In this article, I detail how we solved for GDPR (General Data Protection Regulation) directives that came down from a client’s legal team. With GDPR right around the corner, a lot of clients are asking how we can ensure Pardot is configured to meet these new requirements for EU Prospects and Customers.

While this client in this article does not actively solicit or do business in the EU, they do get visitor and prospect activity events logged in Pardot. They want to make sure they’re ahead of the regulation, and potential changes to other Countries, including the US.

GDPR goes into effect on 5/25/2018, and puts regulatory teeth behind existing data protection guidelines. Specifically, the client’s marketing team was tasked with:

• Configuring marketing data and activities to be compliant with GDPR, and
• Documenting compliant processes and procedures

The client uses both Salesforce and Pardot to store Prospect and Customer data, and while the scope of this article is focused on compliance with marketing data and activities, it should be noted that sales side data and activities are impacted by GDPR as well.

Please note! This article should NOT be construed as legal advice, nor what your company should be doing with regards to GDPR compliance. Rather, it’s a technical explanation of how to use Pardot features and functionality to achieve this client’s GDPR directives per their legal team.

Here is a summary of the GDPR directives:

• Ensure all web assets provide a way for EU Visitors and Prospects to opt out of tracking (cookies)
• Ensure all existing EU Prospects have confirmed opt-in (explicitly) before future marketing activities are enabled
• Ensure all future EU Prospects have the ability to confirm opt-in (explicitly) before any future marketing activities are enabled
• Provide a method for new and existing EU Prospects to 1) access the company’s position statement on data privacy (and specific GDPR language), and 2) request data deletion and/or data portability
• Ensure an audit trail of opt-in or opt-out activities to support interactions with EU Prospects

To start, we had to understand where Pardot fits in with GDPR compliance. This is Pardot’s position on GDPR. A couple of concerns (as of this publishing)…

• Right to be forgotten. Currently Pardot does not permanently delete record data. Anything “deleted” goes into the Recycle Bin and remains there forever. While Pardot is addressing this, their workaround is to create a ticket and request that specific records be permanently deleted. Pardot Users cannot do this themselves.
• Data Portability. If someone were to request a download of all of their marketing data, this would be complicated task! There is no export function on the Prospect record to make this easy. You would literally have to download each activity type that Prospect has been associated with into a CSV file and isolate that User. Hopefully Pardot (and Salesforce CRM) create a portability function to make this easier!
• Consent. Pardot details how to create a confirmed opt in process, which we leverage, but there is no baked in “double opt in” process yet.

We segmented the work ahead into the following efforts:

• Website session tracking compliance
• Company’s statement on data privacy and method for requesting data deletion and/or portability
• New EU Prospects going forward
• Existing EU Prospects

Website Tracking Opt-in

If you haven’t set this up in your Pardot Org, this is an easy win. You’re providing website visitors with an opt-in option for allowing cookies to track activities. This is required in the EU, but not a bad statement on your part to enable this everywhere.

Go to Admin | Overview, and click on the Edit Tracking Opt-in Preferences button. Click on the “Request opt-in if a visitor comes from specific countries”, and select European Union. You can also apply this to other Unions and geographical areas.

This adds a pop-up to the website when anyone visits from these Countries, giving that visitor an option to turn off cookie tracking.

Company Statement of Data Privacy Policy and GDPR Compliance

This client created a navigation link on all of their website assets specific to data privacy and linked to a discoverable page from their website based on direction from their legal team.

To process data deletion and portability requests, we created a Pardot Form that routed all submissions to the Compliance Officer in the company via notification. The Prospect was added to a Suppression List to ensure no marketing activities would result from the form submission (more on this below).

Lastly, they put into place a way to process the request. Here are the fields they used on the Form:

• First Name
• Last Name
• Email Address
• Country (we can infer Country from a submitters IP address via this setting in Pardot, but we wanted to explicitly require the country of selection)
• Request Type (data deletion, data portability)
• Confirmed Opt In (boolean field for future marketing)
• Comments

Keep in mind, this is a manual process until we have built in functionality in which we can process the request via workflow. The form is submitted and the Compliance Office processes the request and communication with the requestor. They are also removed from future marketing Lists and activities if they indicated FALSE on the Confirmed Opt In field.

