GDPR is now fully enforceable and individuals can now specify how their data is used. Have you prepared for the different data rights scenarios in your database?
It is likely that within your database, you’ll have varying levels of data processing rights. Common scenarios you’ll need to account for in your data rights center Marketo program include:
- Personal data to maintain and use – this encompasses both consent & legitimate interest.
- Personal data to use for a limited time period, such as access to a webinar or event.
- Personal data to maintain and use for limited purposes, such as only for transactional or account communications, and not for marketing messages or scoring.
- Lapse in consent or legitimate interest. This could be time or action based.
- Offline consent given, perhaps from direct mail, a live event, a phone conversation or a personal meeting.
There are many options and your data rights center needs to accommodate all the scenarios.
Building a Data Rights Center
Just as you have a subscription center in Marketo, you’ll also want to build out a data rights center, detailing the rights you have to retain and process data, encompassing the scenarios previously mentioned.
To do this, there are a number of fields I find helpful and useful to retain:
- Most recent activity date, most recent activity detail – important for supporting the “as long as necessary” data storage clause
- GDPR data rights (Y/N) plus rights DateTimestamp – again supporting the “as long as necessary” clause
- GDPR data rights source and notes – good for recordkeeping and for use in smart list filters to limit processing, or to define your audience for wake the dead (WTD) nurtures, whitelisting, or data deletion.
If this sounds like a lot, it is. But remember, GDPR loves documentation! If you’re ever subject to a compliance inquiry, you’ll be in a better position by having a complete data trail.
Data Rights Campaigns
In the example above, these fields are populated if you have full data consent acquired with opt-in email consent. You would use something like this flow for populating fields with either consent or legitimate interest.
When setting up the smart list, remember, email consent CAN constitute data consent. And if you are claiming legitimate interest, be sure to consult with your legal team first. If going this route, you would set up a similar smart campaign for legitimate interest as defined with legal, such as legitimate interest via sales activity or an active contract.
In the data flow, populate each of the fields outlined. In this example, the data rights source is populated with the email opt-in source description. Then in the notes, categorize this as “opt in email consent.” It’s useful to have different fields for source and notes as the source could explain why you have legitimate interest or where consent came from. You can then populate your notes section with common phrases you can use in filters, such as “limited processing consent – no scoring” or “retain for 30 days only”. This helps adapt to the various data rights scenarios.
When establishing rights lapses, timestamps are important: review the consent date and the most recent engagement. You might discover it’s time to send a whitelisting or wake the dead nurture to these records! If consent or legitimate interest does lapse, you’ll need campaigns to properly process the records, either deleting them or marketing suspending them as appropriate.
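One way to express the lapse review described above as logic over an exported list of records. This is an added example, not part of the original post or a Marketo feature; the field names, action labels and the 730-day and 60-day windows are assumptions to replace with values agreed with your legal team.

```python
import re
from datetime import date, timedelta

# Assumed policy values (not from the post); set these with your legal team.
LAPSE_DAYS = 730  # rights lapse after this long without consent or engagement
WARN_DAYS = 60    # start a re-permission nurture this long before the lapse
RETAIN_RE = re.compile(r"retain for (\d+) days only", re.IGNORECASE)

def evaluate(record, today):
    """Return (action, scoring_allowed) for one exported record (a dict)."""
    notes = record.get("rights_notes") or ""
    scoring_allowed = "no scoring" not in notes.lower()
    rights_date = record.get("rights_timestamp")
    # No documented rights, or no timestamp to prove them: treat as lapsed.
    if record.get("data_rights") != "Y" or rights_date is None:
        return "delete_or_suspend", False
    # Limited-time rights recorded in the notes override the general window.
    m = RETAIN_RE.search(notes)
    if m:
        expires = rights_date + timedelta(days=int(m.group(1)))
        return ("delete_or_suspend", False) if today > expires else ("ok", scoring_allowed)
    # Otherwise the clock runs from the later of consent and last engagement.
    last_seen = max(rights_date, record.get("last_activity") or rights_date)
    age = (today - last_seen).days
    if age > LAPSE_DAYS:
        return "delete_or_suspend", False
    if age > LAPSE_DAYS - WARN_DAYS:
        return "re_permission_nurture", scoring_allowed
    return "ok", scoring_allowed

# Constructed sample records; field names are hypothetical.
SAMPLE = [
    {"email": "a@example.com", "data_rights": "Y", "rights_timestamp": date(2018, 5, 25),
     "last_activity": date(2020, 3, 1), "rights_notes": "opt in email consent"},
    {"email": "b@example.com", "data_rights": "Y", "rights_timestamp": date(2018, 6, 15),
     "last_activity": date(2018, 7, 1), "rights_notes": "opt in email consent"},
    {"email": "c@example.com", "data_rights": "Y", "rights_timestamp": date(2020, 4, 1),
     "last_activity": date(2020, 5, 20), "rights_notes": "retain for 30 days only"},
    {"email": "d@example.com", "data_rights": "Y", "rights_timestamp": date(2020, 2, 1),
     "last_activity": date(2020, 5, 10), "rights_notes": "limited processing consent – no scoring"},
    {"email": "e@example.com", "data_rights": "N", "rights_timestamp": None,
     "last_activity": date(2020, 5, 30), "rights_notes": ""},
]
TODAY = date(2020, 6, 1)  # fixed so the results are reproducible

def run(records=SAMPLE, today=TODAY):
    return {r["email"]: evaluate(r, today) for r in records}

if __name__ == "__main__":
    print(run())
```

Because the notes phrases drive the outcome, keep them to a fixed vocabulary so the same filter matches every record.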
Building a Preference Center to Manage Individual GDPR Rights
Finally, you’ll also want to build a Preference Center to automate how you’ll process requests from consumers exercising their individual GDPR rights, including:
- Opt-in and unsubscribes
- Data exports and transfers
- Data breach notification
- Policy requests
- Data erasure
Want more actionable tips plus other helpful GDPR resources?
Download our Ultimate GDPR Toolkit, which contains:
- The on-demand recording of my Marketo Summit breakout session, “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations.”
- Our new GDPR LookBook, chock full of creative suggestions and visual examples for post-GDPR marketing
- The Marketo Client’s Guide to GDPR Compliance
- GDPR FAQ eBook: Legal Questions. Straightforward Answers.
- GDPR Data Processor Compliance Assessment