4/28/18
In this article, I detail how we solved for GDPR (General Data Protection Regulation) directives that came down from a client's legal team. With GDPR right around the corner, a lot of clients are asking how we can ensure Pardot is configured to meet these new requirements for EU Prospects and Customers.
While the client in this article does not actively solicit or do business in the EU, they do get visitor and prospect activity events logged in Pardot. They want to make sure they're ahead of the regulation, and of potential changes in other countries, including the US.
GDPR goes into effect on 5/25/2018, and puts regulatory teeth behind existing data protection guidelines. Specifically, the client's marketing team was tasked with:
The client uses both Salesforce and Pardot to store Prospect and Customer data, and while the scope of this article is focused on compliance with marketing data and activities, it should be noted that sales side data and activities are impacted by GDPR as well.
Please note! This article should NOT be construed as legal advice, nor what your company should be doing with regards to GDPR compliance. Rather, it's a technical explanation of how to use Pardot features and functionality to achieve this client's GDPR directives per their legal team.
Here is a summary of the GDPR directives:
To start, we had to understand where Pardot fits in with GDPR compliance. This is Pardot's position on GDPR. A couple of concerns (as of this publishing)...
We segmented the work ahead into the following efforts:
Website Tracking Opt-in
If you haven't set this up in your Pardot Org, this is an easy win. You're providing website visitors with an opt-in option for allowing cookies to track activities. This is required in the EU, but it's not a bad statement on your part to enable it everywhere.
Go to Admin | Overview, and click on the Edit Tracking Opt-in Preferences button. Click on the "Request opt-in if a visitor comes from specific countries" option, and select European Union. You can also apply this to other unions and geographical areas.
This adds a pop-up to the website when anyone visits from these Countries, giving that visitor an option to turn off cookie tracking.
Company Statement of Data Privacy Policy and GDPR Compliance
This client created a navigation link on all of their website assets specific to data privacy and linked to a discoverable page from their website based on direction from their legal team.
To process data deletion and portability requests, we created a Pardot Form that routed all submissions to the Compliance Officer in the company via notification. The Prospect was added to a Suppression List to ensure no marketing activities would result from the form submission (more on this below).
Lastly, they put into place a way to process the request. Here are the fields they used on the Form:
Keep in mind, this is a manual process until we have built-in functionality with which we can process the request via workflow. The form is submitted, and the Compliance Officer processes the request and handles communication with the requestor. The requestor is also removed from future marketing Lists and activities if they indicated FALSE on the Confirmed Opt In field.
We also append a link to this page on all future emails going out (in addition to email preferences and subscriber opt out links).
With this process, the client feels comfortable that they are adhering to the GDPR requirements around right to be forgotten and data portability.
New EU Prospects going forward
The following actions were taken to ensure all NEW Prospects coming into the client's Pardot Org were 1) aware of the data privacy policy and 2) had the ability to confirm opt in provided they were from an EU country. It could be argued that this is a good policy for all Pardot Prospects, but the focus was on EU based Prospects.
Since most Prospects are created in this client's Pardot Org via Pardot Form, we made the following changes to the Form processing and actions based on EU status. (We did not address records being synced down from Salesforce via the Connector, or imports into Pardot.)
Existing EU Prospects
Lastly, we dealt with the existing Prospect database specific to those who are from EU countries. We built a Dynamic List where Country contains (the EU countries) and created an email with the following content:
Again, we applied these four actions specific to EU Prospects pursuant to an aggressive stance, but could have easily expanded these same constraints to every Prospect.
This certainly cut into the number of marketable Prospects the client had to work with, but they felt the impact was worth the risk of penalties for non-compliance.
Hopefully this gives you an idea of how to technically construct your marketing operations in line with a similar stance on GDPR your company may adopt. If you're looking to implement GDPR compliance with your company's policy before the deadline, let us know how we can help!
We didn't cover Sales side impact (Salesforce CRM), but since there is a synergistic relationship between Salesforce and Pardot, it's worth exploring compliance with your sales data and processes. Salesforce's position is here, as well as a Trailhead article.