We also append a link to this page on all future emails going out (in addition to email preferences and subscriber opt out links).

With this process, the client feels comfortable that they are adhering to the GDPR requirements around right to be forgotten and data portability.

New EU Prospects going forward

The following actions were taken to ensure all NEW Prospects coming into the client’s Pardot Org were 1) aware of the data privacy policy and 2) had the ability to confirm opt in provided they were from an EU country. It could be argued that this is a good policy for all Pardot Prospects, but the focus was on EU based Prospects.

Since most Prospects are created in this client’s Pardot Org via Pardot Form, we made the following changes to the Form processing and actions based on EU status. (We did not address records being synched down from Salesforce via the Connector, or imports into Pardot).

• First, we made the Country field a required field on all Forms. We need to know where submissions are coming from.
• Next, we removed all completion actions from the Form respective to Lists and Email Auto-responders and built Automation Rules to process based on 1) Country of indication, and 2) Confirmed Opt In boolean field values.
• Next, we set a completion action on all Forms that adds the Prospect to a Static List called “Unconfirmed Opt Ins”.
• Automation Rules:
  • (Rule #1) If the Submitter completed the Form (any Form) and indicated they were from an EU Country (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.), they received an auto-responder email with the following content and action:
    • Company’s position on data privacy and GDPR compliance
    • Confirm Opt In Button (Custom Redirect)
  • (Rule #2) If the Prospect clicked on the Confirm Opt In Button (along the lines of this article here),
    • The Confirmed Opt In boolean field was set to true via Completion Action
    • The Prospect was removed from the Unconfirmed Opt Ins List via Completion Action
  • If the Prospect did not click on the Confirm Opt In Button,
    • The Confirmed Opt In boolean field was left “as is”
    • The Prospect was not removed from the Unconfirmed Opt Ins List
• These two Automation Rules per Form allowed the client to tailor their message in context with the Form, and provide the new Prospect with access to the data privacy policy and confirm opt in at the same time. Going forward, the Unconfirmed Opt In List is applied to any outgoing email and nurture campaign to ensure all new Prospects are marketed to in accordance with their Confirmed Opt In indications.

Existing EU Prospects

Lastly, we dealt with the existing Prospect database specific to those who are from EU countries. We built a Dynamic List where Country contains (the EU countries) and created an email with the following content:

• Added everyone from the Dynamic List to the Unconfirmed Opt In List via Segmentation Rule
• Company’s position on data privacy policy and GDPR regulations, with a link to the corporate page (and Pardot Form for data requests)
• Confirmed Opt In Button (Pardot Custom redirect)
• We re-used the same Automation Rule (#2) where if they clicked on the Confirmed Opt In button (tracked link), we
  • The Confirmed Opt In boolean field was set to true via Completion Action
  • The Prospect was removed from the Unconfirmed Opt Ins List via Completion Action
• This allowed the client to complete the backlog of EU based Prospects and expose them to the Company’s data privacy policy and confirm opt in at the same time.

Again, we applied these four actions specific to EU Prospects pursuant to an aggressive stance, but could have easily expanded these same constraints to every Prospect.

This certainly cut into the number of marketable Prospects the client had to work with, but they felt the impact was worth the risk of penalties for non-compliance.

Hopefully this gives you an idea how to technically construct your marketing operations inline with a similar stance on GDPR your company may adopt. If you’re looking to implement GDPR compliance with your company’s policy before the deadline, let us know how we can help!

We didn’t cover Sales side impact (Salesforce CRM), but since there is a synergistic relationship between Salesforce and Pardot, it’s worth exploring compliance with your sales data and processes. Salesforce’s position is here, as well as a Trailhead article.