As a company operating in the EU (and globally), we're trying to get prepared for GDPR and keep getting stuck in the same place. We can't ever avoid our data being transferred outside of the EU because 1. Marketo is hosted in the USA (correct?), and 2. we have multiple regions across the globe using the same instance.
As GDPR dictates that we need to be explicit in how we handle contact data, our Data Protection Officer had previously advised that we should have a checkbox on all forms which says 'I agree that my personal information can be made available to Argus Group companies and Argus services providers outside of the EEA'. Sounds fine in principle, but essentially, even if they don't check that box and submit, their data will still be available to other regions - we can't physically lock it down, can we? And often wouldn't want to, as we run cross-regional campaigns.
What to do in this scenario? We can't make people check the box just to be able to submit the form. Equally, we don't want to stop people accessing the info behind a form, just because they don't want their data to be made available outside of the EEA. Want to avoid changing forms individually and go for a one-size-fits-all sort of approach.
Any feedback on what similar companies are doing would be great. Are we worrying unnecessarily?