7 Replies Latest reply on Apr 23, 2018 7:49 AM by Michelle Miles


    Vineela Maram

      Hi All,


      As part of our GDPR prep, I have come up with few scenarios on how we obtain and  could process our data in compliance with GDPR. I would really appreciate your inputs and correct me if I am doing something wrong.

      Below are the fields that I have created for this purpose.


      GDPR Consent

      GDPR  Consent date and time

      GDPR Consent  purpose



      Online Lead: Web forms and Marketo forms

      Offline Lead: Manual uploads


      All our Marketo and web forms will have a Checkbox and we will update the above field values if the checkbox is marked. However, I stumbled on few scenarios that I have listed below:


      1. Our CMS that hosts web forms will still pass the information into Marketo even though the checkbox is not marked(if they don’t opt-in) as it is  not a required field and the user will be able to submit the form. Can we have user information who have not opted-in as part of our marketo db?
      2. If I have a returning or existing lead that previously have/have not provided consent, as part of form fill or a manual upload, could we override GDPR values with the new Consent value, date and purpose or should we maintain history?

      Ex: I have a lead who filled out our Marketo form and provided consent and the GDPR values were updated as True etc. In future, if I get the same lead as part of a tradeshow upload or if they fill out our web form, system would override previous value with the new one. Is this ok or should we maintain history by creating additional fields and append all the data for auditing purposes.




        • Re: GDPR
          Josh Hill

          Lots of potential issues. Depends on how you want to handle it.

          • Logs: Marketo logs the form fill data if it occurs directly.
          • Logs: Marketo records CDV
          • Logs: API data will be recorded as well
          • Toggles vs Workflows: yes, you could get booleans that go on/off and it could create scenarios where the person overwrote permission with new value or you ended up with the wrong values. Recommend using the Checkbox Toggle to trigger workflows to handle the above scenarios. We created a separate field "Ok to Email" along with some of the fields you wrote about to ensure that the triggers were re-set, but the scenario of the actual usable value only changed when appropriate.
            • Re: GDPR
              Vineela Maram

              Thanks for your response Josh.


              Our CMS pushes into List and is not captured as Form fill.

              Could you provide with the list of additional fields and recommended approach to take here. Will i need any other field additionally to what you have suggested "Ok to Email"

              I would highly appreciate if you could share your rules so i can replicate some of them for my scenarios.




            • Re: GDPR
              Dan Stevens.

              In addition to what Josh provided, you'll want to be familiar with this as well (since some of this log data is purged after 90 days - and therefore, it will be up to you to capture this in another data warehouse for longer term auditing purposes):


              Marketo Activities Data Retention Policy - Under the Hood

                • Re: GDPR
                  Vineela Maram

                  Thanks Dan.


                  Thanks for pointing that out. I am aware of this and will definitely have to take that into consideration. Do you suggest having some jobs to pull data either using Zap or exporting it into either a db as i think spreadsheet might not be scalable solution.




                • Re: GDPR
                  Michelle Miles

                  Hi Vineela Maram


                  1) It depends if you have Legitimate Interest to retain and process the data. You will need to conduct a Legitimate Interest Assessment with your legal team. For more insights, see my post:  Is Legitimate Interest a Legitimate Loophole for GDPR Consent?


                  2) I would be inclined to overwrite the data recording the most recent consent. The reason is because under GDPR data cannot be kept forever, it can only be kept "as long as necessary". You will need to define this period in your privacy policy when someone provides consent. For example, one year after the last interaction date. Having this more recent opt in will help. I would also track email and data consent separately.


                  I hope this helps,



                  1 of 1 people found this helpful
                    • Re: GDPR
                      Vineela Maram

                      Hi Michelle,


                      Thanks for your reply.


                      I will talk to our Legal team to see if they can add verbiage as part of privacy policy that clearly states purpose of data usage.


                      I was leaning towards  the second option to override the previous consent value and with the latest one. However, to be on a safer side, i also plan to create additional history fields that could capture this information incrementally and have them appended.


                      Still have to figure out best way to export and maintain this data at our end.


                      I would definitely be interested to see how others are implementing rules. Hope to get more ideas during the summit.