3 Replies Latest reply on Jul 11, 2018 1:54 PM by Grace Brebner

    GDPR Compliance Question

    Eric Salalmon

      I've spoken to a lawyer, but my VP of marketing wants Marketo best practices in this matter.


      Marketing is only done from the Marketo Database, calls are made from SFDC Database. If a person in GDPR opts out from being communicated they are marked as opted out that is passed to the appropriate field in SFDC, if they request to not be followed they are removed from the Marketo Database. The SFDC DB is for Business performance as well as sales leads for tracking campaign success/failure not for marketing purposes.


      Should the people who opt out be removed from the SFDC DB and all campaign monitoring be removed as well, or should there be a notation added to the campaign that they can not be contacted due to GDPR compliance?


      What would be the Advised Marketo Best Practice be in this situation?

        • Re: GDPR Compliance Question
          Grace Brebner

          Obligatory "I am not a lawyer, blah blah blah"


          My general approach to these types of things is that your system response should be as reflective as possible of the intent of the customer. In order for you to get a good sense of the intent of the customer, you need to make sure that the process is very clear and transparent to them.


          So a process that just says "opt out of our company" is a hard one to really gain a transparent view of intent on - what this means is a bit up to interpretation - they could just mean "I just don't want promotional emails anymore", or they could mean "delete all my data and don't come within 50ft of me for the rest of my life".


          A process that says unsubscribe me from marketing emails from this company is much clearer - if you tick that box, you are withdrawing consent to marketing emails, not other forms of marketing and not requesting data removal, so we will unsubscribe you, but not delete your data.


          That's not to say we prevent you from opting out/requesting removal from other features, but rather that we have separate clear processes around how those things are done, make those processes readily accessible with links to our privacy centre in comms/on website, and a dedicated contact form for more complex/comprehensive requests like that.


          I think of it kind of like the opt in process inverted - just as we should be very transparent about what people are opting into, we should do the same in opting out.


          But again - I am not a lawyer...

            • Re: GDPR Compliance Question
              Eric Salalmon

              Thanks for your insight. Also based on what you said you should be careful, because if you specify that they can only be removed from email; you will need to specify if and how they can be removed from the phone list and if you go that far you will need to specify how the data erasure should happen.


              My question wasn't so much about the removal of the individual as much as the business tracking data for campaign history to make decisions on future trade shows and events.The individual is attached to campaigns. We can't really track that person if they request to not be tracked, but data for historical research of event effectiveness should be safe, based on lawyer and articles found online, I was just curious how people managed this concept.


              If a person asked to be removed, do you remove that historical data on events? What the impact has been for those who have. What process do you use? do you create a separate list with in the system that you can use to cross-reference the data?

                • Re: GDPR Compliance Question
                  Grace Brebner

                  Oh yes absolutely - you're right abut ensuring that it's clear how they can opt out to other forms of marketing. My intention is more to make the point that those opt out points should avoid being vague


                  To your point on the data removal - this has been a topic of quite a lot of conversation in the community. If the advice that you've received is that historical data is safe as long as it's not attached to personally identifiable information, that'd be consistent with my understanding. The current problem is how to detach the PII. At this point - again, I'm not a lawyer, but this is my understanding - if a person requests explicitly to have their data removed, then your two options are either a) destroy everything or b) anonymise everything. Unfortunately, Marketo doesn't currently support anonymisation - there is a highly upvoted idea for it though: GDPR and Privacy: "anonymize person" flow step.


                  Since there's no real way of achieving (b) right now, (a) is really the only solution right now for most people - which means you will lose that historical data. So it kind of loops you back to making sure that the process for data removal requests is clearly separated from unsubscribes, etc, because while we should be making sure people can request it (as is their right), we want to ensure that we can present other solutions first so that we can keep those requests to a reasonable minimum.


                  If anyone's found a simple means of achieving (b) currently I'd be super keen to hear it