I am so over GDPR.
GDPR came into force on May 25 and it is having a profound effect on the event and corporate entertainment industry. Dreamforce is a huge user conference but also a massive exhibitor event. And as a large percentage of the attendees are from the EU, every partner exhibiting in the Expo and running parties should be concerned about GDPR.
Whilst most marketers roll their eyes and complain about the cost of supporting GDPR, it is driving the right behavior: consented engagement.
BTW It is not that hard. Keep reading.
GDPR benefits not costs
Those marketing teams who embrace the GDPR principles of Privacy by Design will come out as the winners in every area; email marketing, event marketing, exhibiting & inbound marketing.
Marketing should be about building engagement with prospects and qualifying them. It should not be measured and incentivized to collect names and emails of anyone with a pulse. Instead, marketing teams should be looking for qualified leads, because that is what sales teams want. That requires a conversation between marketing and sales to get agreement on what a “qualified lead” really is. And then constructing campaigns and questions that qualify.
Turning marketing into a metrics-driven business development machine will change your relationship with sales teams. They will see you as valuable team members, not just swag-distributors scanning anyone and everyone.
There is not much you need to do before DF
Dreamforce is 20 days away, but there is not much you need to do before Dreamforce. You can take the moral high ground vs your competitors really easily.
There are a couple of things to do after Dreamforce before you start sending out follow-up emails. So, let’s split this into BD (before DF) and AD (after DF). But first let’s understand the principles.
Under GDPR we also need to make sure that all scanned leads have genuinely given their consent to receive email follow-up, and that consent (where, when and what you said you’d send them) is stored along with an expiry date based on reasonable marketing policies. Those consents need to be stored in the Salesforce alongside the permissions that have been added by other departments (sales, support and legal). You now have a complete view of a person’s permissions. Then you can run email follow-up campaigns confidently. Ultimately, you need to be able to track the consent that was given, tie it to the marketing that you decide to send them after the event, and have an expiry date on the record. All in Salesforce and/or Pardot (more on this integration later).
BD (before Dreamforce)
Agree what marketing you are going to send the person as follow-up — “xx & yy” — so when your show workers scan them they can say “Is it ok to scan you so we can send xx & yy?”
Train the show workers on the scanners and to ask “Is it ok to scan you so we can send xx & yy?” Clearly if the person says no, then do not scan them.
That wasn’t hard, was it?
If you have simple scanning, then is it binary; “Can I send you information or not”. If you are using a more sophisticated lead scanner that has been designed with GDPR in mind – such as Zuant – then you can ask more granular qualification questions; “What communication is most valuable for you – x, y, z?”. This then drives list membership in your marketing automation.
AD (after Dreamforce)
Load the leads /contacts into Salesforce or Pardot AND Salesforce — or update existing leads/contacts, based on the permissions you have collected.
Add a permission record (custom object) for each lead / contact that says “Scanned at DF18” with a date. Associated with this permission record are child optin records (another custom object) for the marketing you have agreed to send them –i.e. which mailing lists you are putting them on; “Product Updates, Webinar invites” These records also need an expiry date that is based on your own marketing policy i.e. you can contact them for 6 months or 12 months.
Now you can send follow-up emails. The email needs a link so the person can unsubscribe from the different lists independently. The unsubscribe needs to update the permission records in Salesforce.
Marketing automation vs. Salesforce
GDPR permissions will be coming from a number of different areas of the company marketing (signups and consents), sales (in the sales cycle), legal (signed contract). Therefore, Salesforce needs to be the central source of permissions, rather than marketing automation.
That means that people are added and removed from marketing automation lists by their permissions in Salesforce. This is not difficult but does require a few tweaks to the integration. This article explains what customization of Salesforce is required to fully comply with GDPR.
Getting into detail
If you want to really understand how to implement GDPR including integration with marketing automation, here is a more detailed article that explains what customization of Salesforce is required to fully comply with GDPR.
Do I really need to do this?
No. Like all legislation, there is nothing forcing you to do it. You could take the view that you are unlikely to be fined. But there are strong business reasons for implementing the principles behind GDPR
Sales focus: Have engaged conversations with qualified leads rather than collecting emails of people who i) have no interest ii) have no need iii) have no budget. These are not the people you want to waste your SDR and Sales Teams time on. So don’t scan them.
Competitive advantage: Post-Facebook/Cambridge Analytica, customers are more aware of how their data is being exploited and are more likely to work with companies who respect their data. Demonstrating you are complying with GDPR gives a VERY strong message.
Trickle down: Many of your customers or potential customers will be committed to complying with GDPR. They will require you to be GDPR compliant to support them. It may even be a mandatory requirement of working with them.
What if the person is not European? Do I need to worry?
The issue is it is very difficult to tell if the person is a “member of the European Union” — this is the GDPR clause. They may be a UK citizen living in the US (like me), they might an American living in France, they could be a European living in Europe. The bottom line is you can’t tell so you need to treat EVERY person you scan under GDPR.
Is a simple scan enough?
Yes, provided you don’t scan those who are have not given you permission to contact them.
What about the Individual object?
The Individual object is a great way of getting a single picture of a person who is stored Salesforce but in different roles; customer, supplier, partner, lead. That way their permissions can be managed more consistently. However, you still need to add the custom permission and opt-in objects to track the permissions.