skipping express consent and claiming the GDPR provision for legitimate interest, you first must understand what legitimate interest entails and when you can use it. 

 

From Article 6(1) of GDPR, legitimate interest can be used to process records if:

 

  1. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  2. Processing is necessary for compliance with a legal obligation
  3. Processing is necessary to protect the vital interests of a data subject or another person
  4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  5. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (ex: if the data subject is a child)

 

Clear as mud, right? Many marketers think they’ve found a loophole to collecting explicit consent with option A, the first clause. So is it? No—but it is a common misconception about GDPR and one that can get you into a whole lot of trouble.

 

Legitimate Interest Pie

 

Let’s look at a hypothetical situation when legitimate interest can be used. Say you are shopping online—maybe ordering a pizza. Rather than create an account, you opt to check out as a guest and only provide the necessary information to get your pepperoni pie delivered to your doorstep, or in this case, your name and delivery address plus payment information. Does the pizza place have legitimate cause to process your data? Yes, absolutely. Can they continue to communicate with you and send you pizza promotions for future orders? No, because they don’t have your consent. Legitimate interest in this example only applies to processing your order; it is not permission to use your information for any other purpose.

 

I also hear marketers attempting to justify legitimate interest with clause E, claiming they have a legitimate interest in marketing their products. So let’s get another opinion. The UK Information Commissioner’s Office (ICO) asserts that: “[Legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

 

In other words, I expect Joe’s Pizza to deliver my pizza (hot, please) so therefore I also expect Joe’s Pizza to process my order and charge my credit card. But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy. The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…” In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie,” which, as we all know, can add up to a lot of dough!

 

Legitimate Checklist (because who doesn’t love a good checklist?)


Still thinking about taking the legitimate interest route? The ICO offers a checklist before you consider opting to claim legitimate interest. And as you know, we like checklists, so we thought it appropriate to share this one—you’ll find the checklist and the rest of this article on Perkuto’s blog.

For those of you who missed our recent webinar, “Fearless Marketing Strategies for GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions!   As for the answers:

 

GDPR Documentation for your Database

 

We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

 

For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.

 

And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.

 

Bundling Consent: What to Do and What to Avoid

 

When using content (such as a white paper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!

 

GDPR vs. CASL

 

As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words.) The opt-in process is similar, as both consent intake processes should include an unchecked checkbox on a form, capture of the date/timestamp, opt-in source and opt-in IP, and a link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.

 

However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.

 

See how the two legislations compare on the Perkuto blog.

From your comments, emails and phone calls, I think marketers are in need of a little GDPR TLC right about now. Trust me, I’m right there with you. Preparing for GDPR is not an insignificant undertaking, and when coupled with the responsibilities of your “day job” it can be an overwhelming load. In my ongoing effort to help and encourage my fellow marketers, I offer you a little Chicken Soup for the GDPR Soul.

GDPR Words of Wisdom

Eat a live frog first thing in the morning and nothing worse will happen to you the rest of the day. – Mark Twain, author

Perspective is everything, isn’t it? Surely, when Mark Twain made this statement, he was directing his comments to marketers feeling the stress of GDPR—get the task you’re dreading most done first. If you’re just starting out in your GDPR compliance journey, I recommend your first frog is a pre-preparation assessment of your database. This includes taking inventory of records that have (and don’t have) normalized country data attached to them, noting the quantity and compliance status of EU records in your database, and assessing the viability of questionable records. If you’re further along in your GDPR preparations, Twain also has advice for your situation: “If it’s your job to eat two frogs, eat the biggest one first.”  Little did we know, GDPR would be an all-you-can-eat frog buffet!

