GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Anonymous
Not applicable


Hi Guys,

Today I received an email to download "Implementing the SiriusDecisions Data Privacy Compliance Model". Sounds great, right?! Then I noticed on page 8 an example of the data capture form. I am trying to get my head around how to implement all the aspects of GDPR into Marketo, but that looks a bit wrong to me. Only the email address can be a mandatory field, right?


Many Thanks

Gabby

Level 10 - Champion Alumni

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

On our forms, "Country (of residence)" is also a required field as it helps us to understand who, within our database, is covered by GDPR law.  Obviously not 100% foolproof, but still a key data point.

I'm really surprised this is the guidance provided by SiriusDecisions (who I look to often for best-practice marketing guidance).  On the form above, you cannot make specific consent fields mandatory (the last two on the form).  This is illegal.  GDPR specifically states that "consent must be freely given" and "organizations cannot prevent the performance of a contract (in this case, downloading the toolkit) conditional upon consent".  Here's more detail around this:


Source: Chapter 8: Consent – Unlocking the EU General Data Protection Regulation | White & Case LLP Internat...

Anonymous
Not applicable

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Great sum-up, Dan. Yes, I was as surprised as you are.

There are many grey areas when it comes to GDPR, but making fields mandatory in data capture is one of the clearest sections.

Only the email address can be mandatory; a consent tick box or profiling tick box cannot be ticked by default or made mandatory.

Level 10 - Champion Alumni

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Other fields can be made mandatory as well, as long as they fall within the "legitimate interest" definition of GDPR. The "country" example I provided above is an example of this.
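The two rules from this exchange (only email, plus documented legitimate-interest fields, may be required; consent and profiling boxes may be neither required nor pre-ticked) can be checked mechanically against a form definition before it goes live. The following audit function is an added example, not code from the thread, Marketo or SiriusDecisions; the field schema, the `kind` values and the sample form are constructed for illustration.

```javascript
// Field kinds that carry a GDPR consent decision (constructed naming, not a Marketo API).
const CONSENT_KINDS = new Set(["consent", "profiling"]);

// Audit a form definition against the consent rules discussed above.
// fields: [{ name, kind, required, defaultValue }]
// legitimateInterest: field names a documented legitimate-interest assessment allows to be required.
// Returns a list of findings; an empty list means the form passes these checks.
function auditForm(fields, legitimateInterest = new Set(["country"])) {
  const findings = [];
  for (const f of fields) {
    if (CONSENT_KINDS.has(f.kind)) {
      // Consent must be freely given: never a condition of getting the download.
      if (f.required) findings.push({ field: f.name, issue: "consent field marked required" });
      // Consent must be an affirmative act: never pre-ticked.
      if (f.defaultValue === true) findings.push({ field: f.name, issue: "consent box pre-ticked" });
    } else if (f.required && f.name !== "email" && !legitimateInterest.has(f.name)) {
      // Any other required field needs a documented legitimate-interest basis.
      findings.push({ field: f.name, issue: "required field without documented legitimate interest" });
    }
  }
  return findings;
}

// Constructed sample form resembling the one debated above (not the report's actual form).
const SAMPLE_FORM = [
  { name: "email", kind: "text", required: true },
  { name: "country", kind: "select", required: true },
  { name: "phone", kind: "text", required: true },
  { name: "marketingConsent", kind: "consent", required: true, defaultValue: false },
  { name: "profilingConsent", kind: "profiling", required: false, defaultValue: true },
];

// Clean version of the same form: consent boxes optional and unticked, phone optional.
const FIXED_FORM = SAMPLE_FORM.map((f) =>
  CONSENT_KINDS.has(f.kind)
    ? { ...f, required: false, defaultValue: false }
    : f.name === "phone" ? { ...f, required: false } : f
);

console.log(auditForm(SAMPLE_FORM)); // three findings: phone, marketingConsent, profilingConsent
console.log(auditForm(FIXED_FORM));  // []
```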

Level 10 - Champion Alumni

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

I took a look at the report referenced here. I don't believe SD is saying the form shown here is a compliant form. This may have been taken out of context from the objective of the report. Instead, the form shown here was simply used as an example during one of the steps outlined in the report, specifically the "Implementation Framework: Audit" step. In this case, it would be noted, as part of this audit, that making the consent fields on this form mandatory would be a violation of GDPR principles.


Level 7 - Champion Alumni

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Great points and good discussion.

Here is something I was thinking about in relation to this.

Let's say we restrict all marketing/comms to corporate email addresses only (for sake of this argument).

If we don't have proper consent to send emails to john.smith@ibm.co.uk or something, then we are out of compliance/exposed.

Which means that IBM UK can sue us for spam. Is that right? And would they sue us for spam?

And to take this a step further, if you were located in the EU and received an unsolicited email to your corporate address, would you try to sue the sender?

Would love some additional insight on this, thanks!

Level 10 - Champion Alumni

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Which means that IBM UK can sue us for spam. Is that right? And would they sue us for spam?

Under GDPR, a user in the EU who has not provided their consent can file a complaint with the GDPR. And if the GDPR finds that the sender of the email is in violation of GDPR compliance, they will be held liable. From what I understand, there will be a tiered structure when it comes to the fines:

  • Issue warnings
  • Issue reprimands
  • Issue tier 1 fine (up to 10 million euros or 2% of global company revenue - whichever is greater)
  • Issue tier 2 fine (up to 20 million euros or 4% of global company revenue - whichever is greater)

The amount of the fines is based on the following:

  • The nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them)
  • Whether the infringement was intentional or negligent
  • Whether the controller or processor took any steps to mitigate the damage
  • Technical and organizational measures that had been implemented by the controller or processor
  • Prior infringements by the controller or processor
  • The degree of cooperation with the regulator
  • The types of personal data involved
  • The way the regulator found out about the infringement

I think it's clear that those companies that will be most impacted and in violation are ones that practice old-school marketing: purchase third-party lists, guess/formulate company email addresses based on current format/structure of the email, don't capture and/or disregard opt-in consent, "batch and blast" mentality, etc.

Oh and BTW, these fines are made payable to the GDPR, not the party making the complaint.

Anonymous
Not applicable

Re: GDPR- Report on How you can ensure company-wide data compliance standards (including GDPR legislation)

Great summary, Dan. I believe now is a good time (if not already done) to run a data audit. It's a time-consuming process, but it will give you peace of mind about where you stand, especially if you are using 3rd-party lists. I would also recommend introducing a simple email campaign where you inform your contacts that you hold their details and let them select preferences appropriate for their needs or simply unsubscribe.

Great conversation.

Gabby