Re: GDPR - What are you doing to prepare?

Michelle_Miles3
Level 9 - Champion Alumni

Me too!

Michelle Miles
Dan_Stevens_
Level 10 - Champion Alumni

I would as well. Better yet, I would love to see some posts here in the community, direct from Marketo, on how Marketo will be doing what they can from a platform/infrastructure perspective to ensure all customers are compliant with GDPR.

Peter_Bell
Level 2

Hi Dan,

Noting that these comments do not constitute legal advice (that needs to come from your legal team), a couple of comments for you and others in this discussion.

As with all data protection laws, compliance requires commitment from both technology providers and their customers; to one of the points in this thread, we (Marketo) can't "make you compliant". Specific to the GDPR, there are new requirements on "Data Processors" such as Marketo. We will be in compliance with the GDPR by May 25th, 2018 (the date it comes into force), and Marketo's services already include the functionality necessary for our customers to comply with the GDPR's requirements on them. To the latter point, I'm in the process of documenting the functionality that will help with that, but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences.

There are two key areas of the GDPR that are particularly pertinent to marketers that I'd draw your attention to and that consequently require careful assessment of past, current and future practices. The first is consent by the individual to collect and use their personal data, and the second is accountability, namely being able to demonstrate how they comply with the principles of the GDPR.

As I mention above, we will be publishing more on this topic. The deeper content will take a while, but we'll have updates coming through via Marketo.com; I can link to those as we publish. For now there is a useful resource we have licensed for our customers here.

Peter

Boone_White1
Level 2

Hi Peter,

You mentioned you would be creating documentation on GDPR compliance processes. Have you published or made any headway on that?

"documenting the functionality that will help with that but if you know your Marketo then this is about modifying forms to include the correct consent and privacy notices and having your programs respect the end customer preferences."

Michelle_Miles3
Level 9 - Champion Alumni

We have documented a lot of this at learn.perkuto.com/gdpr and have a whitepaper with lots of handy checklists.

Michelle Miles
Peter_Bell
Level 2

Just a quick update for everyone on this thread. We have published a formal update in our legal section on marketo.com.

This makes many of the same points I made here last week but may be useful with your own legal teams as it is a formal statement from us.

Again we'll be publishing more as soon as possible.

Peter

Dan_Stevens_
Level 10 - Champion Alumni

Appreciate your input, Peter; totally agree. Not only do we have a well-staffed legal team working with us on this, but a formal steering committee consisting of functional leads from around the world, and we are recruiting data privacy officers for our various regions. But as Marketo is the "data processor", we're glad to finally get some perspective on this from Marketo (and glad that Marketo will be fully compliant).

I guess what's most concerning (not from Marketo) is some of the uncertainties that still exist (some of the final legislation may not be complete until early May 2018). Most specifically around "legitimate interest". Google it and you'll find so many interpretations of what this means. Again, why it's so important that every company have the proper resources in place (legal, data privacy officers, consultants, etc.). For example, I found this as one of the various interpretations of LI by a certain company (which I will not disclose). Something tells me this will not hold up under GDPR, but we'll see.

XYZ Company processes only non-sensitive personal data that is aggregated from publicly available sources and relates to only what the PECR refers to as corporate subscribers. Under both the current PECR and the new PECR, opt-in consent will not be required for B2B email marketing so long as recipients can easily unsubscribe/opt-out. This will be honored by ensuring very clear opt-out / unsubscribe options are available to them in all communications sent to them. XYZ Company will be conducting an impact assessment to further underline and support its position of legitimate interests such as under GDPR Recital 47, which states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

Mark_Knight
Level 3

I am not a lawyer; I am a marketer who has been studying UK ICO guidance and other sources to learn how GDPR will affect our handling of personal data related to marketing within our company.

From my readings, the opt-in or opt-out requirement for email marketing to the B2B market has not yet been fully defined. The wording is not prescriptive and neither is current guidance. I agree that the current UK position is that opt-out is the norm. BUT Germany has, I am led to believe, stated that it will need to be opt-in. And as PECR and GDPR will need to adhere to the one central EU standard, rather than the current national standard, it is thought that SHOULD the UK interpretation (OUT) ever be tested in the EU courts it could be challenged as a higher standard exists, and is therefore legally vulnerable. I.e. prepare for opt-in requirements for B2B email marketing, as well as opt-in consent to actually store marketing data, though I realise there are 5 other definitions under which personal data can be stored without consent being required.

What concerns me is the scope of GDPR is not understood.

- A data controller or processor WITHIN the EU protects ALL DATA SUBJECTS REGARDLESS of their nationality, residency, location and place of processing

- A data controller or processor NOT IN THE EU protects any data subject in the EU where processing relates to offering goods or services (MARKETING) or monitoring behavior which takes place in the union

I can imagine it will come as a shock to any non-EU marketing team to learn that they need to handle personal data under guidelines determined by European law, and that failure to do so 'could potentially' result in either fines of 4% of group turnover or €20m, whichever is higher... though quite how all of this will be policed outside of the EU.

Dan_Stevens_
Level 10 - Champion Alumni

Good points, Mark. I think many are so focused on "consent" in terms of email opt-ins, and not realizing the implications of the other type of consent: the ability (or I should say "inability") to track known users online, in this case placing the Munchkin tracking cookie on a user's browser to track ongoing behavior/engagement. Today, many of us who have country-based sites (in addition to our global site) are able to get by with implied consent (if they click the "x" to hide the banner and continue to use the site, we can place cookies on their device):

[screenshot omitted]

But with GDPR, tracking users is now going to require explicit consent (including the ability to opt out in the future) and will require a much more complex opt-in process, for example:

[screenshots omitted]

Not only does that add technical complexity for us (since we'll need to offer the ability to opt in/out of each type of cookie), but it negatively affects the overall visitor experience with these annoying pop-ups. This will also significantly diminish the value that Marketo (and other marketing automation platforms) brings to marketing organizations, since we'll basically have to disable this "non-essential" tracking by default and only enable it when someone opts in.

Peter_Bell
Level 2

We will address consent in both contexts, namely consent to digital communication and consent to monitoring. In relation to monitoring, we can honor DNT today and you can provide the site visitor the choice to opt out of tracking; both are standard functionality within Marketo today.

However, this is a broader and more complex topic, and you'll have many cookies performing various functions on your website; Marketo is but one of those. I'm sure your legal teams will be aware, but the ePrivacy directive, which is still in draft, will offer further legal guidance on the topic, and our legal team are monitoring and assessing that guidance. Proposed amendments to the draft were published this week. This is a useful summary.

Dan_Stevens_
Level 10 - Champion Alumni

Peter, will there be any enhancements made in Marketo to offer "do not track" at the user level (and coincide with some sort of preference center)? The current implementation of DNT in Marketo is to honor this at the BROWSER level, not the user level.

[screenshot omitted]

Edit "Do Not Track" Browser Support Settings - Marketo Docs - Product Docs

Peter_Bell
Level 2

Hi Dan,

As DNT is a browser setting (where the browser, when DNT is turned on, sends an HTTP header requesting that no tracking be performed), it is not possible to overcome the natural limitations of shared browser use, etc.

More accurate and closer to user level is Munchkin tracking, but we're still talking cookies and the limitations thereof. We can place a mkto_opt_out cookie on the browser which tells Munchkin to no longer track the user for that website.

The simplest way to do this is to place a link on a page (typically a privacy page or similar) that redirects them to a landing page containing the opt-out parameter (can be added to a Marketo landing page or a page with Munchkin tracking on):

http://"customerpage"?marketo_opt_out=true

The same can be done via API if you're building a more comprehensive solution to cookie behaviour on your site.

Peter
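
As an added illustration of the signals Peter lists (the browser DNT flag, the mkto_opt_out cookie and the marketo_opt_out=true URL parameter), the gate below decides whether a site should load the Munchkin tracking script at all and records why. This is example code written for this thread, not Marketo's; only the cookie and parameter names come from the post, and the function names, the cookie value "true" and the cookie attributes are assumptions of the example.

```javascript
// Gate that runs before the Munchkin script is loaded. Honors three opt-out
// signals described in the thread: the ?marketo_opt_out=true URL parameter,
// the mkto_opt_out cookie, and the browser's Do Not Track flag.
// Cookie/parameter names are from the thread; the logic is this example's own.

// Parse a document.cookie / Cookie-header string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True when the browser asks not to be tracked. Browsers have exposed the
// flag under several property names; "1" or "yes" means "do not track".
function dntRequested(nav, win) {
  const raw = (nav && (nav.doNotTrack || nav.msDoNotTrack)) || (win && win.doNotTrack);
  return raw === "1" || raw === "yes";
}

// Decide whether tracking may run. The reason is returned so the site can
// log it, which supports the accountability requirement discussed above.
function trackingDecision({ cookieString, search, nav, win }) {
  const params = new URLSearchParams(search || "");
  if (params.get("marketo_opt_out") === "true") {
    return { allow: false, reason: "url-opt-out" };
  }
  const cookies = parseCookies(cookieString);
  if ("mkto_opt_out" in cookies) {          // presence alone is the signal
    return { allow: false, reason: "opt-out-cookie" };
  }
  if (dntRequested(nav, win)) {
    return { allow: false, reason: "dnt" };
  }
  return { allow: true, reason: "no-opt-out-signal" };
}

// Set-Cookie value a site could use to persist the visitor's opt-out choice.
// Attributes (Max-Age, Secure, SameSite) are chosen for this example.
function optOutCookie(days) {
  const maxAge = Math.max(0, Math.floor(days * 86400));
  return `mkto_opt_out=true; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}
```

When `allow` is false the site simply does not inject the Munchkin script, so no tracking cookie is ever written for that visitor.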

Mark_Knight
Level 3

All great points; I agree.

It's also the implication I am trying to understand.

How will Marketo allow website owners to manage preferences for website visitors?

What will the impact be if they opt out of profiling?

Will consent to email marketing require double opt-in to verify that the address in the form submitted is the person who submitted the form (i.e. they need to click a link in an email)? What happens to that data in the meantime? Is it temporarily stored in Marketo until verified and then added to our account?

My understanding of the problems leads me to believe the answer lies in a 'preference management' page for a user, whereby they can opt in/out of tracking (profiling) and email marketing, AND also see their registration data and amend it as they wish.

But then this changes the data model for Marketo from a one-way submission and store on a cookie, to a user management, two-way comms flow that is able to pull information from Marketo(?) and show it on a page.

From my limited understanding of Marketo, that's not possible? Marketo only pushes from website to Marketo to CRM?

- so suddenly website managers will need to find a way of PULLING user profile data / preferences from the CRM to display on their websites, whilst still ensuring all values are in sync, consent is stored (and dated, and noted where consent was given from (i.e. specific website activity))

Anyone got any data models showing the required flows for this?

I am trying to get an understanding now, but my Marketo contact doesn't seem to understand the issue (perhaps as they are based in the USA and therefore unaware of the potential impact of GDPR).

Anonymous
Not applicable

I second that!

Brittany_Stover
Level 5 - Champion Alumni

Katie Pope

I know that our company also is in the weeds trying to prepare for this. I also know that Grégoire Michel has included this in an ideas forum. Any update or active project from the Marketo side of things?