Go to bed smarter than when you woke up. – Charlie Munger, vice chairman, Berkshire Hathaway

Whether GDPR is keeping you up at night or you’re actually able to get some rest, the point of this quote is spot-on: gain as much wisdom as you can about GDPR. Read. Listen to podcasts. Attend a webinar. And speaking of webinars, be sure to register for our free presentation, “Fearless Marketing Strategies for a GDPR World.” We’ll be covering hot topics such as consent and what it means for your marketing communications, plus the impact of GDPR on common technologies like cookie usage and lead scoring. GDPR language is ambiguous and confusing; the worst thing you can do is stick your head in the sand and rely on what you think you know. Stay informed, seek out learning opportunities and ask questions along the way. Register for our webinar now.

No wise pilot, no matter how great his talent and experience, fails to use his checklist. – Charlie Munger, vice chairman, Berkshire Hathaway

With stress often comes decreases in productivity and efficiency. Checklists help keep you focused, ensure you don’t forget details, and give you a sense of accomplishment as you mark items as complete. If you haven’t already, put together a GDPR readiness checklist or use ours. Note: the checklist below is a small part of a much larger GDPR checklist, which you can access—along with much more GDPR information—by downloading our free whitepaper, “A Marketo Client’s Guide to GDPR Compliance.”

Database Audit Checklist (mark each item as completed)

  • Are EU records present?
  • Examine current opt-in sources to determine compliance (or if an opt-in campaign before the GDPR deadline is necessary)
  • Evaluate information stored in the lead/contact objects vs. the account object and amount of information populated
  • Determine the degree of missing country information and if it’s normalized
  • Create marketable records segmentation and inactive smart lists to assess data quality
  • Determine the age of records; flag those outside of your defined period for record retention
  • Segment the database based on current compliance status of records
  • Determine if your database contains records of youth under the age of 16 and age 13 in the UK

 

Additional GDPR Resource and Support

The best thing a human being can do is to help another human being know more. – Charlie Munger, vice chairman, Berkshire Hathaway

There’s no doubt that Charlie Munger is a smart guy—after all, he’s Warren Buffett’s partner.  And when it comes to sharing knowledge, we couldn’t agree with him more. Perkuto exists to help CMOs succeed—with that in mind, we’ve put together a comprehensive package of resources to support you in your GDPR preparations:

 

When it comes to GDPR, our motto is “Prepare thoroughly. Market fearlessly.” Let us know how we can help you.

 

Read the full post on the Perkuto Blog.

At some point in our careers, we've all had a data mishap. A colleague recently shared a direct mail promotion he received from a high-end jeweler. The headline read, "KEVIN, this Valentine's day, give LESLEY the gift she really wants," along with an image of a beautiful diamond necklace. The only problem—Kevin and Lesley are brother and sister. (And yes, they were horrified at the jeweler's suggestion.) Was the jeweler trying to promote sibling love? Doubtful. More likely: Major. Data. Fail.

 

Obviously, this example is variable data gone wrong: either mismatched data points, misinterpreted data relationships or just plain bad data. But whatever the reason, with GDPR just around the corner, it's crucial that your data is in order. Understanding who's in your database, as well as the age and viability of each record, is a foundational piece of GDPR prep. Think of it this way: retaining junk data is a liability for you. Why risk costly fines due to keeping questionable records?

 

What's Lurking in your Data Pool?

 

Over time, junk records creep into your files and weigh down your performance metrics, create potential marketing disasters and set you up for GDPR problems. Time to scrub the pool! The best way to identify junk data and gain more insight into the composition of your database is by creating a marketable records segmentation. Any groups regularly suppressed should be pulled into this segmentation. What should you be looking for?

 

Inactive Records: Since GDPR stipulates not retaining data longer than necessary, flag outdated records or, in the absence of a defined expiration date, those that have not opened or clicked on an email or have not visited a webpage in the last 12 months. We’ll try to reactivate these names—more on that topic in a minute.

 

Disqualified Records: Be on the lookout for trash and disqualified records especially, usually corresponding to a lifecycle stage of trash or disqualified and including names rejected by sales.

 

Role Accounts: These are email addresses for a specific role that don't have a human associated with them. Under GDPR, such records are not considered "personal data" but since they don't benefit sales, remove them. To do so, include a filter for email that starts with and contains descriptors such as news@, administrator@, unsubscribe@, customerservice@, webmaster@ and info@.

