The Buzz Word ‘GDPR’

Rikke Hovgaard 10. April 2018 Marketing, Spring 18 2

If you are involved in any technology implementation or if you store any data about your contacts I am sure you have heard the word “GDPR”. Implementing marketing automation solutions and working in Europe I sure have heard of “GDPR”. When I heard the word the very first time I thought, I don’t have to worry about that, but as I’ve learned more about what it is I realize I do need to worry about it and so should you.

I don’t want to go into the details of what GDPR is, there are plenty of sources for that online (I like this one). But in short, GDPR stands for “General Data Protection Regulation”, it’s a new European law that aims to address privacy and data protection issues and protect us as citizens. The idea for us as European citizens is great because let’s be honest we have data about our behavior, our likes, and dislikes, who we are and so much more stored with different companies since most companies are data-driven. However, we don’t have any insight or real control over that data though it is about us. GDPR aims to correct this. But what does that mean if you are collecting data about your users or customers? Well, you now have a set of rules you need to obey by May 25th, 2018 or pay up.

My aim for this blog post is not to explain what GDPR is; there are many people who are more capable and qualified to do that. If you want to read more about GDPR in a Salesforce context I can recommend the following sites:

What I would like to address is how this affects Salesforce marketers. I’ve done my research looking at the above sites and attended a few webinars, but I do have to say I am not a certified GDPR Practitioner. This post focuses on how you as a marketing user can ensure you are GDPR compliant in terms of your marketing efforts. There are many more elements to GDPR, so if you are wondering how to become GDPR compliant on a broader level, consult with a GDPR Practitioner. And to make sure that you are 100% compliant, I would recommend that you have any changes, including those you may take from this blog, reviewed by a certified GDPR Practitioner. As I am not certified I cannot take on the responsibility of you being GDPR compliant; besides, the rules may have changed or be interpreted differently for your business.


In any marketing department, you collect information about your prospects and customers in order to better target content and offers to them. While it’s perfectly okay to ask for information, with GDPR you need to justify the information you are asking for. One way this information is collected is through forms. It has never been best practice to ask for 15 pieces of information when someone downloads a whitepaper; now the law also prohibits you from doing so.

Implementation Tasks

One major task for you to be GDPR compliant is to go through every single one of your forms and make sure you only ask for information you can justify your need for. For instance, do you really need a date of birth for your contacts in a B2B context? However, the task doesn’t stop here: make sure that the forms collect consent as well, which is covered below.


While collecting information about your prospects and contacts is okay, there are two things to remember:

  1. consent needs to be given for you to store their data,
  2. consent for marketing purposes is not automatically given.

When collecting a contact’s details, they need to give you specific consent for you to contact them. But that consent does not last until the end of time either; it is given for a limited time. GDPR will not determine the timeframe, so you need to be able to justify the timeframe you set. And finally, you need to remember to specify what they are giving consent to in a privacy and consent statement in your form, which most likely is linked to your preference center.

Introducing this concept of consent, of course, means that you would need to:

  1. only email those that have given consent for you to email them and,
  2. not email those prospects and contacts where the consent has expired.

Implementation Tasks

Consent is something that doesn’t natively come out of Pardot and Marketing Cloud with the exception of how global opt-out is handled, which of course still applies. However, there are ways to implement a flow that allows you to be GDPR compliant in regards to consent.

  • Create a consent field to hold the right to store data, this is typically the privacy statement.
  • Create one or more consent fields for each type of consent (email, phone, SMS etc.) and a related timestamp as well as expiration for each consent field.
  • Create rules to update the consent fields as well as their related timestamp and expiration fields.
  • Update forms to include the different types of consent.
  • Create a suppression or exclusion list for anyone where the consent is not given or has expired.

As Pardot and Marketing Cloud are rarely used without Salesforce, make sure that consent data is kept in sync between Pardot/Marketing Cloud and Salesforce. Also be aware that the standard opt-out field in Salesforce is linked to the global opt-out function in Pardot and Marketing Cloud. Hence you want to make sure that this field is not checked unless you truly mean to opt them out of everything.

Verification Process

As mentioned there are two types of consent needed; privacy agreement and marketing consent. Where the consent to store data can be mandatory the marketing consent can’t. And it’s good practice to verify that the marketing consent given is accurate – this is where the much hated double opt-in process comes into play. When I say much hated it’s because I often get the feedback from marketers that “we can’t email as many”, while that is true that doesn’t mean more people will engage with you. If people have confirmed their subscription they will most likely engage with you on a higher level.

Implementation Tasks

We already talked about the different types of consent fields that are needed above, which is what we can extend on for the verification process.

  • Create a marketing verification field also known as the double opt-in field.
  • Create an email template with a tracked link to update the double opt-in field.
  • Create a rule to send the email if marketing consent is given but it hasn’t been verified.

Preference Center

Since GDPR is about giving control to the individual, it seems only natural for marketers to implement a preference center if they do not already have one. This allows the individual to opt in and out of different streams of communication rather than simply opting out of all email communication, which places them on the global opt-out list. A preference center is also a brilliant place for the individual to maintain their information such as interest area, the spelling of one’s name etc. Evaluate what information is changeable in the preference center; some information is too personal to expose on an open preference center. Instead, you may want to consider having those changes made in a community where the individual is forced to sign in first to verify the right to access and change that data.

If you already have a preference center implemented I would still evaluate how it is being used and if you need to make any optimizations. Maybe the communication streams you have on the preference center do not match the actual communication you carry out. Or maybe you don’t even listen to the preferences given and send any and all communication that you see fit. The key point is that you respect the choices of your subscriber, so if they have opted out of the product communication stream, then do not email them about it.

Implementation Tasks

Depending if you are using Marketing Cloud or Pardot there are different ways to create a preference center. In Marketing Cloud you can use the default preference center, but in my experience, most companies rarely do simply because it’s not changeable and it often doesn’t match the company’s visual identity. So all the implementations I have been part of have created a custom preference center using either cloud pages or Pardot only really has the default one, however, you can modify the layout template to make it have the look and feel as your website. You can even do a smaller hack and include a form in the layout template, allowing the user to update their email preferences as well as their personal details.

  • Make sure to create lists and/or fields to match the communication streams a subscriber can opt in to. Pardot demands you use lists, whereas you can technically use both in Marketing Cloud. I’ve also seen scenarios where Pardot list opt-ins should be available in Salesforce fields. In that case, you would need to use automation rules to make sure that lists and fields are in sync.
  • Create any other fields you want available in the preference center. A typical example goes back to the types of consent and allowing for the subscriber to define opt-in and out of phone communication.
  • Review existing lists/segmentation and make sure they are based on the selections from the preference center.

And if you have a preference center already you should still review it looking at the same points as if you were to implement a new preference center.

Consent Expiration

Since consent can expire you want to make sure that you have a way to regain it – preferably before you lose it! Remember this is only really for the marketing consent. If there are contractual reasons for you to email them then you are of course allowed. Most marketing automation tools will have a way of doing this and I would recommend having a journey in Marketing Cloud or an Engagement Program in Pardot set up to regain the consent.

If you do not manage to extend the consent, you need to make sure you do not email them once the expiration date has passed, either by adding them to a list or by opting them out. Personally, I prefer the first one as it makes it easier if they at a later stage do wish to receive marketing communication again.

Implementation Tasks

The only thing that is actually required here is to make sure you don’t email anyone where the marketing consent has expired. But why not see if you can extend the consent.

  • Create a suppression/exclusion list for all prospects where the expiration date is in the past.
  • Remember to use this suppression list.
  • Create one or several automated emails with a trackable link to update consent if clicked.
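
The consent fields, double opt-in check and expiration-based suppression list described in the sections above can be expressed as one eligibility rule. This is an added example, not code from the original post or from Pardot, Marketing Cloud or Salesforce; the field names, the 30-day renewal window and the choice to suppress records with no expiration date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Prospect:
    # Hypothetical field names; map them to your own custom fields.
    email: str
    privacy_consent: bool                  # consent to store data
    email_consent: bool                    # marketing consent, email channel
    email_verified: bool                   # double opt-in link clicked
    email_consent_expires: Optional[date]  # expiration of the email consent
    global_opt_out: bool = False           # standard opt-out: suppress everything

RENEW_WINDOW = timedelta(days=30)  # assumed lead time for the regain-consent emails

def email_status(p: Prospect, today: date) -> str:
    """Classify one prospect as 'suppress', 'verify', 'renew' or 'send'."""
    if p.global_opt_out or not p.privacy_consent or not p.email_consent:
        return "suppress"
    # A missing expiration date is treated like an expired one (fail closed).
    if p.email_consent_expires is None or p.email_consent_expires < today:
        return "suppress"
    if not p.email_verified:
        return "verify"   # only the double opt-in email may be sent
    if p.email_consent_expires - today <= RENEW_WINDOW:
        return "renew"    # still mailable, also enters the regain-consent flow
    return "send"

def build_lists(prospects, today):
    """Group prospect emails by status; 'suppress' is the exclusion list."""
    lists = {"suppress": [], "verify": [], "renew": [], "send": []}
    for p in prospects:
        lists[email_status(p, today)].append(p.email)
    return lists

# Constructed sample data, not real records.
TODAY = date(2018, 5, 25)
SAMPLE = [
    Prospect("a@example.com", True, True, True, date(2019, 5, 1)),
    Prospect("b@example.com", True, True, False, date(2019, 5, 1)),
    Prospect("c@example.com", True, True, True, date(2018, 6, 10)),
    Prospect("d@example.com", True, True, True, date(2018, 5, 24)),
    Prospect("e@example.com", True, False, False, None),
    Prospect("f@example.com", True, True, True, date(2019, 5, 1), global_opt_out=True),
]

if __name__ == "__main__":
    for name, emails in build_lists(SAMPLE, TODAY).items():
        print(name, emails)
```

Running the same rule against an export of your database before each send shows whether the suppression list in the tool actually matches the consent fields.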

What about my existing database?

This is a fun one. You have now implemented a flow for all new prospects to gather consent and make sure you are GDPR compliant in a marketing context, but what about all the prospects you already have in your database? Well, I would recommend that you start gathering that consent. You can create an engagement program or a journey to collect and capture consent. But I would also say take this as a chance to “clean up”: if you have prospects you haven’t emailed in over a year or who haven’t engaged with you in over a year, then it may be time to say “goodbye”. Once you have the clean up done, that is when I would put the remaining prospects on a consent journey telling them that you want to make sure you have their consent and know what communication they want to receive going forward. Be creative! Personally, I like the emails that are a little cheeky, but either way make sure you explain why you are doing this as well. I have only gotten one GDPR email so far (I obviously hope to get more) from my friends at Jitterbit and I quite liked how they explained it.

Be Creative

With the new set of rules as you might have noticed you are becoming restricted. You cannot just gather all the information in the world and use it as you please. You can no longer assume you have the consent just because a prospect has shown interest in an event. You may think “this is [insert bad word]”. But remember if a prospect has given their consent and this has been confirmed, they are more likely to engage in your communication than if you email them because you think you have an offer they cannot refuse. Hence your email open and click rate should improve.

So what does that mean for the marketer? Well, I say “be creative”. By this, I don’t mean find the gray areas, which I am sure there are plenty of. Instead, I mean think of ways to convince your prospects that they need to give their consent. Maybe you can create specific journeys tailored to their needs. If I were to convince my readers to give me consent to email them I could convert this blog into a Pardot Engagement Program or a Marketing Cloud Journey that contains a flow of emails sent to subscribers educating them on GDPR in terms of forms, consent, verification process etc. including tasks to complete. Now that is not the purpose of my blog, so all this content is for free and ironically not hidden behind a form like other GDPR content I’ve seen. Enjoy!


2 thoughts on “The Buzz Word ‘GDPR’”

  • 1
    Chuck Henrich on April 19, 2018 Reply

    Really helpful article with practical tips for GDPR compliance. While the specific focus is on Salesforce, the processes of collecting, managing, using data are common across all sorts of applications and organisations. Thanks!

    • 2
      Rikke on April 19, 2018 Reply

      Thank you! And yes, you can apply it to any of the marketing automation tools. However, GDPR is more than marketing, so make sure you go through how you store data, establish processes for giving prospects access to their data and for deleting data etc.
