Understanding & Working with the GDPR


Page 1: Understanding & Working with the GDPR

Understanding & Working with the GDPR: Engaging Your EU Audience

Matthew Fischer, Associate General Counsel, Chief Privacy Officer

The European Union (EU) legislation discussed in this webinar, the General Data Protection Regulation (GDPR), is broad in scope and compliance will vary greatly between organizations. Your own legal team will need to offer counsel as it relates to your business. This webinar is provided for informational purposes. It should not be relied upon as legal advice.

Peter Bell, Senior Director, EMEA Marketing

© Marketo, Inc.

The GDPR – An Overview

• Objective: strengthen the rights of EU citizens with regard to how their personal data is used and protected.

• “Personal data” means any information that relates to an identified or identifiable natural person.

• The GDPR is structured around 6 key principles (detailed in Article 5 of the legislation):

1. Lawfulness, Fairness & Transparency

2. Purpose Limitation

3. Data Minimization

4. Accuracy

5. Storage Limitation

6. Integrity & Confidentiality


The GDPR – An Overview

• Applicability - The GDPR applies to any organization

• Inside or outside the EU that markets goods or services to, and/or tracks the behaviors of, EU citizens

• That does business with Europeans that involves the processing of their personal data

• Accountability - Controllers must be able to demonstrate how compliance with the principles is being managed and tracked

• Maintain records of how and why personal data was collected and document the processes put in place to protect it

• Penalties - Fines for non-compliance are significant

• The maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater


The GDPR – Marketo’s Commitment

• Marketo understands the importance of putting privacy and data protection in the hands of the data subject.

• As with other data protection laws, GDPR compliance requires commitment from both Marketo and our customers.

• Marketo will be in compliance with the GDPR by May 25th, 2018 and Marketo's services already include the functionality necessary for our customers to comply with the GDPR's consent requirement.


The GDPR & the Marketer

• This is an opportunity to execute higher-quality marketing by respecting the rights of our customers and, in doing so, earning their trust.

• To build and maintain that trust we, as marketers, need to be attuned to how, when and why our customers want to be engaged, and to respect their preferences.

• There are two key areas where Marketing needs to review past, current and future practices.

• Consent by the individual to use their personal data

• Accountability, namely being able to demonstrate how you comply with the principles of the GDPR.

• How Marketing addresses these higher expectations around the collection, use and security of the personal data that is routinely used in the course of your work is key.


Implications for Marketing

• Link to online Privacy Policy/Notice/Statement on every form

• If personal data is obtained from sources other than the data subject, such as third party data providers, you must provide some additional information about the data and source. Refer to Article 14 if applicable.

• Consent Fields Added to Every Form

• Lead Fields for Documenting Consent:

• Consent to Processing

• Consent Last Updated

• Consent Notes (purpose of processing and history of consent provided should be documented here)

• GDPR Consent Operational Program

• Correspondence Opt-Out (subscription center)

• Link that enables Web Tracking / Cookie Opt-Out


Privacy Policy/Notice/Statement

• The identity and contact details of the controller and, if applicable, its EU representative and DPO

• The purpose of the processing and legal basis for the processing

• The recipients or categories of recipients with whom the data is shared

• Information on any international data transfers

• The retention period or criteria used to determine the retention period

• A data subject’s rights: the right to access their personal data; the right of correction, erasure; the right to object to and restrict the processing of their personal data; the right to lodge a complaint with a supervisory authority

• The right to withdraw consent at any time (if processing is based on consent)

• Whether the provision of personal data is a statutory or contractual requirement, a requirement necessary to enter into a contract or other obligation, and the possible consequences of failure to provide such data

• The existence of automated decision-making, including profiling, and information about how decisions are made, as well as the significance and the envisaged consequences


Transparency in a Privacy Notice

• The information in a privacy notice must be:

• Provided in a format that is concise, transparent, intelligible and easily accessible

• Written in clear and plain language

• Provided free of charge


Consent: Additional Lead Fields

• Consent to Processing: this value will contain ‘yes’ or ‘no’ based on consent given

• Consent Last Updated: this value will contain the date and time the GDPR Consent field was updated.

• Consent Notes: this value will contain any notes and should capture:

• The purpose of processing for which consent was obtained,

• The way in which consent was obtained (e.g. ticked box online, in person at event),

• Previous consent purposes

• Note: This field can be split according to user preference.


Consent: Scenarios

• Collecting customer Personal Data to maintain and use

• Collecting customer Personal Data to use for a time limited period in order to provide access to a resource

• Collecting customer Personal Data to maintain and use for limited purposes

• An individual has provided consent in the past, but wishes to withdraw consent

• An individual wishes to opt-out of Marketo tracking

• Documenting consent provided through alternative means
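One way to model the three consent lead fields from the previous slide and walk through the scenarios above, as an added example that is not Marketo's own code: a small consent ledger in Python. The `purposes` set and `expires_at` field (for the time-limited scenario) are assumptions, not fields the deck names, and the sample data in `run_scenarios` is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    # The deck's three lead fields, plus assumed purpose/expiry fields (not in the deck).
    consent_to_processing: str = "no"                   # 'yes' or 'no'
    consent_last_updated: Optional[datetime] = None     # when the field last changed
    consent_notes: list = field(default_factory=list)   # append-only history
    purposes: set = field(default_factory=set)          # assumption: current purposes
    expires_at: Optional[datetime] = None               # assumption: time-limited consent

    def _log(self, when: datetime, text: str) -> None:
        self.consent_notes.append(f"{when.isoformat()} {text}")
        self.consent_last_updated = when

    def grant(self, purposes, how: str, when: datetime, valid_for: Optional[timedelta] = None) -> None:
        # Earlier purposes are kept in the notes, never overwritten.
        if self.purposes:
            self._log(when, f"previous purposes: {sorted(self.purposes)}")
        self.purposes, self.consent_to_processing = set(purposes), "yes"
        self.expires_at = when + valid_for if valid_for else None
        until = f", valid until {self.expires_at.isoformat()}" if self.expires_at else ""
        self._log(when, f"consent via {how} for {sorted(self.purposes)}{until}")

    def withdraw(self, how: str, when: datetime) -> None:
        # Withdrawal (e.g. via the subscription center) flips the flag and clears purposes.
        self._log(when, f"withdrawn via {how}; previous purposes: {sorted(self.purposes)}")
        self.consent_to_processing, self.purposes, self.expires_at = "no", set(), None

    def may_process(self, purpose: str, now: datetime) -> bool:
        # Only an unexpired 'yes' covering this exact purpose permits processing.
        if self.consent_to_processing != "yes" or purpose not in self.purposes:
            return False
        return self.expires_at is None or now < self.expires_at

def run_scenarios() -> dict:
    # Walks the deck's consent scenarios on constructed sample data; returns the checks.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    r = ConsentRecord()
    r.grant({"ebook"}, "ticked box online", t0, valid_for=timedelta(days=30))  # time-limited
    out = {"ebook_day1": r.may_process("ebook", t0 + timedelta(days=1)),
           "ebook_day31": r.may_process("ebook", t0 + timedelta(days=31))}
    r.grant({"newsletter"}, "in person at event", t0 + timedelta(days=2))  # limited purposes
    out["newsletter_day40"] = r.may_process("newsletter", t0 + timedelta(days=40))
    out["ebook_after_regrant"] = r.may_process("ebook", t0 + timedelta(days=3))
    r.withdraw("subscription center", t0 + timedelta(days=5))  # withdrawal scenario
    out["flag"], out["notes"] = r.consent_to_processing, len(r.consent_notes)
    return out
```

The notes list is the audit trail the accountability slide asks for: each grant or withdrawal appends a dated entry and bumps `consent_last_updated`, so a subject access request can be answered from the record itself.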


Accountability

• Roles & Permissions

• Audit Trail

• Encryption at Rest

• Data Management

• Subject Access Requests

• Process, Process, Process !!


Further Resources

• GDPR & Marketo

• SiriusDecisions Data Privacy Compliance Model

• Email Preference Center

• Coming soon, a Practical Guide for the Marketo Customer

Marketo Proprietary and Confidential | © Marketo, Inc. 12/4/2017

THANK YOU !