 

Junk Domains/Data: Just as the name suggests, these bogus domains include data strings such as "ABC," "XYZ," swear words and email addresses without an @ symbol. Dump the junk!

Undesirable Personas: Examples include students, retirees, and maybe the media. If not a viable lead, they are not worth the potential risk of retaining.

 

Country Data: Run a query to determine if all records have normalized country information. Flag those that do not or are missing country data altogether.

 

Opt-In Sources: Is consent GDPR compliant? Do you have proper record-keeping to back that up? Create a separate segmentation based on current compliance status and deploy a whitelisting campaign for records compliant with current EU Directive legislation that may fall short of GDPR standards. Remember, this may include records that have consent, but the consent is dated.

 

Preserving Potentially Viable Records

 

OK! You've done some cleaning on your database; now it's time to look at the questionable and non-compliant records to retain as many as possible before GDPR goes into effect. Campaigns you'll want to run sooner rather than later include:

 

Read the full post on the Perkuto Blog.

Preparing for GDPR: It's Not Marketing's Job...or Is It?

 

“GDPR:” you’ve heard the term repeatedly and know you ought to deal with it. But you’re also wondering, does the responsibility for GDPR readiness really belong to marketing? Isn’t this more of an IT thing? Besides, you’ve got other, more pressing tasks…good grief!

 

Good GDPR grief that is, and all the mental agony that comes along with it. If you’re like most marketers, you’re probably experiencing what we call, “The Five Stages of GDPR Grief” when it comes to navigating GDPR preparedness.

Any of this sound familiar?

 

The Five Stages of GDPR Grief

 

Stage 1: Denial.

You don’t believe you need to worry about GDPR. After all, you survived CASL, CAN-SPAM, and the US Do Not Call regulation. GDPR…no big deal, right?

 

Stage 2: Anger.

GDPR keeps creeping into your news feed; the topic just won’t go away. You’re annoyed—even angry—at the thought that it might actually be your job to figure out GDPR requirements and steer your team through compliance preparations. Not exactly what you envisioned for your career in marketing.

 

Stage 3: Bargaining.

You begin rationalizing that you are too busy, that your main priority is driving revenue and supporting business growth. GDPR sounds like a major “squirrel” (distraction), so you begin bargaining with others in your company to take on the task. Case of beer in hand, you approach your colleagues, “Hey…so how’s my FAVORITE IT team…”

 

Stage 4: Depression.

You realize you’re stuck with the task and begin reading through dry, incomprehensible pages of legalese filled with seemingly conflicting advice. To say you’re bored to tears is an understatement. Is it 5:00 yet?

 

Stage 5: Acceptance.

You’ve come to grips that GDPR preparation is your responsibility; you’ve accepted that marketing with different rules is the new reality for 2018. Realizing there are many adjustments and changes you must make to your processes, you begin seeking out resources to help your team. But now what?

 

The Path to GDPR Compliance

We get it. We understand you’re busy and have many responsibilities in your “day job,” none of which include becoming a GDPR expert. That’s why we’ve created a free downloadable resource, “The Marketo Client’s Guide to GDPR Compliance.”

 

Written by the Perkuto team, this guide will help you understand GDPR from start to finish. You’ll learn about data transparency, storage and security requirements of this massive legislation plus some of the lesser-known nuances that impact your marketing strategies. We’ll help make sense of the requirements for compliance and outline the consequences for not meeting them. We’ll show you the steps you need to take to prepare for GDPR and (shameless plug) provide an alternative should you decide to let GDPR experts handle it instead.

 

From Intimidated to Fearless

Feel like you already have a good grasp on GDPR basics? Take your knowledge to the next level by attending our complimentary webinar on March 1, Fearless Marketing Strategies for a GDPR World.

