As a company operating in the EU (and globally), we're trying to get prepared for GDPR and keep getting stuck in the same place. We can't ever avoid our data being transferred outside of the EU because 1. Marketo is hosted in the USA (correct?), and 2. we have multiple regions across the globe using the same instance.
As GDPR dictates that we need to be explicit in how we handle contact data, our Data Protection Officer had previously advised that we should have a checkbox on all forms which says 'I agree that my personal information can be made available to Argus Group companies and Argus services providers outside of the EEA'. Sounds fine in principle, but essentially, even if they don't check that box and submit, their data will still be available to other regions - we can't physically lock it down can we? And often wouldn't want to as we run cross-regional campaigns.
What to do in this scenario? We can't make people check the box just to be able to submit the form. Equally, we don't want to stop people accessing the info behind a form, just because they don't want their data to be made available outside of the EEA. Want to avoid changing forms individually and go for a one size fits all sort of approach.
Any feedback on what similar companies are doing would be great. Are we worrying unnecessarily?
Hi Carly Stevens,
This doesn't answer your entire question, but can you not use the one form and dynamically hide and show elements based on a country drop-down? If they select a certain country, you show a different terms and conditions box and then choose whether or not to make it required in order to access the content.
Hi Gerard, thanks for this - yes we have thought about displaying dynamically. Either way still stuck with the fact that for EEA members, I don't feel we're really giving people an option to opt out of that data sharing because it happens anyway...
There's also some risk in using a "country" value to determine if GDPR applies to the individual. GDPR applies to anyone in the EU, including US travelers or those in Europe on extended business. Which is why most DPOs and legal teams - including those at our company - are treating GDPR as global law. Not to mention, if you're going through all of this effort now to comply, you might as well apply it everywhere, since there's a pretty good chance that other regions like North America and APAC will adopt similar laws eventually.
And it also applies to all EU citizens, wherever they are in the world (even living or on an extended business trip outside of the EU), so +1 on Dan's point about having different policies depending on the country.
Hi Greg - that's actually contradictory to what we've been told (both externally and from our internal legal teams). For example, if a German citizen is living in NY for JP Morgan/Chase and is being marketed to by us here in the US. GDPR compliance does not apply to this individual.
The location of your data depends on your Marketo pod. You can know it from the URL in your browser when you are connected to Marketo. It will usually start with app-XX, and XX will tell you the pod: "sj" for San Jose, "lon" for London, etc.
There are 2 aspects to the RGPD: agreement to the storage of the data and agreement to the usage of that data for specific treatments (such as sending batch emails). Some of our clients have decided to have 2 checkboxes on their forms, one for each aspect, the first one being mandatory to be able to validate the form (in other words, if you do not agree with the vendor storing the data somewhere, you cannot get access to the content).
Some of our customers, on the contrary, have preferred to have only 1 checkbox for both aspects and have a smart campaign that erases the data from Marketo immediately after the form submit if the box is unchecked.