Two simple steps to keep Partners GDPR compliant at Dreamforce

BD (before Dreamforce)

1. Agree what marketing you are going to send the person as follow-up — “xx & yy” — so when your show workers scan them they can say “Is it ok to scan you so we can send xx & yy?”

2. Train the show workers on the scanners and to ask “Is it ok to scan you so we can send xx & yy?” Clearly if the person says no, then do not scan them.

That wasn’t hard, was it?

AD (after Dreamforce)

1. Load the leads /contacts into Salesforce or Pardot AND Salesforce — or update existing leads/contacts.

2. Add a permission record (custom object) for each lead / contact that says “Scanned at DF18” with a date. Associated with this permission record are child optin records (another custom object) for the marketing you have agreed to send them –i.e. which mailing lists you are putting them on; “Product Updates, Webinar invites” These records also need an expiry date that is based on your own marketing policy i.e. you can contact them for 6 months or 12 months.

Now you can send follow-up emails. The email needs a link so the person can unsubscribe from the different lists independently. The unsubscribe needs to update the permission records in Salesforce.

Pardot vs. Salesforce

GDPR permissions will be coming from a number of different areas of the company marketing (signups and consents), sales (in the sales cycle), legal (signed contract). Therefore, Salesforce needs to be the central source of permissions, rather than Pardot.

That means that people are added and removed from Pardot lists by their permissions in Salesforce. This is not difficult but does require a few tweaks to the integration. This article explains what customization of Salesforce is required to fully comply with GDPR.

Getting into detail

If you want to really understand how to implement GDPR including integration with Pardot, here is a more detailed article that explains what customization of Salesforce is required to fully comply with GDPR.

FAQ

Do I really need to do this?

No. Like all legislation, there is nothing forcing you to do it. You could take the view that you are unlikely to be fined. But there are strong business reasons for implementing the principles behind GDPR

1. Sales focus: Have engaged conversations with qualified leads rather than collecting emails of people who i) have no interest ii) have no need iii) have no budget. These are not the people you want to waste your SDR and Sales Teams time on. So don’t scan them.

2. Competitive advantage: Post-Facebook/Cambridge Analytica, customers are more aware of how their data is being exploited and are more likely to work with companies who respect their data. Demonstrating you are complying with GDPR gives a VERY strong message.

3. Trickle down: Many of your customers or potential customers will be committed to complying with GDPR. They will require you to be GDPR compliant to support them. It may even be a mandatory requirement of working with them.

What if the person is not European? Do I need to worry?

The issue is it is very difficult to tell if the person is a “member of the European Union” — this is the GDPR clause. They may be a UK citizen living in the US (like me), they might an American living in the France, they could a European living in Europe. The bottom line is you can’t tell so you need to treat EVERY person you scan under GDPR.

Is a simple scan enough?

Yes, provided you don’t scan those who are have not given you permission to contact them.

What about the Individual object?

The Individual object is a great way of getting a single picture of a person who is stored Salesforce but in different roles; customer, supplier, partner, lead. That way their permissions can be managed more consistently. However, you still need to add the custom permission and opt-in objects to track the permissions

This article explains what customization of Salesforce is required to fully comply with GDPR.