In this interactive presentation, I’ll discuss the impact of GDPR on the marketing technology we use every day, including cookie usage, subscription management and lead scoring practices. Learn what campaigns you should be running now, how your communications must change once GDPR goes into effect, and ask questions specific to your situation at the end of the presentation.  Registration is free, but early registration is recommended as space is limited. Registration also guarantees you will receive a link to the presentation recording and slides, even if you’re unable to attend the live webinar.

 

In Good Company

When it comes to GDPR, we feel your pain, really. Remember, we’re marketers too! And from one marketer to another, we’re ready to turn your wounds into wisdom—download the Perkuto complimentary GDPR Compliance Guide and then register for the Perkuto free Fearless Marketing webinar.

 

 

As Published on the Perkuto Blog

“Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security. In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, and external partners, and providing a graphic overview with our GDPR infographic.

 

As much as GDPR covers, it also raises an equal number of questions.  Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.

 

GDPR – Who?

Q: Does GDPR apply only to EU citizens?

 

A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.

 

Definition of Personal Data

Q: What is considered “personal” data?  Is B2B information exempt?

 

A: Generic emails, such as “info@,” “contact@” are not personal addresses so do not count as personal data. All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes someone personally identifiable, such as their business email address.

 

Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”

 

A: That depends on the purpose of the data. Where a contractual agreement exists (ex: I am buying on Amazon), personal data may be retained as long as the contract runs (or in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site). If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL. It is the Data Controller’s responsibility to set the limit on data retention and this should be specified in your privacy policy. Be careful not to run “wake the dead” nurture campaigns on opt-ins that have exceeded the stated time frame.

 

Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?

 

A: No. Consent is an independent action from a marketing action, and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox; just make sure the checkbox is not required to submit the form. And be sure to include a link to your privacy policy on all forms. See an example of a GDPR compliant opt-in form: https://perkuto.com/blog/marketing-strategies-gdpr?utm_source=MarketoCommunity

 

Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?

 

A: Yes, ...

 

Read the full post on the Perkuto Blog.

If “our similarities bring us to common ground,” (Tom Robbins) we’ve reached our destination.

No doubt, you have quite an assembly of tools in your MarTech stack acquired in various stages of your company journey. Each technology offers a different solution for your organization, but they all share a common ground: they access your data. Is the GDPR alarm going off in your head? It ought to be, as GDPR considers any technology provider in your stack—i.e. Marketo, Salesforce, Ringlead, ReachForce, Bizible—as well as agencies and service providers who can access your data, a “data processor.” And GDPR has a lot to say about this role and the responsibilities that come with it. Welcome to GDPR land.

GDPR Compliance: All Aboard

By GDPR definition, a data processor is “any person, public authority, agency or other body which processes personal data on behalf of the controller.” So, all of your external systems, companies, agencies, service partners or contractors who are enriching your data, collecting data on your behalf, mining, segmenting, or analyzing records—even handling payroll or other outsourced HR activities—are data processors. Which means… (sound the major GDPR alarm) each one must be GDPR compliant.

But wait, there’s more.

Did you catch those last few words of the data processor definition, “…on behalf of the controller”? If your MarTech tools, agencies and service partners are data processors, that makes your organization the data controller. And with great responsibility comes greater accountability: it is the data controller (AKA you) who calls the shots on what data is collected, why, and how it is used. Ultimately, YOU, the data controller, are responsible for ensuring that personal information is processed in accordance with GDPR, and YOU can be subject to corrective measures and penalties should something go awry. Additionally, YOU are responsible for ensuring that these data processors can provide sufficient documentation of their abilities to comply with GDPR requirements for both technical and organizational measures. YIKES!

Takeaway: GDPR has a much broader impact on our operations and organizational structure than what’s on the surface.

How can you mitigate your risks?

Develop your Itinerary

  1. Take inventory and document your MarTech landscape, identifying all of your processors.  Any company from agencies to Marketo to deduplication vendors to data enrichment to ABM, CRM…you get the idea.

