Managing GDPR Data Rights in Marketo

Michelle_Miles3
Level 9 - Champion Alumni

The GDPR compliance deadline is looming…have you prepared for the different data rights scenarios in your database?


It is likely that within your database, you’ll have varying levels of data processing rights. Common scenarios you’ll need to account for in your data rights center Marketo program:

  • Personal data to maintain and use - this encompasses both consent & legitimate interest.
  • Personal data to use for a limited time period, such as access to a webinar or event.
  • Personal data to maintain and use for limited purposes, such as only for transactional or account communications, and not for marketing messages or scoring.
  • Lapse in consent or legitimate interest. This could be time or action based.
  • Offline consent given, perhaps from direct mail, a live event, a phone conversation or a personal meeting.

There are many options and your data rights center needs to accommodate all the scenarios.

Building a Data Rights Center


Just as you have a subscription center in Marketo, you’ll also want to build out a data rights center, detailing the rights you have to retain and process data, encompassing the scenarios previously mentioned.

To do this, there are a number of fields I find helpful and useful to retain:

  • Most recent activity date, most recent activity detail - important for supporting the “as long as necessary” data storage clause

  • GDPR data rights (Y/N) plus rights DateTimestamp - again supporting the “as long as necessary” clause

  • GDPR data rights source and notes - good for recordkeeping and for use in smart list filters to limit processing or to define your audience for wake-the-dead (WTD) nurtures, whitelisting, or data deletion.

If this sounds like a lot, it is. But remember, GDPR loves documentation!  If you’re ever subject to a compliance inquiry, you’ll be in a better position by having a complete data trail.

Data Rights Campaigns

Screen Shot 3.png

In the example above, these fields are populated if you have full data consent acquired with opt-in email consent. You would use something like this flow for populating fields with either consent or legitimate interest.

When setting up the smart list, remember, email consent CAN constitute data consent. And if you are claiming legitimate interest, be sure to consult with your legal team first. If going this route, you would set up a similar smart campaign for legitimate interest as defined with legal, such as legitimate interest via sales activity or an active contract.

In the data flow, populate each of the fields outlined. In this example, the data rights source is populated with the email opt-in source description. Then in the notes, categorize this as “opt in email consent.” It’s useful to have different fields for source and notes as the source could explain why you have legitimate interest or where consent came from. You can then populate your notes section with common phrases you can use in filters, such as “limited processing consent - no scoring” or “retain for 30 days only”. This helps adapt to the various data rights scenarios.


When establishing rights lapses, timestamps are important: review the consent date and the most recent engagement. You might discover it’s time to send a whitelisting or wake-the-dead nurture to these records! If consent or legitimate interest does lapse, you’ll need campaigns to properly process the records, either deleting them or marketing-suspending them as appropriate.

Building a Preference Center to Manage Individual GDPR Rights


Finally, you’ll also want to build a Preference Center to automate how you’ll process requests from consumers exercising their individual GDPR rights, including:

  • Opt-in and unsubscribes
  • Data exports and transfers
  • Data breach notification
  • Policy requests
  • Data erasure

Want more actionable tips plus other helpful GDPR resources? 

Download our Ultimate GDPR Toolkit, which contains:

  • The on-demand recording of my Marketo Summit breakout session, “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations.”
  • Our new GDPR LookBook, chock full of creative suggestions and visual examples for post-GDPR marketing
  • The Marketo Client’s Guide to GDPR Compliance Whitepaper
  • GDPR FAQ eBook: Legal Questions. Straightforward Answers.
  • GDPR Data Processor Compliance Assessment

Get your copy now...it’s free!  http://bit.ly/2wvF1OZ
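
The rights-lapse handling described under Data Rights Campaigns, shown in Python as an added example that is not part of the original post and is not Marketo code. It uses the fields listed above and the notes phrases from the post; the `DataRights` class, the action names, the one-year lifetime and the 30-day re-permission window are assumptions to replace with what your privacy policy and legal team define.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration; take the real ones from your privacy policy.
CONSENT_LIFETIME = timedelta(days=365)
REPERMISSION_WINDOW = timedelta(days=30)

@dataclass
class DataRights:
    has_rights: bool                      # GDPR data rights (Y/N)
    rights_timestamp: Optional[datetime]  # rights DateTimestamp
    source: str                           # GDPR data rights source
    notes: str                            # GDPR data rights notes (filter phrases)
    last_activity: Optional[datetime]     # most recent activity date

def next_action(r: DataRights, now: datetime) -> str:
    """Decide how one record may be processed, from its documented rights."""
    if not r.has_rights or r.rights_timestamp is None:
        return "suspend_or_delete"        # no documented basis to process
    notes = r.notes.lower()
    if "retain for 30 days only" in notes:
        # Fixed retention counts from the rights timestamp; activity does not extend it.
        expired = now - r.rights_timestamp > timedelta(days=30)
        return "suspend_or_delete" if expired else "process_limited"
    # Otherwise the clock restarts at the later of consent and last engagement.
    anchor = max(r.rights_timestamp, r.last_activity or r.rights_timestamp)
    age = now - anchor
    if age > CONSENT_LIFETIME:
        return "suspend_or_delete"
    if age > CONSENT_LIFETIME - REPERMISSION_WINDOW:
        return "send_repermission_nurture"
    return "process_limited" if "limited processing" in notes else "process"

# Constructed sample records (not real data).
NOW = datetime(2018, 6, 1)
SAMPLES = {
    "fresh_opt_in": DataRights(True, datetime(2018, 3, 1), "webinar form", "opt in email consent", None),
    "no_scoring": DataRights(True, datetime(2018, 1, 10), "active contract",
                             "limited processing consent - no scoring", datetime(2018, 5, 2)),
    "event_only": DataRights(True, datetime(2018, 4, 1), "event badge scan", "retain for 30 days only", datetime(2018, 5, 30)),
    "near_lapse": DataRights(True, datetime(2017, 6, 20), "newsletter form", "opt in email consent", None),
    "lapsed": DataRights(True, datetime(2016, 2, 1), "trade show", "opt in email consent", datetime(2017, 3, 1)),
    "undocumented": DataRights(False, None, "", "", datetime(2018, 5, 1)),
}

def classify_samples() -> dict:
    return {name: next_action(r, NOW) for name, r in SAMPLES.items()}
```
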

3 Comments
Amanda_Thomas6
Level 9

Michelle Miles these posts are amazing. Thanks again for sharing all of your knowledge!

We use short forms on our site for those that have already given all the information we request on a long form. This includes people that have agreed to terms of service & privacy policy before and after 5/25.  We've had amazing results of leads progressing through the funnel at a much faster rate.

I figure, we continue with the short form as is...and add the marketing opt in box on the form if at the time they're not opted in to marketing. Our questions are:

1. need to show the data privacy policy check box & the marketing opt in check box to UK even if they're already in our system

2. do we need to reconfirm opt in/present the opportunity to opt out for all EU citizens on and after 5/25?

3. do we need to reconfirm opt in/present the opportunity to opt out for all EU citizens with every form fill?

Amanda_Thomas6
Level 9

Hey Champion Program Champions...wondering what you guys are showing for opt in fields on your web forms when someone is already opted in.

We use short forms on our site for those that have already given all the information we request on a long form. This includes people that have agreed to terms of service & privacy policy before and after 5/25.  We've had amazing results of leads progressing through the funnel at a much faster rate.

I figure, we continue with the short form as is...and add the marketing opt in box on the form if at the time they're not opted in to marketing. Our questions are:

1. need to show the data privacy policy check box & the marketing opt in check box to UK even if they're already in our system

2. do we need to reconfirm opt in/present the opportunity to opt out for all EU citizens on and after 5/25?

3. do we need to reconfirm opt in/present the opportunity to opt out for all EU citizens with every form fill?

Michelle_Miles3
Level 9 - Champion Alumni

Hi Amanda Thomas - Sorry for the delay, I was on vacation.

1) I think you need to think about your data transparency for your entire database. Have existing records acknowledged your privacy policy? If not, you may want to present the opt-in and/or data privacy checkbox. I generally try to do one checkbox where people opt in to communications and acknowledge a privacy policy I have linked.

2) If you have a valid opt-in you do not need to re-confirm. But consider if you have the supporting documentation (opt in source, dateTimestamp, IP address) and data processing consent if someone challenges you. If not, you may need to reconfirm.

3) No, you do not need to do this with every form fill if you already have opt in consent. But keep in mind that consent does not last forever, only for a "reasonable amount" of time as disclosed in your privacy policy. For example, one year after the lead's last interaction with you.

I hope this helps!

Michelle