35 Replies Latest reply on Apr 26, 2018 7:58 AM by Michelle Miles

    GDPR - What are you doing to prepare?

    Sierra Summers

      Curious to hear how others are preparing for General Data Protection Regulation (GDPR)?

        • Re: GDPR - What are you doing to prepare?
          Brittany Stover

          Katie Pope  

          I know that our company also is in the weeds trying to prepare for this. I also know that Grégoire Michel has included this in an ideas forum. Any update or active project from the Marketo side of things?

          1 of 1 people found this helpful
          • Re: GDPR - What are you doing to prepare?
            Iryna Zhuravel

            I spoke with Marketo folks about it at the Summit, they are preparing for GDPR and should share some info in the near future.

             

            We are hiring a third-party company to do an audit of our process to make sure we are compliant, fines go up to 20 million euros, so we are trying to be extra careful.

            1 of 1 people found this helpful
              • Re: GDPR - What are you doing to prepare?
                Brittany Stover

                Yes, the fines are astronomical! Definitely not something to play around with and merely get slapped on the wrist for. We also are having a third party from Europe help us outline our process to confirm we are compliant. I want to tag Janet Dulsky on this post to see if she can shed any light on this. May is still a ways off but it will be here before we know it.

                  • Re: GDPR - What are you doing to prepare?
                    Janet Dulsky

                    Brittany Stover, yes, Marketo is absolutely preparing for GDPR and, in fact, my colleague Jack Yusko is leading the charge and can give you more color.

                     

                    Thank you, Janet

                    2 of 2 people found this helpful
                      • Re: GDPR - What are you doing to prepare?
                        Brittany Stover

                        Jack Yusko I would love to connect with you and discuss this further if possible.

                         

                        - Brittany

                          • Re: GDPR - What are you doing to prepare?
                            Dan Stevens

                            I would as well.  Better yet, would love to see some posts here in the community - direct from Marketo - on how Marketo will be doing what they can from a platform/infrastructure perspective - in ensuring all customers are compliant with GDPR.

                             

                            2 of 2 people found this helpful
                              • Re: GDPR - What are you doing to prepare?
                                Peter Bell

                                Hi Dan,

                                 

                                Noting these comments do not constitute legal advice (that needs to come from your legal team), a couple of comments for you and others in this discussion.

                                 

                                As with all data protection laws, compliance requires commitment from both technology providers and their customers; to one of the points in this thread, we (Marketo) can't "make you compliant". Specific to the GDPR there are new requirements on “Data Processors” such as Marketo. We will be in compliance with the GDPR by May 25th, 2018 (the date it comes into force) and Marketo’s services already include the functionality necessary for our customers to comply with the GDPR’s requirements on them. To the latter point, I'm in the process of documenting the functionality that will help with that, but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences.

                                 

                                There are two key areas of the GDPR that are particularly pertinent to Marketers that I'd draw your attention to and that consequently require careful assessment of past, current and future practices. The first is consent by the individual to collect and use their personal data and the second is accountability, namely being able to demonstrate how they comply with the principles of the GDPR.

                                 

                                As I mention above, we will be publishing more on this topic; the deeper content will take a while but we'll have updates coming through via Marketo.com, and I can link to those as we publish. For now there is a useful resource we have licensed for our customers here 

                                 

                                Peter

                                4 of 4 people found this helpful
                                  • Re: GDPR - What are you doing to prepare?
                                    Dan Stevens

                                    Appreciate your input Peter, totally agree.  Not only do we have a well-staffed legal team working with us on this, but a formal steering committee consisting of functional leads from around the world and recruiting data privacy officers for our various regions.  But as Marketo is the "data processor" we're glad to finally get some perspective on this from Marketo (and glad that Marketo will be fully compliant).

                                     

                                    I guess what's most concerning (not from Marketo) is some of the uncertainties that still exist (some of the final legislation may not be complete until early May 2018).  Most specifically around "legitimate interest".  Google it and you'll find so many interpretations of what this means.  Again, why it's so important that every company have the proper resources in place (legal, data privacy officers, consultants, etc.).  For example, I found this as one of the various interpretations of LI by a certain company (which I will not disclose).  Something tells me this will not hold up under GDPR - but we'll see.

                                    XYZ Company processes only non-sensitive personal data that is aggregated from publicly available sources and relates to only what the PECR refers to as corporate subscribers. Under both the current PECR and the new PECR, opt-in consent will not be required for B2B email marketing so long as recipients can easily unsubscribe/opt-out. This will be honored by ensuring very clear opt-out / unsubscribe options are available to them in all communications sent to them. XYZ Company will be conducting an impact assessment to further underline and support its position of legitimate interests such as under GDPR Recital 47, which states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

                                     

                                     

                                      • Re: GDPR - What are you doing to prepare?
                                        Mark Knight

                                        I am not a lawyer, I am a marketer who has been studying UK ICO guidance and other sources to learn how GDPR will affect our handling of personal data related to Marketing within our company.


                                        From my readings, the opt-in or out requirement for email marketing to B2B market has not yet been fully defined. The wording is not prescriptive and neither is current guidance. I agree that the current UK position is that opt-out is the norm. BUT, Germany have, I am led to believe, stated that it will need to be opt-in. And as PECR and GDPR will need to adhere to the one central EU standard, rather than the current national standard, it is thought that SHOULD the UK interpretation (OUT) ever be tested in the EU courts it could be challenged as a higher standard exists, and therefore legally vulnerable. I.e. prepare for opt-in requirements for Email B2B marketing, as well as opt-in consent to actually store marketing data, though I realise there are 5 other definitions under which personal data can be stored without consent being required.

                                         

                                        What concerns me is the scope of GDPR is not understood.

                                        - A data controller or processor WITHIN the EU protects ALL DATA SUBJECTS REGARDLESS of their nationality, residency, location and place of processing

                                        - A data controller or processor NOT IN THE EU protects any data subject in the EU where processing relates to offering goods or services (MARKETING) or monitoring behavior which takes place in the union

                                         

                                        I can imagine it will come as a shock to any non-EU marketing team to learn that they need to handle personal data under guidelines determined by European Law, and that failure to do so 'could potentially' result in either fines of 4% group turnover, or €20m - whichever is higher... though quite how all of this will be policed outside of EU.

                                        2 of 2 people found this helpful
                                          • Re: GDPR - What are you doing to prepare?
                                            Dan Stevens

                                            Good points Mark.  I think many are so focused on "consent" in terms of email opt-ins, and not realizing the implications of the other type of consent: the ability (or I should say "inability") to track known users online - in this case, placing the Munchkin tracking cookie on a user's browser to track ongoing behavior/engagement.  Today, many of us who have country-based sites (in addition to our global site), are able to get by with implied consent (if they click the "x" to hide the banner and continue to use the site, we can place cookies on their device):

                                             

                                             

                                            But with GDPR, tracking users is now going to require explicit consent (including the ability to opt-out in the future) and will require a much more complex opt-in process, for example:

                                             

                                             

                                             

                                            Not only does that add technical complexity for us (since we'll need to offer the ability to opt-in/out of each type of cookie), but negatively affects the overall visitor experience with these annoying pop-ups.  This will also significantly diminish the value that Marketo - and other marketing automation platforms - brings to marketing organizations since we'll basically have to disable this "non-essential" tracking by default.  And only enable it when someone opts-in.

                                            3 of 3 people found this helpful
                                              • Re: GDPR - What are you doing to prepare?
                                                Mark Knight

                                                All great points - I agree.

                                                It's also the implication I am trying to understand.

                                                How will Marketo allow website owners to manage preferences for website visitors?

                                                What will the impact be if they opt out of profiling?

                                                Will consent to email marketing require double opt-in to verify the address in the form submitted is the person who submitted the form (i.e. need to click link in email) - what happens to that data in the meantime, is it temporarily stored in Marketo until verified and then added to our account?

                                                 

                                                My understanding of the problems leads me to believe the answer lies in a 'preference management' page for a user, whereby they can opt-in / out to tracking (profiling) and email marketing, AND also see their registration data, and amend as they wish.

                                                 

                                                But then this changes the data model for Marketo from a one-way submission and store on a cookie, to a user management, two-way comms flow that is able to pull information from Marketo(?) and show on a page.

                                                From my limited understanding of Marketo, that's not possible? Marketo only pushes from website to Marketo to CRM?

                                                - so suddenly website managers will need to find a way of PULLING user profile data / preferences from the CRM to display on their websites, whilst still ensuring all values are in synch, consent is stored (and dated and noted where consent was given from (ie specific website activity))

                                                 

                                                Anyone got any data models showing the required flows for this?

                                                I am trying to get an understanding now, but my Marketo contact doesn't seem to understand the issue (perhaps as based in USA and therefore unaware of the potential impact of GDPR).

                                                1 of 1 people found this helpful
                                                • Re: GDPR - What are you doing to prepare?
                                                  Peter Bell

                                                  We will address Consent in both contexts - namely consent to digital communication and consent to monitoring. In relation to monitoring we can honor DNT today and you can provide the site visitor the choice to opt out of tracking, both are standard functionality within Marketo today.

                                                   

                                                  However, this is a broader and complex topic and you'll have many cookies performing various functions on your website; Marketo is but one of those. I'm sure your legal teams will be aware but the ePrivacy directive, which is still in draft, will offer further legal guidance on the topic and our legal team are monitoring and assessing that guidance. Proposed amendments to the draft were published this week. This is a useful summary.

                                                  2 of 2 people found this helpful
                                                    • Re: GDPR - What are you doing to prepare?
                                                      Dan Stevens

                                                      Peter, will there be any enhancements made in Marketo to offer "do not track" at the user level (and coincide with some sort of preference center)?  The current implementation of DNT in Marketo is to honor this at the BROWSER level, not the user level.

                                                       

                                                       

                                                      Edit "Do Not Track" Browser Support Settings - Marketo Docs - Product Docs

                                                       

                                                       

                                                      1 of 1 people found this helpful
                                                        • Re: GDPR - What are you doing to prepare?
                                                          Peter Bell

                                                          Hi Dan,

                                                           

                                                          As DNT is a browser setting (where the browser, when DNT is turned on, sends an HTTP header requesting that no tracking be performed), it is not possible to overcome the natural limitations of shared browser use, etc.

                                                           

                                                          More accurate and closer to user level is Munchkin Tracking, but we're still talking cookies and the limitations thereof. We can place a mkto_opt_out cookie on browser which tells Munchkin to no longer track the user for that website.

                                                           

                                                          The simplest way to do this is to place a link on a page (typically a privacy page or similar)  that redirects them to a landing page containing the opt out parameter (can be added to a Marketo landing page or a page with Munchkin tracking on):

                                                           

                                                          http://”customerpage”?marketo_opt_out=true

                                                           

                                                          The same can be done via API if you're building a more comprehensive solution to cookie behaviour on your site.

                                                           

                                                          Peter

                                                           

                                                          1 of 1 people found this helpful
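
The gating discussed in this thread (no tracking until the visitor opts in, with DNT and the `mkto_opt_out` cookie honored), as an added example that is not part of any post and is not Marketo code. The `site_tracking_consent` cookie, the function names and the sample requests are assumptions, and any `mkto_opt_out` cookie is treated as an opt-out whatever its value.

```javascript
// Added example: decide per request whether a tracking script may be loaded.
// Names taken from the post above:
const OPT_OUT_COOKIE = "mkto_opt_out";     // cookie that tells Munchkin to stop tracking
const OPT_OUT_PARAM = "marketo_opt_out";   // query parameter on the opt-out link
// Hypothetical: the site's own record of an explicit opt-in.
const CONSENT_COOKIE = "site_tracking_consent";

// Parse a Cookie header into a Map. The first occurrence of a name wins, and
// values that fail to percent-decode are kept raw instead of throwing.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name || jar.has(name)) continue;
    let value = part.slice(eq + 1).trim();
    try {
      value = decodeURIComponent(value);
    } catch (_) {
      // malformed escape sequence: keep the raw value
    }
    jar.set(name, value);
  }
  return jar;
}

// Default is "do not track". Every opt-out signal is checked before consent,
// so a stale consent cookie can never override a later opt-out.
function trackingDecision(req) {
  const cookies = parseCookies(req.cookieHeader);
  // The base URL is only there so relative paths parse.
  const params = new URL(req.url, "https://example.invalid").searchParams;

  if (params.get(OPT_OUT_PARAM) === "true") {
    // Visitor followed the opt-out link: also clear the site's consent record.
    return { track: false, reason: "opt-out-link", clearConsent: true };
  }
  if (cookies.has(OPT_OUT_COOKIE)) {
    return { track: false, reason: "opt-out-cookie", clearConsent: true };
  }
  if (req.dnt === "1") {
    // DNT is per browser, not per person (the shared-browser limit noted above).
    return { track: false, reason: "dnt", clearConsent: false };
  }
  if (cookies.get(CONSENT_COOKIE) !== "granted") {
    return { track: false, reason: "no-consent", clearConsent: false };
  }
  return { track: true, reason: "consent", clearConsent: false };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { url: "/pricing", cookieHeader: "", dnt: null },
  { url: "/pricing", cookieHeader: "site_tracking_consent=granted", dnt: null },
  { url: "/pricing", cookieHeader: "site_tracking_consent=granted", dnt: "1" },
  { url: "/privacy?marketo_opt_out=true", cookieHeader: "site_tracking_consent=granted", dnt: null },
  { url: "/pricing", cookieHeader: "site_tracking_consent=granted; mkto_opt_out=id:true", dnt: null },
];

function evaluateSamples() {
  return SAMPLE_REQUESTS.map((r) => trackingDecision(r).reason);
}

console.log(evaluateSamples());
```
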
                                                • Re: GDPR - What are you doing to prepare?
                                                  Peter Bell

                                                  Just a quick update for everyone on this thread. We have published a formal update in our legal section on marketo.com

                                                   

                                                  This makes many of the same points I made here last week but may be useful with your own legal teams as it is a formal statement from us.

                                                   

                                                  Again we'll be publishing more as soon as possible.

                                                   

                                                  Peter

                                                  • Re: GDPR - What are you doing to prepare?
                                                    Boone White

                                                    Hi Peter,

                                                     

                                                    You mentioned you would be creating documentation on GDPR compliance processes. Have you published/made any headway on that?

                                                     

                                                    "documenting the functionality that will help with that, but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences."

                                                • Re: GDPR - What are you doing to prepare?
                                                  Stacy Nawrocki

                                                  Me too.  We are behind in these preparations and it's nearly upon us.

                                          • Re: GDPR - What are you doing to prepare?
                                            Jack Yusko

                                            Hi everyone, hope you’re all doing well. I’m with the Privacy team here at Marketo and we are hard at work implementing a comprehensive GDPR compliance program, leveraging resources from across the organization to ensure that Marketo is GDPR compliant and that all Marketo customers have the tools they need to bring their Marketo instances into compliance with all relevant GDPR provisions. While I wish that I could connect with each of you individually, with 5,000+ customers I would quickly run out of time to actually implement our compliance initiatives!

                                             

                                            Our GDPR website is currently in the publishing process and we expect it to go live within the next week or two. We are also putting together guidance on consent (including a number of common scenarios involving obtaining, documenting, and maintaining consent) and the accountability principle (including information on audit trail, activity log, and role-based permissions). If you’d like more information on the compliance initiatives we’re implementing in our organization, ask your CSM for our GDPR summary document.

                                             

                                            Our Sr. Director of Product Marketing in EMEA wrote the following blog post that I hope you’ll find interesting:

                                            https://blog.marketo.com/2017/06/gdpr-opportunity-play-win-engagement-economy.html

                                             

                                            Here’s a how-to guide on implementing a preference center:

                                            https://nation.marketo.com/blogs/marketowhisperer/2015/11/23/build-an-email-preference-or-email-subscription-center-in-marketo-in-10-steps

                                             

                                            While the GDPR may seem daunting, it is a great opportunity to put ourselves in the data subject’s shoes and position ourselves as leaders in the engagement economy.

                                             

                                            Thank you,

                                            Jack Yusko

                                            4 of 4 people found this helpful
                                              • Re: GDPR - What are you doing to prepare?
                                                Gabby Fajfer

                                                Are there any updates on the Marketo GDPR website you are publishing?

                                                 

                                                Also, I can see Marketo is talking about DNT functionality being already in place; however, that would disable the tracking, not enable the tracking when people are agreeing to be tracked, which is a GDPR requirement. My understanding of it is to have a tracking switch on by default and only when people are opting in we can enable the tracking.

                                                 

                                                Moreover, as was discussed on another discussion chain, the opt out parameter on the landing page only works for v152; however, our version is 151.



                                                Also, disabling the function of the Munchkin tracking code on the website is one thing; what is your view on the Marketo landing pages, and how could we possibly place a pop-up window on them? Is there any functionality which can erase tracking from the activity log?

                                                 

                                                I would much appreciate your thoughts.

                                                Gabby

                                              • Re: GDPR - What are you doing to prepare?
                                                Simone Vincent

                                                We need to collect/monitor/audit etc permissions for other non-digital channels that aren't pushed via Marketo. What systems are you integrating with to support this additional level of permissioning?

                                                • Re: GDPR - What are you doing to prepare?
                                                  Amanda Thomas

                                                  Hi All,

                                                   

                                                  Just posted some slides and notes I took from a GDPR workshop I attended earlier this week. Link below.

                                                  GDPR Workshop From TrustArc

                                                  1 of 1 people found this helpful
                                                  • Re: GDPR - What are you doing to prepare?
                                                    Aaron Anzaldua

                                                    This is a hot topic in the Martech space and I am starting to have a lot of conversations around GDPR, and there seem to be a lot of companies scratching their heads on what actions need to be taken to be GDPR compliant.  This is something that my company Openprise can help with.

                                                     

                                                    Before GDPR (General Data Protection Regulation), a couple of simple tweaks to your process, a line of text, a roll of your eyes and congratulations, you just complied with the latest acronym. But, not this time. With GDPR, the things marketing and sales teams do every day can cost you:

                                                     

                                                    • Hit the magic button inside Salesforce to enrich a lead with an email and phone from a 3rd party provider.
                                                    • Email a spreadsheet of contacts to your trusted agency partner
                                                    • Watch data flow seamlessly from your marketing automation solution to another app, exactly like it was designed to do.

                                                    If you've got personally identifiable information (PII) from anyone in the European Union in any of those, and you don't have a DPA (Data Processor Agreement) in place with those companies, you're not GDPR compliant, and it could cost your company up to 4% of a company's annual global revenue.

                                                     

                                                    This is something that Openprise can definitely help with.  We can help you control the flow of EU data out of your company through fine-grained data filters and permission roles.  Identify leads and contacts that fall under GDPR, even without a valid country field value.

                                                     

                                                    Please do let me know if this is something you would like to chat about further.  :-)

                                                     

                                                    GDPR Compliance - Accomplish It with Ease via Openprise

                                                     

                                                     

                                                    • Re: GDPR - What are you doing to prepare?
                                                      Diego Lineros

                                                      I think that everyone should consider "Consent" or "No Consent" as the most important "Interesting Moment". Interesting moments are shown in CRM, can't be deleted or overwritten and can be populated with the subscription centre information provided by the lead and system tokens. You can also create a smart campaign to alert and ask the lead to renew the "consent" once it has expired.

                                                      2 of 2 people found this helpful