  2. Request documentation from each Data Processor demonstrating that they are GDPR compliant. Most of the established Data Processors have already prepared the documentation to show that they’re compliant with GDPR and all you’ll have to do is review it. For instance, Salesforce provides the following information on Trust and Compliance. If you work with a Data Processor that doesn’t have the documentation readily available, you’ll need to be proactive in requesting documentation. Here is an example questionnaire that you could adjust to your specific needs.
  3. Categorize the returned documentation. Keep a record of all documents and either work with non-compliant processors to help them become compliant, find a new processor, or decide what to do to protect yourself if they are not.
  4. Sign a data processing addendum with ...

 

Read the full post on the Perkuto Blog.

A Visual Look at GDPR Contributing Factors and Compliance Preparations

If you were to Google GDPR, your search would produce over 4 million results. That’s a lot of content! Assuming you don’t have time to read it all, the Perkuto team has compiled key stats to tell the story—consumer fears contributing to the legislation, how organizations are faring in their preparations and the ramifications of non-compliance.

From our research, the stats we found most interesting: 67% of Europeans surveyed cited they would share more personal information if brands were transparent about their intentions for data usage. (The Chartered Institute of Marketing, September 2016) In other words, GDPR is not a marketing deal-killer, but it is a game changer. Further, the stats suggest that with thoughtful data collection practices, we may even see an improvement in our data collection results.

Another interesting stat to note is that 77% of American corporations are making an investment of $1 million or more for GDPR preparedness. (GDPR Preparedness Pulse Survey, PwC US, January 2017) A significant investment, but also pennies on the dollar when considering the financial penalties at stake. We applaud their proactive approach.

Lastly, we are encouraged that 71% of organizations believe data governance will improve because of GDPR. (SAS Survey Data, June 2017) Though it may be challenging now, there is a light at the end of the tunnel—we will survive the preparation process, make the necessary adjustments and be better marketers because of it.

 

View the GDPR By the Numbers Infographic Now!

This post is part 2 of a 5-part series on GDPR readiness. In this previous post, I compared GDPR preparedness to a football game and the importance of both a solid offense and defense to win the game. To tackle the processing requirements of GDPR compliance, your defensive strategy involves operational adjustments and a well-documented game plan. Now, it’s time to turn our focus to the offense and strategies to help your marketing practices thrive in a GDPR world.

Many Marketo clients are asking questions about using marketing automation and lead scoring features given GDPR’s strict permission-based requirements to collect and store personal data. My answer is marketing operations and GDPR can coexist, with adjustments to our current methods. I believe GDPR will force us to improve our core marketing skills, and our GDPR playbook should include leveraging the benefits of our offering and easing customer anxiety associated with data collection.

Consent for Data Collection

Scenario: You are offering a free white paper or informational guide and you are collecting the customer’s name, email address, and phone number as a prerequisite to downloading. Behind the scenes, you are appending additional data to the record, including income and location as well as tracking online browsing behavior to score the lead.

Challenge: Under GDPR, brands must now have an individual’s consent before you may track and store personal data. Opt-out or implied consent forms do not comply with GDPR; further, you must also declare how you will use the data and for how long, including if you are appending information or scoring based on it. Therefore, the challenge is being GDPR compliant without introducing too much friction or anxiety with your form.

GDPR adjustment: Strengthen your landing page value proposition and incentive to increase customer motivation. Also add an unchecked opt-in checkbox to the bottom of your data collection form, including a link to your privacy policy. (Note: privacy policies must now be much more robust in detailing data usage.)

To implement: On a recent internet search, I found one suggestion to use this copy in your data collection form:

“We’re collecting your name, phone number and email address so that we may follow-up with you further on this topic and provide additional assistance. We may also match profiling data from a third party with your registration information, to learn more about you and measure your product interests. Please check our privacy policy (insert link here) for details on how your information will be protected and managed.” (followed by a checkbox providing consent to collect this information)

This solution appears to be GDPR compliant and covers your bases…but it is lengthy and may “weigh down” your form, and we may have also unnecessarily opened the door on customer anxiety. According to The Chartered Institute of Marketing (September 2016), 57% of Europeans do not trust brands to use their data responsibly. Highlighting their concern will only increase apprehension. Thus, adding this verbiage to your form could reduce your conversion rate.

