Does anybody already have GDPR implementation best practices? I will start with the ones we have.
Getting and storing consent
In certain situations under the GDPR you have to get consent from the individual for using their personal data. The best-known example is the checkbox in a web form.
With every form submit Act-On already stores the following data: IP address, time and date stamp, referring URL. This has to be extended with three extra fields:
- Optin type = How did the individual give consent? Was it ticking a checkbox? Then store the value checkbox.
- Optin text = What was the exact text that the individual gave consent to? Store the exact text.
- Optin = Did the person opt in (tick the checkbox)? Store Yes or No.
You could end up with several different consents from one individual. We are figuring out how to deal with this. You could copy them to one general optin list.
Act-On tracking beacon
The Act-On tracking beacon collects personal data of all the known and unknown individuals. This means that an individual has to give consent for Act-On collecting this data on your behalf. So the Act-On tracking beacon can only be loaded after a website visitor has clicked YES (giving consent) in a cookie banner. Act-On has standard functionality for this; see https://university.act-on.com/User_Guides/Inbound_Marketing/Using_the_Website_Prospector/Managing_Opt-In_Cookie_Options_and_Disabling_Beacon_Tracking
The individual rights
The GDPR gives the individual certain rights that are connected with personal data being available in Act-On: the right of access, the right to rectification, the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.
Basically you must put the processes in place to delete, alter and export personal data from Act-On. Deleting and altering personal data is standard functionality in Act-On, but not yet for behavioural data.
Always keep a note of every request made by an individual. Create an extra field that keeps note of all changes made to personal data based on GDPR rights.
The right to data portability (export data) is not yet available in Act-On as standard functionality for behavioural data. I am guessing this is part of the personal data, so it must be included in a request for data portability.
DPA (Data Processing Agreement)
Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place. Act-On is a processor, so you need a contract, which is often referred to as a Data Processing Agreement. Act-On has a standard contract (DPA) which you have to request and sign.
DPIA (data protection impact assessment)
Data protection impact assessments (DPIAs) help organisations to identify the most effective way to comply with their data protection obligations and meet individuals' expectations of privacy.
Our feeling is that when using marketing automation you have to make a DPIA. See also https://www.thehouseofmarketing.be/blog/the-impact-of-gdpr-on-marketing-data-protection-impact-assessment
Additions / comments are welcome!
Any addition or comment is welcome.
Stan and Stacy