If “our similarities bring us to common ground,” (Tom Robbins) we’ve reached our destination.
No doubt you have quite an assembly of tools in your MarTech stack, acquired at various stages of your company's journey. Each technology solves a different problem for your organization, but they all share a common ground: they access your data. Is the GDPR alarm going off in your head? It ought to be, because GDPR considers any technology provider in your stack that handles personal data on your behalf (Marketo, Salesforce, Ringlead, ReachForce, Bizible, and so on), as well as any agency or service provider who can access that data, a "data processor." And GDPR has a lot to say about this role and the responsibilities that come with it. Welcome to GDPR land.
GDPR Compliance: All Aboard
By GDPR definition (Article 4(8)), a data processor is "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." So all of your external systems, companies, agencies, service partners or contractors that handle personal data for you, whether enriching your data, collecting data on your behalf, mining, segmenting or analyzing records, or even handling payroll or other outsourced HR activities, are data processors. Which means... (sound the major GDPR alarm) ...each one must be able to meet GDPR's requirements for processors. One caveat worth keeping in mind: a vendor that decides for itself why and how it uses personal data (an enrichment provider matching your records against its own contact database, for instance) is acting as a controller in its own right for that data rather than purely as your processor, and the relationship needs to be documented accordingly.
But wait, there’s more.
Did you catch those last few words of the data processor definition, "...on behalf of the controller"? If your MarTech tools, agencies and service partners are data processors, that makes your organization the data controller: the party that determines the purposes and means of the processing. And with great responsibility comes greater accountability. It is the data controller (AKA you) who calls the shots on what data is collected, why, and how it is used. Ultimately, YOU, the data controller, are responsible for ensuring that personal information is processed in accordance with GDPR, and YOU can be subject to corrective measures and penalties should something go awry. Additionally, YOU may only use processors that can provide sufficient guarantees, backed by documentation, that they implement appropriate technical and organizational measures to meet GDPR's requirements (Article 28). Processors carry direct obligations of their own under GDPR, but that does not relieve you of this accountability. YIKES!
Takeaway: GDPR has a much broader impact on your operations and organizational structure than is visible on the surface.
How can you mitigate your risks?
Develop your Itinerary
- Take inventory and document your MarTech landscape, identifying all of your processors: agencies, Marketo, deduplication vendors, data enrichment, ABM, CRM... you get the idea. For each one, note what personal data it receives, where that data is stored, and which sub-processors the vendor uses in turn. This inventory is also the foundation of the record of processing activities that GDPR expects controllers to maintain (Article 30).
- Request documentation from each data processor demonstrating how they meet GDPR's requirements. Most established data processors have already prepared this documentation, and all you will have to do is review it. For instance, Salesforce, who may be hosting your CRM data, publishes Trust and Compliance documentation for its services. If you work with a data processor that does not have documentation readily available, you will need to be proactive and send them a questionnaire adjusted to your specific needs. Whatever form it takes, look past a bare "GDPR compliant" statement and ask for specifics: where the data is hosted and whether it leaves the EU, the security measures in place, the sub-processors used, how personal data breaches are reported to you, how the processor assists with data subject requests, and how data is returned or deleted when the engagement ends.
- Categorize the returned documentation. Keep a record of every document, and for each processor that falls short, either work with them to close the gaps, find a replacement processor, or decide what additional safeguards you need to protect yourself if you keep them.
- Sign a data processing addendum (DPA) with each data processor once you are satisfied with their documentation. GDPR requires a written contract with every processor that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data involved, and the processor's obligations (Article 28(3)), so this step is not optional. Work with your legal department to prepare such an addendum and execute it with each processor you want to keep on board. For example, Salesforce has already prepared a pre-signed Data Processing Addendum that your legal department can review and execute.
- ALWAYS have your legal team review all contracts to make sure your organization is protected should your processor make a mistake.
Additional Direction: Get a Data Protection Officer
I would be remiss in this post if I didn't also mention the role of the Data Protection Officer (DPO). GDPR requires both controllers AND processors to designate a DPO if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale (online behavioral tracking is the classic example), or if your core activities involve large-scale processing of special categories of data (such as health, biometric or political data) or data about criminal convictions (Article 37). The DPO advises your organization on its GDPR obligations, monitors compliance, advises on and monitors Data Protection Impact Assessments (DPIAs), and acts as the liaison with GDPR supervisory authorities. Given the magnitude (and complexity) of GDPR compliance, this role probably isn't a bad idea even where it is not strictly required. But note, your DPO does not have to be a full-time employee; you might opt for an external or shared DPO instead. (Just make sure your company has sufficient access to a shared DPO.)
Are We There Yet?
GDPR…so many details to consider, so many impacts on your organization. Some are obvious, and some are not. For best results, be thorough in your preparations, survey your data processors and take steps to mitigate your risks. Eventually, we will arrive. In the meantime, embrace the journey and don’t forget to occasionally roll down your window and take a breath of fresh air.
Need help with your GDPR compliance journey? Get a readiness assessment by our team of Marketo Certified Solutions Architects.
Keep in mind: we're marketers, not lawyers. Be sure to have your lawyers review your practices and procedures to ensure your direction is aligned with GDPR.