Curious to hear how others are preparing for General Data Protection Regulation (GDPR)?
Noting that these comments do not constitute legal advice (that needs to come from your legal team), a couple of comments for you and others in this discussion.
As with all data protection laws, compliance requires commitment from both technology providers and their customers; to one of the points in this thread, we (Marketo) can't "make you compliant". Specific to the GDPR, there are new requirements on “Data Processors” such as Marketo. We will be in compliance with the GDPR by May 25th, 2018 (the date it comes into force), and Marketo’s services already include the functionality necessary for our customers to comply with the GDPR’s requirements on them. To the latter point, I'm in the process of documenting the functionality that will help with that, but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences.
There are two key areas of the GDPR that are particularly pertinent to marketers that I'd draw your attention to, and that consequently require careful assessment of past, current and future practices. The first is consent by the individual to collect and use their personal data, and the second is accountability, namely being able to demonstrate how they comply with the principles of the GDPR.
As I mention above, we will be publishing more on this topic. The deeper content will take a while, but we'll have updates coming through via Marketo.com; I can link to those as we publish. For now there is a useful resource we have licensed for our customers here
I know that our company also is in the weeds trying to prepare for this. I also know that Grégoire Michel has included this in an ideas forum. Any update or active project from the Marketo side of things?
I spoke with Marketo folks about it at the Summit, they are preparing for GDPR and should share some info in the near future.
We are hiring a third-party company to do an audit of our process to make sure we are compliant; fines go up to 20 million euros, so we are trying to be extra careful.
Yes, the fines are astronomical! Definitely not something you want to play around with and merely get slapped on the wrist for. We also are having a third party from Europe help us outline our process to confirm we are compliant. I want to tag Janet Dulsky on this post to see if she can shed any light on this. May is still a ways off, but it will be here before we know it.
Brittany Stover, yes, Marketo is absolutely preparing for GDPR and, in fact, my colleague Jack Yusko is leading the charge and can give you more color.
Thank you, Janet
I would as well. Better yet, would love to see some posts here in the community - direct from Marketo - on how Marketo will be doing what they can from a platform/infrastructure perspective - in ensuring all customers are compliant with GDPR.
I second that!
Appreciate your input Peter, totally agree. Not only do we have a well-staffed legal team working with us on this, but a formal steering committee consisting of functional leads from around the world and recruiting data privacy officers for our various regions. But as Marketo is the "data processor" we're glad to finally get some perspective on this from Marketo (and glad that Marketo will be fully compliant).
I guess what's most concerning (not from Marketo) is some of the uncertainties that still exist (some of the final legislation may not be complete until early May 2018), most specifically around "legitimate interest". Google it and you'll find so many interpretations of what this means. Again, this is why it's so important that every company has the proper resources in place (legal, data privacy officers, consultants, etc.). For example, I found this as one of the various interpretations of LI by a certain company (which I will not disclose). Something tells me this will not hold up under GDPR - but we'll see.
XYZ Company processes only non-sensitive personal data that is aggregated from publicly available sources and relates to only what the PECR refers to as corporate subscribers. Under both the current PECR and the new PECR, opt-in consent will not be required for B2B email marketing so long as recipients can easily unsubscribe/opt-out. This will be honored by ensuring very clear opt-out / unsubscribe options are available to them in all communications sent to them. XYZ Company will be conducting an impact assessment to further underline and support its position of legitimate interests such as under GDPR Recital 47, which states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
I am not a lawyer; I am a marketer who has been studying UK ICO guidance and other sources to learn how GDPR will affect our handling of personal data related to marketing within our company.
From my readings, the opt-in or opt-out requirement for email marketing to the B2B market has not yet been fully defined. The wording is not prescriptive and neither is current guidance. I agree that the current UK position is that opt-out is the norm. BUT Germany has, I am led to believe, stated that it will need to be opt-in. And as PECR and GDPR will need to adhere to the one central EU standard, rather than the current national standard, it is thought that SHOULD the UK interpretation (OUT) ever be tested in the EU courts it could be challenged as a higher standard exists, and is therefore legally vulnerable. I.e. prepare for opt-in requirements for email B2B marketing, as well as opt-in consent to actually store marketing data, though I realise there are 5 other definitions under which personal data can be stored without consent being required.
What concerns me is the scope of GDPR is not understood.
- A data controller or processor WITHIN the EU protects ALL DATA SUBJECTS REGARDLESS of their nationality, residency, location and place of processing
- A data controller or processor NOT IN THE EU protects any data subject in the EU where processing relates to offering goods or services (MARKETING) or monitoring behavior which takes place in the union
I can imagine it will come as a shock to any non-EU marketing team to learn that they need to handle personal data under guidelines determined by European law, and that failure to do so 'could potentially' result in either fines of 4% of group turnover or €20m, whichever is higher... though quite how all of this will be policed outside of the EU.
Good points Mark. I think many are so focused on "consent" in terms of email opt-ins, and not realizing the implications of the other type of consent: the ability (or I should say "inability") to track known users online - in this case, placing the Munchkin tracking cookie on a user's browser to track ongoing behavior/engagement. Today, many of us who have country-based sites (in addition to our global site), are able to get by with implied consent (if they click the "x" to hide the banner and continue to use the site, we can place cookies on their device):
But with GDPR, tracking users is now going to require explicit consent (including the ability to opt-out in the future) and will require a much more complex opt-in process, for example:
Not only does that add technical complexity for us (since we'll need to offer the ability to opt-in/out of each type of cookie), but negatively affects the overall visitor experience with these annoying pop-ups. This will also significantly diminish the value that Marketo - and other marketing automation platforms - brings to marketing organizations since we'll basically have to disable this "non-essential" tracking by default. And only enable it when someone opts-in.
All great points - I agree.
It's also the implication I am trying to understand.
How will Marketo allow website owners to manage preferences for website visitors?
What will the impact be if they opt out of profiling?
Will consent to email marketing require double opt-in to verify that the address in the form submitted belongs to the person who submitted the form (i.e. they need to click a link in an email)? What happens to that data in the meantime: is it temporarily stored in Marketo until verified and then added to our account?
My understanding of the problems leads me to believe the answer lies in a 'preference management' page for a user, whereby they can opt in / out of tracking (profiling) and email marketing, AND also see their registration data and amend it as they wish.
But then this changes the data model for Marketo from a one-way submission and store on a cookie, to a user management, two-way comms flow that is able to pull information from Marketo(?) and show on a page.
From my limited understanding of Marketo, that's not possible? Marketo only pushes from website to Marketo to CRM?
- so suddenly website managers will need to find a way of PULLING user profile data / preferences from the CRM to display on their websites, whilst still ensuring all values are in sync and consent is stored (and dated, and noted where consent was given from (i.e. specific website activity))
Anyone got any data models showing the required flows for this?
I am trying to get an understanding now, but my Marketo contact doesn't seem to understand the issue (perhaps because they are based in the USA and therefore unaware of the potential impact of GDPR).
We will address consent in both contexts - namely consent to digital communication and consent to monitoring. In relation to monitoring, we can honor DNT today and you can provide the site visitor the choice to opt out of tracking; both are standard functionality within Marketo today.
However, this is a broader and complex topic and you'll have many cookies performing various functions on your website; Marketo is but one of those. I'm sure your legal teams will be aware, but the ePrivacy directive, which is still in draft, will offer further legal guidance on the topic, and our legal team are monitoring and assessing that guidance. Proposed amendments to the draft were published this week. This is a useful summary.
Peter, will there be any enhancements made in Marketo to offer "do not track" at the user level (and coincide with some sort of preference center)? The current implementation of DNT in Marketo is to honor this at the BROWSER level, not the user level.
Edit "Do Not Track" Browser Support Settings - Marketo Docs - Product Docs
As DNT is a browser setting (where the browser, when DNT is turned on, sends an HTTP header requesting that no tracking be performed), it is not possible to overcome the natural limitations of shared browser use, etc.
More accurate and closer to user level is Munchkin tracking, but we're still talking cookies and the limitations thereof. We can place a mkto_opt_out cookie on the browser which tells Munchkin to no longer track the user for that website.
The simplest way to do this is to place a link on a page (typically a privacy page or similar) that redirects them to a landing page containing the opt out parameter (can be added to a Marketo landing page or a page with Munchkin tracking on):
The same can be done via API if you're building a more comprehensive solution to cookie behaviour on your site.
Just a quick update for everyone on this thread. We have published a formal update in our legal section on marketo.com
This makes many of the same points I made here last week but may be useful with your own legal teams as it is a formal statement from us.
Again we'll be publishing more as soon as possible.
You mentioned you would be creating documentation on GDPR compliance processes. Have you published/made on any headway on that?
"documenting the functionality that will help with that, but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences."
We have documented a lot of this at learn.perkuto.com/gdpr and have a whitepaper with lots of handy checklists.
Me too. We are behind in these preparations and it's nearly upon us.
I'd have to think GDPR will impact a large percentage of Marketo's customers given how many of us operate in the global economy (even if we don't have physical locations outside of the US (we have 23, btw)). I think this survey proves it thus far: How many of you will be impacted by the EU GDPR?
I think come May a LOT of companies are going to be having an OH NO moment!
Hi everyone, hope you’re all doing well. I’m with the Privacy team here at Marketo and we are hard at work implementing a comprehensive GDPR compliance program, leveraging resources from across the organization to ensure that Marketo is GDPR compliant and that all Marketo customers have the tools they need to bring their Marketo instances into compliance with all relevant GDPR provisions. While I wish that I could connect with each of you individually, with 5,000+ customers I would quickly run out of time to actually implement our compliance initiatives!
Our GDPR website is currently in the publishing process and we expect it to go live within the next week or two. We are also putting together guidance on consent (including a number of common scenarios involving obtaining, documenting, and maintaining consent) and the accountability principle (including information on audit trail, activity log, and role-based permissions). If you’d like more information on the compliance initiatives we’re implementing in our organization, ask your CSM for our GDPR summary document.
Our Sr. Director of Product Marketing in EMEA wrote the following blog post that I hope you’ll find interesting:
Here’s a how-to guide on implementing a preference center:
While the GDPR may seem daunting, it is a great opportunity to put ourselves in the data subject’s shoes and position ourselves as leaders in the engagement economy.
Are there any updates on the Marketo GDPR website you are publishing?
Also, I can see Marketo is talking about DNT functionality being already in place; however, that would disable the tracking, not enable the tracking when people are agreeing to be tracked, which is the GDPR requirement. My understanding of it is to have a tracking switch on by default and only when people are opting in can we enable the tracking.
Moreover, as was discussed on another discussion chain, the opt-out parameter on the landing page only works for v152; however, our version is 151.
Also, disabling the function of the Munchkin tracking code on the website is one thing, but what is your view on the Marketo landing pages, and how could we possibly place a pop-up window on them? Is there any functionality which can erase tracking from the activity log?
I would much appreciate your thoughts.
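The two mechanisms discussed in this thread (Peter's note that Munchkin honors DNT and a mkto_opt_out cookie, and Mihaela's point that GDPR wants tracking off by default and enabled only on opt-in) can be combined into a small consent gate. This is an added example, not Marketo's code or anything from the thread; it assumes a consent cookie named mkto_consent written by your own banner or preference center, the standard Munchkin loader script and Munchkin.init(id), and uses a placeholder Munchkin ID.

```javascript
// Added example (not Marketo's code): gate Munchkin behind explicit consent.
// Tracking stays OFF by default; it is enabled only when the visitor has
// opted in AND has not signalled Do Not Track AND has not set the
// mkto_opt_out cookie that Munchkin itself honours.
// Assumptions (not from the thread): a consent cookie named "mkto_consent"
// written by your banner/preference center with value "granted" or "denied",
// the standard loader //munchkin.marketo.net/munchkin.js and Munchkin.init(id).
const MUNCHKIN_ID = "000-AAA-000"; // placeholder; substitute your Munchkin ID
const CONSENT_COOKIE = "mkto_consent";

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Decide whether Munchkin may be loaded. Returns { track, reason }.
// dnt is navigator.doNotTrack (or the DNT request header): "1" means on.
function trackingDecision(cookieString, dnt) {
  const c = parseCookies(cookieString);
  if (dnt === "1" || dnt === "yes") return { track: false, reason: "dnt" };
  if (c.mkto_opt_out !== undefined) return { track: false, reason: "mkto_opt_out" };
  if (c[CONSENT_COOKIE] === "granted") return { track: true, reason: "consent" };
  return { track: false, reason: "no-consent" }; // default: no tracking
}

// Browser-only: inject the Munchkin script only when the decision allows it.
// Returns true if the script was injected, false otherwise (incl. outside a browser).
function loadMunchkinIfConsented() {
  if (typeof window === "undefined" || typeof document === "undefined") return false;
  const d = trackingDecision(document.cookie, navigator.doNotTrack);
  if (!d.track) return false;
  const s = document.createElement("script");
  s.async = true;
  s.src = "//munchkin.marketo.net/munchkin.js";
  s.onload = () => window.Munchkin.init(MUNCHKIN_ID);
  document.head.appendChild(s);
  return true;
}

// Call from the banner's accept/withdraw handler: record the choice for a
// year, then load Munchkin only on a positive choice.
function recordConsentAndLoad(granted) {
  if (typeof document === "undefined") return false;
  const v = granted ? "granted" : "denied";
  document.cookie = CONSENT_COOKIE + "=" + v + "; Max-Age=31536000; Path=/; SameSite=Lax";
  return granted ? loadMunchkinIfConsented() : false;
}
```

Withdrawal of consent only stops future page hits from being tracked; as Sanford notes later in the thread, already-logged activity cannot be erased from the Activity Log.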
See my answers on your other thread GDPR - how to disable munchkin code from Marketo Landing pages.
Also, disabling the function of the Munchkin tracking code on the website is one thing, but what is your view on the Marketo landing pages, and how could we possibly place a pop-up window on them?
Same way you would place a modal on any page -- Marketo templates can load the same JS you're using on your corporate site.
Is there any functionality which can erase tracking from the activity log?
No, you cannot erase actions from the Activity Log.
Of course, if you only have one action logged; it was a still-anonymous session (so you would not even see it at the Marketo person level); and you never add any additional actions, that may not reach the level of "tracking."
After all, it's not as if Marketo's webserver (or your corporate webserver) will not write a line to its HTTP logfile for that same single hit. Stitching multiple hits together via cookie- or URL-based session information is what commonly constitutes tracking an end-user. Your legal team will make the final call, but they often (or nearly always) have no comprehension of the difference between standard logging and tracking.
Thank you Sanford Whiteman. That leaves me with a question: is there a way to have Munchkin switched off by default and enable Munchkin as and when people opt in to being tracked?
Let's switch this to your other thread GDPR - how to disable munchkin code from Marketo Landing pages. Working on old threads ends up being bad for future searches (and only the OP can mark one answer as Correct).
(Also, you don't really have to @ me as I'm always checking the Community!)
We need to collect/monitor/audit etc permissions for other non-digital channels that aren't pushed via Marketo. What systems are you integrating with to support this additional level of permissioning?
There are website compliance software solutions that can present the website visitor with the choice to allow or block cookies by type. For example, they scan your website on a regular basis and present the visitor with an updated list of cookies. They inform the visitor what each cookie does and allow them to both give and withdraw consent. As long as they give consent to your Marketo tracking cookie, you can use that.
I am implementing this one: GDPR website compliance software solution - IT Trust
Best of luck!
Sanford Whiteman, I appreciate your reminder to our members about our Community Guidelines. I did reach out to Mihaela Bisnel directly.
Some documentation I've found on this...
GDPR: Ready or Not, Here it Comes
Just posted some slides and notes I took from a GDPR workshop I attended earlier this week. Link below.
GDPR Workshop From TrustArc
This is a hot topic in the Martech space and something I am starting to have a lot of conversations around; there seem to be a lot of companies scratching their heads on what actions need to be taken to be GDPR compliant. This is something that my company Openprise can help with.
Before GDPR (General Data Protection Regulation), a couple of simple tweaks to your process, a line of text, a roll of your eyes and congratulations, you just complied with the latest acronym. But, not this time. With GDPR, the things marketing and sales teams do every day can cost you:
This is something that Openprise can definitely help with. We can help you control the flow of ED Data out of your company through fine-grained data filters and permission roles, and identify leads and contacts that fall under GDPR, even without a valid country field value.
Please do let me know if this is something you would like to chat about further. :-)
GDPR Compliance - Accomplish It with Ease via Openprise
I think that everyone should consider "Consent" or "No Consent" as the most important "Interesting Moment". Interesting Moments are shown in CRM, can't be deleted or overwritten, and can be populated with the subscription centre information provided by the lead and system tokens. You can also create a smart campaign to alert and ask the lead to renew the "consent" once it has expired.