Marketing automation and GDPR: comply or die

With GDPR just a matter of weeks away, compliance efforts are on overdrive. The more prepared have been planning for over a year, leaving those ‘more agile’ companies on the back foot now as they consider how to meet their compliance needs.

For marketers, the framework is a game changer, as we set out in our previous blog post. As inbound marketers, we’re clearly interested in how this will affect the inbound marketing methodology and the systems we use that underpin it all.

We’re not going to cover the basics of GDPR compliance. We’ve already been over that in our blog post and checklist. What we are going to do is consider the role of marketing automation in helping organisations to comply. And more specifically, how it could or indeed should be used.

Marketing automation and GDPR should be a great fit. Indeed, a Marketing Automation System (MAS) can be a great tool in a business’ arsenal when it comes to meeting GDPR compliance requirements. Note the word can. In itself, running a MAS, much like any system, is not going to magically make you compliant. Similarly, the way that many businesses use a MAS currently, it would actually be more of a hindrance than a help. Here we’re going to be talking about process rather than systems, not least because there are literally hundreds of MAS vendors out there all flogging their wares (with admittedly varying degrees of success!).


Opt in

“Unambiguous consent by a statement of clear, affirmative action.” If anyone can think of an alternative way for someone to give clear affirmative action on a website other than a tick box I’m all ears at this point. Until then, let’s just take this as meaning you need to make sure people have opted in to receive emails from you.

Many companies will take the fact that someone has downloaded a checklist or a white paper from their website as being a reason to subscribe them to general marketing lists flogging their wares. We can’t do that any longer. We need to make sure that if there is a form, and a landing page, that the ability to download that content offer is not linked as a matter of course to subscribing that person to receiving future communications.

On the Inflowing site, and for our customers, we’re achieving this by adding a simple checkbox to each of our landing pages and forms. If someone wants to download a content offer, they can. This in itself does not opt them in to receiving anything. They simply receive a link to download that piece of content. If someone ticks the box to subscribe to our newsletter, then they get added to the newsletter.


[Image: Landing page form GDPR opt-in]

We’re explicitly getting consent for sending them comms in the future.

Specific line of processing

A worrying number of B2B organisations haven’t ever had any type of opt-in process for their marketing communications. For those that have, there’s probably a large proportion who have had some sort of ‘catch all’ opt-in. So either the contact accepted a pre-ticked box (also not allowed going forward) or they ticked a box that’s loaded with a broad “opt-in to receive marketing” message. We can’t do this any longer. We need to give specific guidance on how the data is going to be processed. What marketing materials? How will they be sent? At what frequency? With our opt-ins on landing pages, we’re being very specific that it’s an email and that it’s at a frequency of 1 per month. We can’t then use that data for other purposes.


The audit trail

One area that most MAS vendors should excel in is that of the audit trail. Not only do we need to make sure we have this consent, we have to make sure that the information of who gave it, when and in what context is stored in a secure location and available for audit from the Information Commissioner’s Office should they wish to validate your processes.

This is about ensuring your ship is in order:

  • Make sure your MAS supports time and date stamps against subscriptions. You need to be able to see against an individual contact record when they subscribed. If it doesn’t, customise it to do so or move systems. There’s no way around this – so get it done!
  • Linked to the previous point, your MAS has to have a way of identifying what they have specifically consented to.


The right to be forgotten

This is an area where some MAS vendors, particularly those that are part of a broader CRM system or integrated with a CRM system, fall over. One of the more prominent areas of GDPR is the right to be forgotten. That is, if your personal data is held by a company, you can make a request with that company to completely delete that data record.

The tricky part here is that some systems don’t support record deletion…at all. Some systems support merging, or deactivating, but not deletion. This is particularly common if there is an order date within the system, as removing a contact record can have knock-on effects elsewhere in the wider enterprise systems.

Again, if your system doesn’t support this, it needs to. Either with customisation or vendor change. I’ve heard some people hacking around this by replacing contact data in this situation with a series of random ‘XXXs’. This requires a lot of human intervention, which may or may not be a good idea depending on the level of esteem you hold humanity in. Ultimately, the more human intervention there is the more scope there is for human error. I’d say it was probably a bad thing!
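To make the audit trail and right-to-be-forgotten points concrete, here is an added example (not code from the original post, and not any MAS vendor’s implementation) of a minimal consent ledger. It records, per contact, an append-only trail of what was specifically consented to (purpose, channel, stated frequency, the form it was captured on) with a timestamp; it treats a content download as creating no consent at all; it refuses to use newsletter consent for any other purpose; and its erasure deletes the whole record rather than masking it with placeholder characters. All class and method names, and the sample email address and dates, are assumptions constructed for illustration.

```python
"""Added example (not from the original post): a minimal consent ledger
demonstrating timestamped, purpose-specific consent records, purpose
limitation when sending, and outright erasure for a right-to-be-forgotten
request. Names and structure are assumptions, not any vendor's data model."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit entry: who consented, to what, when, and where."""
    action: str                    # "granted" or "withdrawn"
    purpose: str                   # the specific line of processing, e.g. "newsletter"
    channel: str                   # how it will be sent, e.g. "email"
    source: str                    # form or landing page the consent came from
    at: datetime                   # UTC timestamp stored against the subscription
    frequency: Optional[str] = None  # frequency stated on the form, e.g. "monthly"


class ConsentLedger:
    """Append-only consent trail keyed by contact email (assumed identifier)."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    @staticmethod
    def _stamp(when: Optional[datetime]) -> datetime:
        # Always store a timezone-aware UTC timestamp so the audit trail is unambiguous.
        return when if when is not None else datetime.now(timezone.utc)

    def record_download(self, email: str) -> None:
        """A content download creates a contact but grants NO consent."""
        self._events.setdefault(email, [])

    def record_consent(self, email: str, purpose: str, channel: str,
                       frequency: str, source: str,
                       when: Optional[datetime] = None) -> None:
        """The contact ticked an (un-pre-ticked) box for one specific purpose."""
        self._events.setdefault(email, []).append(
            ConsentEvent("granted", purpose, channel, source, self._stamp(when), frequency))

    def withdraw_consent(self, email: str, purpose: str, channel: str,
                         source: str, when: Optional[datetime] = None) -> None:
        """Withdrawal is logged as its own event, so the trail shows both directions."""
        self._events.setdefault(email, []).append(
            ConsentEvent("withdrawn", purpose, channel, source, self._stamp(when)))

    def may_send(self, email: str, purpose: str, channel: str) -> bool:
        """Purpose limitation: only the latest event for this exact purpose/channel counts."""
        matching = [e for e in self._events.get(email, [])
                    if e.purpose == purpose and e.channel == channel]
        return bool(matching) and matching[-1].action == "granted"

    def audit_trail(self, email: str) -> List[ConsentEvent]:
        """What an auditor would be shown for one contact, oldest first."""
        return list(self._events.get(email, []))

    def erase(self, email: str) -> bool:
        """Right to be forgotten: delete the record outright. Returns False if unknown."""
        return self._events.pop(email, None) is not None


if __name__ == "__main__":
    # Constructed sample run: a download, a newsletter opt-in, then erasure.
    ledger = ConsentLedger()
    ledger.record_download("alice@example.com")
    ledger.record_consent("alice@example.com", "newsletter", "email", "monthly",
                          "/landing/gdpr-checklist")
    print("newsletter ok:", ledger.may_send("alice@example.com", "newsletter", "email"))
    print("sales outreach ok:", ledger.may_send("alice@example.com", "sales-outreach", "email"))
    print("erased:", ledger.erase("alice@example.com"))
```

The design choice worth noting is that the trail is append-only: consent is never edited in place, a withdrawal is a second event, and the only destructive operation is the erasure the data subject is entitled to request.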



GDPR is forcing organisations to ensure they have “sufficient guarantees to implement appropriate technical and organisational measures” to meet the GDPR’s standards and protect the rights of individuals.

Suffice to say, if you go through all the steps above and end up with a breach because you’ve got a former employee operating with malice who can still access the system, or you’ve left your system open to the wrong type of person, then all this process work will be in vain.

  • If you’re running your MAS on a private cloud, make sure access to the system is encrypted in transit, so that when users authenticate they’re doing so over a secure connection to the server.
  • On your website, if you’re running forms and landing pages, an SSL certificate becomes an absolute necessity.
  • Audit your users: run through who has access to the system. Get rid of anyone who doesn’t need daily access to your system and make sure you have a formal process for users to request access and for it to be granted, with access being on a time limited basis where relevant.
  • If your system supports it, consider forcing users to use ‘safe’ passwords. Train your people on basics like using credentials different to other systems such as your website CMS and social media management tools. You might want to consider supporting employees’ use of password wallets as a matter of course.
  • Two-factor authentication – again if your system supports it, consider a verification step – where a code is sent via phone or SMS to the user. It provides that additional security step.


Get compliant now

We’ve produced a handy checklist which sets out some of the common areas of consent. It lists what you need to do and gives you the chance to smugly tick them off as you rattle through your business and address them.

Alternatively, if you need specific help on marketing automation and GDPR, or doing some system configuration to meet this very real need, reach out. We’ve already done tonnes of this work and we’d be happy to get you on track.