Pardot and GDPR Compliance Checklist: Can You Score 10?


The concept of GDPR has been at the forefront of marketing automation in the last few years. Companies using Pardot now must pay significant attention to how they collect, store and process customer data. When it comes to Pardot and GDPR compliance, there are at least ten crucial things to consider, which I’ve outlined in this blog.

Before we get started with the checklist though, let’s emphasise the importance of GDPR by taking a look at some of the potential penalties if you aren’t compliant:

GDPR Penalties

OK, so this is a big one. If you are in breach of the GDPR then penalties can be up to 4% of annual global turnover OR €20 million, whichever is the greater amount. Pretty scary, right?

However, this is the maximum fine you can get for violating the regulations and will be imposed for only the most serious of offences. It is important to remember that the GDPR fines work on a tiered approach and the lower cost is 2% of annual global turnover OR €10 million. Still a punch.

As you might expect, there are many caveats to being GDPR compliant in Pardot – here are ten of the most important ones to get you started.

  1. Cookie Policy
  2. Privacy Policy
  3. Opting Out
  4. Opting In
  5. Data Retention
  6. Data Breaches
  7. Right to Access
  8. Data Protection Officers
  9. Extra-territorial Scope
  10. Privacy by Design

The Pardot and GDPR compliance checklist

1. Cookie Policy

You might be familiar with the ‘We use cookies to track activity’ message that pops up on web pages asking visitors to accept the tracking. Here’s a snapshot of the one we use at MarCloud:

MarCloud cookie notice

What most people aren’t familiar with is the fact that this can be enabled and customised from right within Pardot. 

Why do we need a cookie notice?

Just to dial it back a bit, GDPR means companies have to be transparent about the information they collect on people. This information includes cookies and tracking data – which is why you need to consent to have your activities tracked in the first place.

How do we enable it in Pardot?

Head to your Admin > Overview settings and select Edit to configure this. You should see the following configuration options:

Cookie policy configuration

Here you’ll be able to configure the message, styling of that message, and also the countries you would actually like this message to pop up in. 

Remember, different countries have varying regulations with regards to GDPR – you may find that you need to be more, or less stringent in terms of the messaging and frequency of your messaging. 

As a general rule of thumb, I would advise that you are requesting opt-in to tracking from all visitors to your site – it’s not worth the hassle if someone slips through the cracks. 

Salesforce provides some really useful documentation about cookie tracking policies.

TIP – Another thing to be aware of is the cookie duration policy: ‘Pardot admins can adjust the duration of Pardot visitor_id and pi_opt_in tracking cookies from 180 to 3650 days’.

This is important as the configured duration may differ from what is specified within your Privacy Policy (mentioned below). If so, one or the other must be altered so that they align.

2. Privacy Policy

There needs to be a link to the Privacy Policy wherever you are collecting personal information. 

It comes down to the expectation that when someone gives you consent to handle their personal information, you need to be informing that person how that data will be used. 

It’s advised that you keep on top of this by making the link obvious and accessible underneath every form you use.

TIP – Get into the habit of putting this link in your layout templates. This means you are less likely to forget it and also means it’s easy to update across multiple assets if you need to.

3. Opting Out

There are a few (important) points to consider with regards to how opt-outs are managed in Pardot. Firstly, it’s vital that we are actually giving prospects the ability to opt out. For example, there has to be a link in all emails that allows the prospect to unsubscribe (such as via the preference centre).

Unsubscribe link in an email

Don’t take any chances here, make sure that this functionality actually works by testing thoroughly. When a prospect opts-out or unsubscribes from a preference list, has this actually happened in the back-end?

Profile of prospect who opted out

See our blog on the resubscribe process here.

Furthermore, prospects might ask to be opted out manually rather than doing it themselves – in this case, the company must do so. There may also come a time when a prospect requests their data to be deleted – if this happens your company must also oblige.

If an individual requests to have their data erased or withdraws consent then you have up to one month to do so. 

There are certain circumstances where you can refuse to erase the personal data, such as if the information is needed for public health purposes. It is also your responsibility to inform any third party who may have received the individual’s personal information about the request to be forgotten.

Remember, simply putting a prospect in the recycle bin is not the same as deleting them. Prospects need to be hard deleted from the recycle bin in this case. More info on recycle bin behaviour in our Pardot Prospects and the Recycle Bin post.

4. Opting In

One key thing to remember about prospects and their opt-in status, is that they actually have to give you this confirmation in order for you to mail them. The leash has been tightened, with consent now having to be clear, distinguishable and explicit.  

If you are asking them to opt in via a form, there are a few things you must consider:

  1. If you are using a GDPR checkbox to manage opt-in from a form, make sure this isn’t a required field. Forcing someone to opt in is not GDPR compliant. Furthermore, don’t pre-tick the checkbox!
  2. If you are opting prospects in off the back of a form submission, make sure they are made aware of it, and tell them what they should expect as a result of opting in.
  3. It’s also important to make sure that you are collecting a timestamp for when a prospect opts in. We can always refer to the prospect’s audit log to find this out, but it’s best practice to capture this information in an easily accessible field. Consider an automation rule to update this field value when a prospect opts in.

Opting in checkbox example
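The three opt-in points above, as an added example that is not Pardot’s or MarCloud’s code. It models a generic web form rather than the Pardot form builder: the `gdpr_opt_in` field name, the form definitions and the submissions are all constructed for illustration. The first function flags a consent checkbox that is required or pre-ticked; the second only writes an opt-in record (with a UTC timestamp for the easily accessible field) when the box was explicitly ticked, so consent is never inferred from the submission alone.

```python
"""Added example (not Pardot's or MarCloud's code): consent checkbox
configuration checks and opt-in timestamp capture for a web form."""
from datetime import datetime, timezone
from typing import Optional

CONSENT_FIELD = "gdpr_opt_in"  # hypothetical field name for the GDPR checkbox


def check_consent_field(form_definition: dict) -> list:
    """Return configuration problems with the consent checkbox.

    The checkbox must exist, must not be a required field and must not be
    ticked by default; an empty list means the form passes.
    """
    field = form_definition.get(CONSENT_FIELD)
    if field is None:
        return ["consent checkbox missing"]
    problems = []
    if field.get("type") != "checkbox":
        problems.append("consent field is not a checkbox")
    if field.get("required", False):
        problems.append("consent checkbox is marked required")
    if field.get("default", False):
        problems.append("consent checkbox is pre-ticked")
    return problems


def _is_ticked(value) -> bool:
    """Normalise the values browsers and APIs send for a ticked checkbox."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() in ("on", "true", "1")


def record_opt_in(submission: dict, submitted_at: datetime, source: str) -> Optional[dict]:
    """Build an opt-in record, or None when the box was not ticked.

    Submitting the form is not consent; only an explicitly ticked box is.
    The timestamp is stored in UTC ISO 8601 so it can live in a plain field.
    """
    if not _is_ticked(submission.get(CONSENT_FIELD)):
        return None
    return {
        "email": submission["email"],
        "opted_in": True,
        "opt_in_timestamp": submitted_at.astimezone(timezone.utc).isoformat(),
        "opt_in_source": source,
    }


# Constructed sample form definitions: one compliant, one with both mistakes.
GOOD_FORM = {
    "email": {"type": "email", "required": True},
    CONSENT_FIELD: {"type": "checkbox", "required": False, "default": False},
}
BAD_FORM = {
    "email": {"type": "email", "required": True},
    CONSENT_FIELD: {"type": "checkbox", "required": True, "default": True},
}

if __name__ == "__main__":
    print("good form:", check_consent_field(GOOD_FORM))
    print("bad form:", check_consent_field(BAD_FORM))
    when = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)  # constructed
    print(record_opt_in({"email": "a@example.com", CONSENT_FIELD: "on"}, when, "webinar form"))
    print(record_opt_in({"email": "b@example.com"}, when, "webinar form"))
```

Running the check against every form definition as part of a release review catches a pre-ticked or required box before it reaches a live page; the opt-in record is what an automation rule would write into the timestamp field.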

5. Data Retention

GDPR states that companies must pay significant attention to how long they actually keep hold of people’s personal data. Keeping hold of data for too long, despite it being secure, could result in a violation of GDPR. 

What do you need to do?

What may be confusing is that GDPR doesn’t actually define a set period to which you should hold on to data. What it does say is that you, the company, are responsible for defining how long you see fit to keep hold of people’s personal data. However, it is a requirement that you document and justify why you have chosen to adopt this particular timeframe. 

In an ideal world, this timeframe is decided by how long you need to carry out the purpose for which you collected the data in the first place. However, this concept becomes hard to interpret when businesses can’t narrow down a single-use reason for collecting the data originally.

All this considered, it’s best practice and certainly advisable to put some kind of data retention policy in place in your Pardot account. 

Being hands-on and actually acknowledging the need / implementing a simple data retention policy means you are moving in the right direction, and your chances of this coming back to bite you have been slashed significantly.

How to approach data retention in Pardot & Salesforce?

The best way to easily manage this process is by setting up a dynamic list/automation rule combination in Pardot that also incorporates the data on the Salesforce side – this way we can manage deletion in both systems. 

We often recommend to clients that they set something like the below up, whereby prospects who were created X amount of days ago and have been inactive for X amount of days, are sent to the recycle bin. 

Example of automation for recycle bin prospects

Now you have your dynamic list set up for segmenting your Pardot prospects for deletion, follow these steps to complete the process:

  1. Run an automation rule that looks for membership of the above list, with the following actions:
    1. Add tag: ‘HARD DELETE’
    2. Add to Salesforce Campaign (you’ll need to create a campaign for housing these prospects; this is how we’ll identify them from within Salesforce).
  2. Go into Salesforce, and hard delete the prospects who are in this Campaign – they will now be in the Pardot recycle bin.
  3. In the Pardot recycle bin, search for the tag ‘HARD DELETE’, and hard delete these prospects from the recycle bin. Remember, just putting prospects in the recycle bin in Pardot isn’t enough, as they will remain there and their data is still technically in your system.
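The retention sweep described in the steps above, as an added example that is not Pardot’s or MarCloud’s code. It models the dynamic-list criteria (created more than X days ago and inactive for X days), the tagging automation rule, the hard delete, and a final audit that reports any tagged record still in the system. The prospect records, field names and the 365/180-day thresholds are constructed for illustration.

```python
"""Added example (not Pardot's or MarCloud's code): a data-retention sweep
that tags stale prospects, hard deletes them and audits what is left."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

HARD_DELETE_TAG = "HARD DELETE"  # the tag the automation rule applies


@dataclass
class Prospect:
    """Constructed stand-in for a Pardot prospect record."""
    email: str
    created_at: datetime
    last_activity_at: Optional[datetime]  # None = never active since creation
    tags: Set[str] = field(default_factory=set)


def is_stale(p: Prospect, now: datetime, min_age_days: int, inactive_days: int) -> bool:
    """Dynamic-list criteria: old enough AND no activity in the inactivity window."""
    old_enough = p.created_at <= now - timedelta(days=min_age_days)
    last_seen = p.last_activity_at or p.created_at
    inactive = last_seen <= now - timedelta(days=inactive_days)
    return old_enough and inactive


def run_retention_rule(prospects: List[Prospect], now: datetime,
                       min_age_days: int = 365, inactive_days: int = 180) -> List[str]:
    """Step 1: tag every stale prospect; return their emails (the campaign members)."""
    tagged = []
    for p in prospects:
        if is_stale(p, now, min_age_days, inactive_days):
            p.tags.add(HARD_DELETE_TAG)
            tagged.append(p.email)
    return tagged


def hard_delete_tagged(prospects: List[Prospect]) -> Tuple[List[Prospect], List[str]]:
    """Steps 2 and 3: remove (not merely recycle) every tagged prospect.

    Returns the surviving records and the deleted emails.
    """
    remaining, deleted = [], []
    for p in prospects:
        (deleted if HARD_DELETE_TAG in p.tags else remaining).append(
            p.email if HARD_DELETE_TAG in p.tags else p)
    return remaining, deleted


def retention_gap(prospects: List[Prospect]) -> List[str]:
    """Audit: tagged prospects still present, i.e. data 'still technically in your system'."""
    return [p.email for p in prospects if HARD_DELETE_TAG in p.tags]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference date


def build_sample() -> List[Prospect]:
    """Constructed prospects covering each branch of the criteria."""
    d = lambda days: NOW - timedelta(days=days)
    return [
        Prospect("old.inactive@example.com", d(800), d(400)),  # stale
        Prospect("old.active@example.com", d(800), d(10)),     # active, keep
        Prospect("new.inactive@example.com", d(30), None),     # too new, keep
        Prospect("old.never@example.com", d(500), None),       # never active, stale
    ]


if __name__ == "__main__":
    records = build_sample()
    print("tagged:", run_retention_rule(records, NOW))
    records, gone = hard_delete_tagged(records)
    print("hard deleted:", gone)
    print("still tagged after sweep:", retention_gap(records))
```

The audit function is the part worth keeping around: run it after the recycle-bin step and a non-empty result means a record went to the bin but was never hard deleted.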

You’ve now got a basic data retention process in place, which is a lot better than not having one at all. Whilst there are a few manual elements to this process, there isn’t too much legwork to check in on your dynamic list / Salesforce campaign to keep track of the prospects that need hard deleting. 

TIP – There are other benefits to creating an automated data retention plan in Pardot. Remember, you will be charged extra if your database exceeds its limit. Why not make sure that you are always within this limit by introducing a plan to remove cold leads?

6. Data Breaches

So what is considered a data breach? Well, according to the GDPR, a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

To put it simply; if there is any kind of leak/loss or destruction of personal data, whether it be purposely or accidentally done, you have to inform the relevant people.

If for any reason your company suspects there has been a data breach, prospects must be made aware of this within 72 hours. The relevant supervisory authority must also be made aware within this timeframe.

It’s important here to understand how to actually go about doing this. For example, you will need to contact Pardot, who can turn on operational emails allowing you to send out a communication to all prospects.

Below is a handy checklist for considerations regarding data breaches:

ICO guidelines for data breaches

Source: ICO

7. Right to Access

Prospects also have the right to see the data that your company stores about them. This must be free and needs to be provided within a month of the request. If approached for this information, you must also provide this information in a commonly used and machine-readable format. 

This is as much a process piece as anything else – it’s key that users know exactly how to access and convey this information to prospects if approached for it.

8. Data Protection Officers

If your company is a public authority OR you carry out large-scale monitoring of individuals OR your data controllers deal with data relating to criminal offences, then you will be required to assign a data protection officer.

This person can be hired internally or externally but must have the relevant experience. They will be responsible for the monitoring of data, making sure your company stays compliant with the GDPR, and for the training of employees. They will also be the first point of contact for both the supervisory authorities and individuals.

For a full description of the data protection officer role and guidance on whether you should be hiring someone, visit the ICO’s website.

9. Extra-Territorial Scope

GDPR applies to all companies that process consumer data in the EU, whether or not that company is actually in the EU itself – this is called the extra-territorial scope. 

The laws have always stated that any company that processes data within the EU falls under the territorial scope and this will still apply when GDPR comes into play. 

The difference now is that the regulations will also apply to data controllers processing personal data of EU citizens outside of the EU. This has been made explicitly clear.

10. Privacy by Design

Previously, although you would have to take the correct measures to ensure that personal data was protected, you wouldn’t have to actually design it. 

What do I mean by this? 

Basically, data protection must be a core consideration from the get-go when designing and implementing software, not just an extra addition. Think back to your Pardot preference centre here – this shouldn’t just be a ‘nice to have’, but a key consideration before configuring your instance. 

Secondly, data controllers must only process data that is absolutely necessary and only store it for as long as needed.

So, these are the main aspects of GDPR that we feel are important from a Pardot perspective. Salesforce also provides some useful documentation on GDPR too.

What does your current GDPR landscape look like? Can you confidently say you have addressed all ten points in this Pardot and GDPR compliance checklist? If not, you can always schedule a free Pardot audit. We’ll happily take a look for you. 