Contrary to a common misconception, GDPR doesn’t mandate declaring everything on your form. You can state how you will use data (including information to be appended and lead scoring practices) in your privacy policy—just don’t forget (or it will cost you big!)

A sample of a GDPR-compliant privacy policy regarding the opt-in checkbox on a form reads like this:

“The information set out in this form is registered in an electronic database for the purpose of [commercial prospection, HR…]. This information is intended to be communicated to [internal service of the company, commercial partners…] and retained for [the relationship, xxx months…]. In accordance with the applicable regulation, your rights to access and update your data, withdraw your consent or lodge a complaint where applicable can be exercised by following this link [contact of the service, person or authority in charge…]”

Just keep in mind a couple of things with your opt-in checkbox:

  • The opt-in checkbox cannot be a required field. Consent is an independent action from the marketing form action. In other words, if the form in question promotes a white paper, the user can download the white paper without opting in to further communication.

 

  • Consent language should make it clear that the checkbox is not needed to submit the form (e.g., “Want MORE on this topic?”) and should definitely link to your privacy policy. To step up your game, add a little note at the bottom of the form reminding them they can download your white paper without it.

 

Moving legal language to your privacy policy would enable you to use shorter, simpler, GDPR compliant copy on your form:

<Unchecked checkbox> “I’d like to receive more information on this topic, and understand and agree to the privacy policy. <insert link here>”

Short, sweet, to the point…on with the conversion. And the next example.

Cookie Tracking

Scenario: You are using reverse IP lookup and cookies (AKA Munchkin Code) on your site to identify repeat visitors and customize the user’s experience.

GDPR challenge: You must have consent to track visitor behavior. “By using this site, you agree to cookies” messages implying approval upon closure do not meet GDPR compliance. This is a departure from Do Not Track legislation.

GDPR adjustment: Use a banner across the top of your website notifying first-time users of cookie usage, capturing user consent. Then work with your developer to load Munchkin code with the proper settings.

To implement:

 

Read the full post and view examples of these solutions on the Perkuto Blog.

In this first post of a 5-part series on GDPR, we discuss the importance of preparing your marketing operations to meet compliance requirements, or aligning your “defensive” strategy. In the next post, we’ll discuss options for building your “offense,” including ideas for collecting customer information in an engaging manner that’s also GDPR compliant.

If you watch football at all, you understand the importance of a good offensive and defensive strategy. You also know the impact of penalties and play reviews, sometimes the difference between victory and defeat. One ruling can be a total game changer.

We have a major game changer looming ahead for marketers. I’m, of course, referring to GDPR. I’ve been asked by many Marketo clients how the new consent-based legislation will impact the future of marketing operations. I won’t sugar coat it: marketers need to prepare for new challenges. GDPR was created with noble intentions to protect the privacy of consumers, and it will change our marketing landscape. A few specific examples:

  • Opt-in consent is required to email and retain personal data. Additionally, appropriate record keeping to verify permission is also required.
  • Lead scoring will be considered user profiling, which under GDPR, requires consumer consent. Similarly with propensity-to-purchase calculations—if you are using this to schedule follow-up sales calls, you must have permission to use the consumer’s data in this capacity.
  • Data enhancements must be declared, and past data audited. If you are further enhancing your data from a third-party source, you may need to state the origin and the purpose. Keep in mind, anyone processing your prospects’ data must be GDPR compliant, too.
  • Data management: GDPR includes a host of consumer rights and protections, which marketers need to be prepared to accommodate.
  • Record disposal: We all hate to delete information. But under GDPR, we must delete records accumulated without opting in and remove data from individuals who withdraw consent or otherwise request deletion of their information.

 

Game Changer, Not Game Over

GDPR will require changes to current marketing practices, but it doesn’t have to kill your operations completely. Preparation and identifying your vulnerabilities is essential. To start:

Read the full post on the Perkuto Blog.