Breaking Silos: How Marketo CRM Synchronization Transforms Sales and Marketing Strategies
Synchronization between Marketo and a CRM is a cornerstone of marketing automation strategy for many companies. This article explores in depth how this integration can transform your approach to marketing and customer relationship management, with a particular focus on “Marketo CRM synchronization”.
Sylvain opens up his Marketing Automation – Marketo – and CRM – Salesforce – to show us the secrets of this native integration, and the best practices for getting the most out of it.
- 00:00 The end-to-end lifecycle. What happens when Marketing Automation is integrated into CRM? Definition of the Qualification / Enrichment / Conversion / Deduplication processes.
- 06:30 The difference between Lead and Contact. Why Marketing prefers to use the Lead to receive information from the Lead.
- 08:30 Question: can we send an alert to sales when a lead is converted?
- 12:25 The Revenue Cycle Model becomes available when synchronization is implemented.
- 13:20 Marketo’s Program Analyzer and Revenue Attribution Engine
- 15:10 The Opportunity Influence Analyzer
- 16:36 How Marketo CRM synchronization works
- 18:50 Impact of synchro on Marketo fields
- 20:30 Question: I have MS Dynamics and some fields are not mapped.
- 21:30 Possibility of remapping or merging fields with Marketo support
- 22:08 Choice of default synchronization parameters on the Marketo side
- 24:25 Marketo iframes to insert into CRMs and Interesting moments
- 25:50 Transferring people from Marketo to CRM and the Lead Life Cycle program
- 27:20 Filters, triggers and actions possible in CRM from Marketo thanks to synchro
- 30:00 Impact of partitions on the lead life cycle and scoring
- 31:30 Question: why only one campaign to drive leads to CRM? and key management between Marketo and CRM
- 37:48 Question: what happens if a sales rep adds a person to a Salesforce campaign that is synchronized with Marketo?
- 41:19 Salesforce – Marketo custom object synchronization – Quizzes example
The importance of Marketo CRM synchronization
Synchronization between Marketo and a customer relationship management (CRM) system creates an essential bridge between marketing and sales, enabling a unified view of the customer journey. This integration offers a multitude of benefits, including improved lead qualification, sales and marketing alignment, and optimized marketing campaigns.
How does synchronization work?
Marketo CRM synchronization enables a two-way exchange of information. On the one hand, lead data generated by marketing activities in Marketo is transmitted to the CRM, where it can be used by the sales team for targeted follow-up. On the other, information gathered by the sales team in the CRM can be sent back to Marketo to refine marketing automation strategies.
Benefits of Marketo CRM Synchronization
- Improved lead qualification: By synchronizing lead scores and demographic data from Marketo with the CRM, sales teams can prioritize the hottest leads and increase conversion rates.
- Campaign personalization: Information gathered in the CRM can help personalize Marketo campaigns, ensuring that marketing messages are aligned with the specific needs and interests of each prospect.
- ROI tracking: The integration makes it possible to track the effectiveness of marketing campaigns by directly measuring their impact on sales, making it easier to optimize marketing spend.
Steps to successful synchronization
- System preparation: Before synchronization, it’s crucial to ensure that data fields in Marketo and CRM are correctly mapped, and that data is cleansed to avoid duplication.
- Lead management: Clearly define how leads will be transferred between Marketo and CRM, including qualification criteria and handover processes between marketing and sales teams.
- Monitoring and optimization: Once synchronization has been implemented, it is essential to monitor data flows between systems and continuously optimize processes to maximize efficiency.
Challenges and solutions
While Marketo CRM synchronization offers many benefits, it can also present challenges, particularly in terms of data management and communication between teams. To overcome these obstacles, we recommend establishing clear data management protocols, training teams on synchronization processes, and encouraging close collaboration between marketing and sales departments.
Conclusion
Marketo CRM synchronization is a powerful practice that can significantly improve the effectiveness of your marketing and sales efforts. By ensuring seamless integration between these systems, companies can deliver a consistent, personalized customer experience, increase conversions and accurately measure the ROI of their marketing campaigns. With careful planning and careful execution, Marketo CRM synchronization can become a major strategic lever for your business.
Deciphering the GDPR Full Form: Venturing into Merlin/Leonard’s Communication Preference Centre
In the boundless realm of data protection, the GDPR full form – General Data Protection Regulation, emerges as a meticulously crafted lock, designed to safeguard the treasure trove of personal data. Our odyssey into unraveling the intricacies of this lock was vividly demonstrated during Marketo’s Office Hours on January 29, 2021, where I, Sylvain Davril, navigated through the enchanted waters of Merlin/Leonard’s Communication Preference Centre.
This followed the Communication Preference centre visit we did in 2019.
A Gentle Voyage into the GDPR Full Form:
As we embarked on our journey, a recapitulation of the GDPR full form and its essence was paramount. Unveiled in May 2018, the General Data Protection Regulation was envisioned as a uniform shield across Europe for managing and protecting personal data. Over time, slight divergences have surfaced amongst European nations, especially in the realms of B2B and B2C communication. Our quest underscored the necessity of embedding an easy opt-out link within our emails to navigate the GDPR tides, ensuring a harmonious communication flow.
The Craft of Communication Preference:
At the heart of our alchemist’s laboratory lies the Communication Preference Centre, akin to a well-forged key, designed to navigate through the GDPR lock. This centre is the realm where recipients can manage their communication preferences, a pivotal element in GDPR full form compliance. See Leonard’s advice for an efficient and compliant Preference Centre.
A closer inspection of the email you received from us will unveil a small yet potent link leading to this centre. It’s a conduit enabling the recipients to voice their preferences, a pathway ensuring clarity and consent in our communication journey.
Creative Conduits and GDPR Compliance:
Our Communication Preference Centre is a canvas where creativity melds with compliance. Whether placing the opt-out link at the beginning, the footer, or crafting a longer page showcasing what can be done, the essence is to make the unsubscription process as straightforward and pleasant as possible for the visitor.
In the realm of GDPR full form compliance, consent is the golden key. The granularity of consent, whether having two, three, or five consent checkboxes, aims to ensure that the visitor knows precisely what they are consenting to. It’s an art of balancing between GDPR full form compliance and a user-friendly experience.
The Pathway of Consent and Compliance:
As we navigate through the GDPR full form compliance journey, the element of consent morphs into different forms. From managing personal information to handling unsubscribe requests, every step is a blend of precision and compliance, ensuring a seamless interaction between us and our audience.
The artistry in managing unsubscribe requests, pausing communications, or handling the ‘right to be forgotten’ requests is akin to crafting a master key capable of unlocking the most intricate locks. Our technique is devised to ensure an easy and efficient management of these requests, echoing the GDPR full form’s ethos of data protection.
GDPR Full form functionalities
Sylvain detailed the main lines of information management and the automated campaigns to be set up to do this:
- Management of personal information + email change
- Management of company information and the trap of Marketo not mastering CRM
- Areas of interest and consent management
- Best practices for using consents in campaign forms
- Management of communication breaks, right to information and right to be forgotten
- How does it work in Marketo on the Field Management side?
- How does it work in Marketo on the Smart Campaigns side? e.g.: email change
- Smart Campaign Optin Consent + special channel Preference Center
- Unsubscribe + Re-subscribe (Smart Campaign)
- Break management (Smart Campaign)
- Right to information management (Smart Campaign)
- Smart Campaign for managing the right to be forgotten
- Visitor notification management
- Acquisition tracking management
The list is not exhaustive, of course. However, just by applying all these smart campaigns, you will ensure your business an optimized data management while remaining within the GDPR framework. You can also find some best practices for your preference center on our blog.
GDPR Full Form Compliance: An Ongoing Quest:
The realm of GDPR full form compliance is an ever-evolving landscape. Our dialogue during Marketo’s Office Hour was a step further into mastering the art of GDPR full form compliance within Marketo’s sphere, a step closer to providing a seamless and compliant communication experience to our audience.
Concluding Alchemy:
The theme of The Locksmith’s Alchemist’s Laboratory resonates through our GDPR full form compliance journey. It’s a world where every regulation, every consent, and every preference is a lock waiting to be decoded. Our Communication Preference Centre is one such master key, meticulously crafted to navigate through the GDPR full form realm, ensuring a harmonious, compliant, and enriching interaction between our clients and their audience.
The discourse during Marketo’s Office Hours was a glimpse into our ongoing quest to blend the magic of Merlin with the genius of Leonardo, ensuring GDPR full form compliance while enhancing the user experience, reflecting the true essence of Merlin/Leonard’s ethos.
Our other GDPR articles
Join us for Marketo Office Hours 😉
Sylvain offers you one hour every Friday to ask all your questions and share best practices in Marketo and Marketing Automation.
GDPR consent: 5 ideas to turn your preference center to your advantage!
The General Data Protection Regulation – GDPR – has been subject to many interpretations even before it came into force in May 2018.
One thing remains certain: obtaining GDPR consent from your prospects is now key.
At Merlin/Leonard, we’ve consulted extensively with our lawyers. And we have assisted more than twenty clients in setting up a GDPR-compliant preference center.
This varied experience has convinced us that a preference center, far from being a thorn in the side, can be a real boon for companies that want to build a lasting relationship with their customers and prospects based on trust.
Here are five ideas that summarize what our experience has taught us.
1. There is no such thing as the perfect preference center / GDPR consent model
If you’re looking for a template to copy, you’ll be disappointed.
That said, we’re pretty proud of our preference center, as you saw at our Office Hour on this topic (if you missed it, the replay is here).
It’s a good example but not a universal template because the elements of the form need to reflect the specifics of your offerings and communication methods.
So it’s up to you to determine which elements you’ll need to collect consent for (see point 4 below) or which ones just deserve an indication of areas of interest (see point 5).
2. A relationship based on trust
The metaphor between relationship marketing and married life is inescapable.
You could say that your customers and your company are in a relationship between consenting adults that will hopefully last longer than a one-time transaction.
For the relationship to endure, everyone must abide by the terms of the contract:
- one entrusts his or her personal data and agreement to receive communications;
- the other commits himself to hold on to this data as the apple of his eye and not to communicate anything without this agreement – and, above all, not to communicate anything in case of disagreement (see our previous article on this subject).
This marriage contract is the preference center.
3. Between total consent and total refusal, propose alternative ways
The opt-down: I want this but not that
If you can’t get your customers and prospects to opt in, you can avoid the global opt out by offering a selective opt down.
Avoid the unsubscribe divorce by offering an extra level of granularity: okay, I’m sick of your event invitations but I’m willing to keep receiving your newsletters (I’m willing to keep hearing about your day at the office if you’ll dispense with Sunday lunches at your mom’s house).
This is called compromise, a real pillar of the relationship.
I need a break
Another way to avoid a break-up is to propose a temporary separation: for three, six or nine months, for example, the customer or prospect no longer wishes to receive anything but agrees to be automatically re-subscribed at the end of this period, during which he or she will have had time to “take stock” and to determine whether he or she misses your communications.
4. Collect GDPR consent by campaign type rather than by offer category
The question companies often ask is: do I need to collect consent for each family of products and services?
The answer is yes, if your company operates in silos and remains product-oriented (no judgement, right).
But it is still necessary that customers and prospects do not miss an offer that could have interested them at the time of their choice.
However, if your company is customer-oriented, your communications will necessarily be cross-functional and your messaging will often go beyond the simple framework of the offers.
In this situation, don’t lock yourself into product consent and instead ask your customers and prospects what types of communication they would prefer to receive: invitations to events, announcements about offers, feature articles…
This is the example above “GDPR consent optin optout purposes”.
This gives you the freedom to communicate about all offers or none in particular, and of course, within the chosen communication channels.
We recommend that you treat the offer categories as areas of interest, not subscriptions: the customer will be able to tick off the subjects that interest him/her without this being taken as consent in the strict sense.
5. Use Select/Yes/No lists instead of check boxes
With a checkbox (or Boolean field), the absence of an answer will be considered as a refusal.
With a value list, in addition to Yes and No, there is a third possible response: no response.
We believe that there is a significant difference between clients who have actively indicated their refusal to communicate and those who have not yet indicated their preference.
Thus, we recommend collecting consent (by communication mode, if you follow) via Yes/No lists and handling topics of interest (such as offer categories) via checkboxes (see example above).
It will be possible to send invitations to events to those who have agreed to receive them as well as to those who have not yet given their opinion, but not to those who have specified that they do not wish to receive them.
This rather flexible interpretation of the opt-in rule has been confirmed by the CNIL for business-to-business (B2B) services.
Think of your preference center with your future marketing actions in mind, and make it the basis of a win-win relationship with your customers.
Design your program and integrate it with your CRM so that your customers’ wishes are really taken into account.
In this video, you will find a lot of tips to make your preference center successful.
How Merlin/Leonard can help you with your GDPR consent issue
When we help a company create its preference center, we do it in three steps:
- On a flip chart, define the elements of the preference center: which subscriptions, which areas of interest, which possibilities for the customer to update his or her personal data, which temporary suspension periods… In this phase, it is necessary to put oneself in the customer’s shoes, while ensuring that marketing will be able to meet the expectations expressed.
- In CRM and/or Marketo, agree on the fields to be created or modified, their format and the impact of synchronization between the different systems that will use them.
- In Marketo, create the form and the smart campaigns that underlie all the actions triggered by the choices made in the preference center.
This last phase is more complicated for our international customers operating in countries, such as Germany, where the double opt-in rule is in force. In these countries, the consent of customers who have answered “yes” in the preference center will only be recorded after they have also clicked on a link in a confirmation email.
It is true that the General Data Protection Regulation was the result of an effort to harmonize the rules within the European Union. But pre-existing local rules, where they are stricter, continue to apply!
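The rules described in points 3 and 5 and in the double opt-in paragraph above can be expressed as one send decision. This is an added example, not Merlin/Leonard's or Marketo's code: the field names, the `DOUBLE_OPT_IN` country set, the sample people, and the choice to withhold sends to unanswered contacts in double opt-in countries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Consent(Enum):
    YES = "yes"
    NO = "no"
    UNANSWERED = "unanswered"


def from_select(value: Optional[str]) -> Consent:
    """Map a Yes/No select-list value; an empty or missing value stays UNANSWERED."""
    v = (value or "").strip().lower()
    if v == "yes":
        return Consent.YES
    if v == "no":
        return Consent.NO
    return Consent.UNANSWERED


def from_checkbox(checked: bool) -> Consent:
    """A Boolean field has no third state: an unticked box is read as a refusal."""
    return Consent.YES if checked else Consent.NO


# Assumption: country codes where double opt-in applies (the page names Germany).
DOUBLE_OPT_IN = frozenset({"DE"})


@dataclass
class Person:
    email: str
    country: str
    consents: Dict[str, Consent] = field(default_factory=dict)
    confirmed: frozenset = frozenset()    # types confirmed via the e-mail link
    unsubscribed: bool = False            # global unsubscribe
    paused_until: Optional[date] = None   # temporary break; sends resume on this date


def decide(p: Person, comm_type: str, today: date) -> Tuple[bool, str]:
    """Return (may_send, reason) for one person and one communication type."""
    if p.unsubscribed:
        return False, "unsubscribed"
    if p.paused_until is not None and today < p.paused_until:
        return False, "paused"
    answer = p.consents.get(comm_type, Consent.UNANSWERED)
    if answer is Consent.NO:
        return False, "refused"
    if p.country in DOUBLE_OPT_IN:
        # A "yes" is only recorded once the confirmation link has been clicked.
        if answer is Consent.YES and comm_type in p.confirmed:
            return True, "confirmed"
        if answer is Consent.YES:
            return False, "awaiting-confirmation"
        # Assumption: no send without recorded consent in these countries.
        return False, "no-recorded-consent"
    # B2B reading described on the page: unanswered contacts remain reachable.
    if answer is Consent.YES:
        return True, "consented"
    return True, "unanswered"


def audience(people: List[Person], comm_type: str, today: date) -> List[str]:
    """E-mail addresses that may receive this communication type today."""
    return [p.email for p in people if decide(p, comm_type, today)[0]]


# Constructed sample records (not real data).
SAMPLE = [
    Person("a@example.com", "FR", {"events": from_select("Yes")}),
    Person("b@example.com", "FR", {"events": from_select("")}),
    Person("c@example.com", "FR", {"events": from_select("No")}),
    Person("d@example.com", "DE", {"events": from_select("Yes")}),
    Person("e@example.com", "DE", {"events": from_select("Yes")},
           confirmed=frozenset({"events"})),
    Person("f@example.com", "FR", {"events": from_select("Yes")},
           paused_until=date(2024, 9, 1)),
    # Same "no answer" as b@, but stored in a checkbox: it collapses to a refusal.
    Person("g@example.com", "FR", {"events": from_checkbox(False)}),
]

if __name__ == "__main__":
    for person in SAMPLE:
        print(person.email, decide(person, "events", date(2024, 6, 1)))
```

Comparing `b@example.com` and `g@example.com` shows what the checkbox loses: both never answered, but only the select-list record can still be distinguished from an active refusal.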
Our other GDPR articles
GDPR: Visit of Merlin/Leonard Communications Preference Center
How to build a GDPR-compliant communications preference center with Marketo?
How to limit unsubscribes from your customers/prospects?
How to collect the consents and preferences of your leads?
We talked about it here before May 2018 and there after.
The Communications Preference Center is the cornerstone of your GDPR compliance
Question
How did Merlin/Leonard build its preference center?
The Facts
GDPR has forced companies to rethink how they handle unsubscribing and migrate to a more constructed page that allows the visitor to set their consents and preferences.
The solution
The preference center we have adopted at Merlin/Leonard aims to:
- have a tone that is consistent with Merlin/Leonard’s personality,
- allow visitors to fill in or correct their personal information (and to change their email),
- let them define their communication preferences, i.e. the topics on which they want Merlin/Leonard to communicate,
- and above all, let them specify their consents: what types of communication they authorize Merlin/Leonard to send them,
- manage a break in communications,
- let them exercise their right to information,
- let them exercise their right to be forgotten,
- and finally let them unsubscribe from all communications.
We take you on a tour of the underground of our “Giant Registry of Preferences and Rights” in this video. Enjoy the journey!
Want to find more magical ideas for your forms? Discover how to supercharge your forms!
Econocom: Marketo support boosts digital transformation
Discover how Merlin/Leonard orchestrated the deployment of the Marketo solution within Econocom, a European group expert in digital transformation. Merlin/Leonard allowed Econocom to benefit from a robust solution to initiate marketing automation and lead generation mechanisms over time. Read the feedback from Clara Guénand, marketing manager at Econocom.
The deployment of Marketo by Merlin/Leonard
Marketo is a very complete marketing automation solution… but also quite complex! To be accompanied on these subjects is essential. For Clara Guénand, who wanted to control her budget, benefit from a trusted partner and more prosaically be able to use her training budget, the support offered by Merlin/Leonard was almost an unavoidable choice.
Clara Guénand
Marketing manager at Econocom
Generate leads with marketing automation
To build a fluid mechanism to generate leads, it is not enough to equip yourself with a beautiful coach (Marketo): you must also develop your strategy, train your teams, define and refine your scoring rules, etc. Merlin/Leonard proposed to Econocom a series of 5 workshops to make the teams operational and bring them towards more autonomy with Marketo. For more details, Léonard himself – Clara Guénand’s reference – invites you to download the Econocom case study!
Want to know the secret of Merlin’s magic potion? Like Econocom, you want to benefit from Leonard’s genius to deploy Marketo in your dungeon? Start by downloading the Econocom use case.
Marketing automation project failure: how to recover?
Often poorly deployed or oversized, marketing automation tools can lead you straight into the wall, and make you spend a lot of resources for nothing. Choosing the right tool is not enough to set up an automated marketing mechanism that works… and that pays off.
The main causes of marketing automation failure
Vade retro market auto
I meet many prospects, and recently one of them invited me to discuss his problems. He gave me this speech:
“We do some marketing, push a few emails to our customer base through an emailing tool, we have a website, an in-house developed CRM. We would like to do better, listen to our customers and prospects, personalize our communications and speak up at the right time, better align our marketing and sales… But I definitely don’t want marketing automation! I have a friend who deployed a solution and it cost him a lot of money, with no return. What would be your best advice?”
I spent the rest of the interview trying to figure out what might have happened, and ended up presenting the top causes of marketing automation failure that we’ve seen on over 80 projects of all sizes.
The lack of a marketing strategy
Too often I’ve seen a marketing department “buy marketing automation” thinking it will be a panacea; a bit like “buying CRM” at the end of the 20th century thinking it would be a sales strategy.
What you should do
A good marketing strategy, a clear vision of your offers, your buyer personas and their journey, interesting and well-positioned speaking engagements, and involved sales are all prerequisites to prevent marketing automation failure.
Lack of marketing-sales alignment
Too often, I still find that my clients have two departments, marketing on one side and sales on the other, working in silos and ignoring each other.
Yet, friends of marketing, your strategy should start with a good discussion with sales to describe the people they meet every day and their problems. They know the customers and prospects best (along with customer service). Without alignment with sales, your hard-earned hot leads will fall into the moat that separates your two departments.
What you should do
If you’re wondering what marketing strategy to design, you might as well start by building one that will help sales. This involves:
- building together the profiles of your targets (the buyer personas), in relation with your different offers
- mapping out the ideal customer journey that you would like to see them follow (the buyer journey)
- identifying together the pain points, their problems, at different moments of their reflection
- It’s up to you, the marketer, to produce the right content for these pain points
- precisely define the transition process of the leads that marketing will generate towards sales: when is the transition made, what information is essential, who to pass the lead to for the first qualification…
The lack of a content strategy
The lack of a content strategy is the most common cause of marketing automation failure… And by content, I don’t mean your brochures, flyers, corporate videos or product demos.
The other mistake is to try to address all offers, all buyer personas and all customer journeys from the start, and produce content by “sprinkling” the effort. You’ll burn out and never finish any journey from start to finish.
Without a content strategy, you end up doing more and more outbound, “push” campaigns that exhaust your base and damage your brand.
What you should do
A content strategy consists in responding precisely to the irritants of your targets, all along their journey.
The lack of good marketing automation practices
Going it alone and unprepared… It’s rarer, but the consequences are usually disastrous: some customers decide to deploy their marketing automation solution alone, without putting in place the right practices.
Of course, we are not in a CRM project, the IT department does not necessarily need to be heavily involved and you can start to run your campaigns very quickly with SaaS solutions. But this does not exempt you from a little support. The most serious symptoms after one year without support are:
- an inability to measure results in terms of acquisition or influence of marketing on revenue
- Increasing waste of time (especially if the team is large)
- Increasingly frequent errors: “But why do we have two “Country” fields in the database? Which one do we use?”
Errors in scoring and the lead life cycle
The scoring program is an essential part of the marketing automation solution. It is the one that will allow you to automatically analyze the huge amount of data you will collect and transform it all into a score that is easy to analyze: the higher the score, the more the lead has interacted with you, your site, your campaigns, and seems interesting or hot. One mistake on this program and you will either have too many – falsely – hot leads, or too few.
The lead life cycle program builds on the scoring program to automatically move your leads along the path you have modeled; one mistake on this program and your leads will be misdirected, mature leads will receive end-of-cycle campaigns, customers will receive lead campaigns…
What you should do
Define scoring rules precisely and refine them over time.
Capping the marketing team’s progress
I sometimes “launch” a client on their journey into digital marketing and marketing automation, conduct the initial training, which allows the first campaigns to be put into the solution, and set up the best practices. Then, in accordance with my promise, I let the client fly on his own.
I come back a year later and the client is pretty much where I left him a year before; he’s running the same types of campaigns we did and hasn’t matured, and in particular hasn’t started an inbound marketing strategy.
The typical thought is “It’s a bit expensive to do what we do, isn’t it?”
What you should do
The journey of digital transformation and marketing automation is a long one… And you must not stop in the middle of the road: you must refine your campaigns over time, use your content strategy to offer expert content to your prospects and take care of the different interactions. Otherwise it’s sure to cost a bit to send 3 emails…
Marketing team organization problems
Starting a marketing automation project, or worse, an inbound marketing strategy without measuring the consequences on the team and the budget is a sure source of failure.
If you think…
- “We’ll put an intern in charge of marketing automation, that will be enough”, or
- “She’ll do marketing automation in addition to her tasks, she’s still got some slack” (yes, I say “she” because it’s often women I meet for operational marketing, please don’t see here any misogynistic remarks from me), or
- “For the content, we’ll work it out between us: I’ll do some and I’ll ask product marketing/consultants/production to write some too”
… you’re in for a serious setback!
What you should do
All of these situations will eventually blow up and you’ll either find yourself unable to launch your campaigns, or with a stop-and-go strategy, or worse with serious errors and misdirected emails. As far as in-house content production goes, you’ll just get bored (if that’s not your job) and stop producing it.
Yes, implementing a marketing automation solution is not a magic wand. Marketing automation is not just a tool to send emails automatically: it is part of a new strategy and a rethought organization. There are a lot of pitfalls and ways to cause marketing automation to fail. The easiest way is to start by getting (good) support… Why not call us?
GDPR: what to expect and how to prepare?
The new General Data Protection Regulation (GDPR), you’ve heard about it at the local coffee shop, in the media, everywhere on the web, in presidential speeches…
Ah, no? Then let me give you a little recap. Because if you have a marketing function, this will inevitably impact you in the next few months.
What is changing with the GDPR
On May 25, 2018, a new regulation will go into effect throughout the European Union. It aligns European countries on the subject of personal data processing and management. To the point that all companies, even non-European ones, wishing to operate on the territory of the Union will also have to comply. Beware, the penalty can be quite harsh and can amount to 4% of the company’s worldwide turnover!
The objectives of the GDPR
They are as follows (see CNIL):
- Strengthen the rights of individuals, especially minors
- To make the actors dealing with personal data accountable
- To give credibility to the regulation through sanctions and transnational processing
Personal data is information relating to a natural person (not a legal entity!) identified or identifiable directly or indirectly (with a cookie or IP address for example) by an “identifier”.
The main areas of application of the GDPR for companies
- The right to be forgotten: on a simple request, and unless there is a legitimate reason to keep them, a person can ask a company to erase his personal data. This company will also have to transmit the request to the other parties duplicating the data.
- The citizen (or lead, in our case), must also give his clear and explicit consent for the collection and processing of his data: for example, a checkbox, if it clearly and simply indicates how you will process the data. The “default” opt-in in the absence of an opt-out is therefore no longer relevant.
- Data portability: thanks to this law, people can transfer their data to another provider easily and without loss.
- Right to be informed quickly, especially in case of hacking
- Limitations on profiling: according to the official text, profiling is “any form of automated processing of personal data consisting of using such data […] to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict elements concerning the work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that person”. The law provides that such profiling can only be used if the person gives consent or if it is necessary for the conclusion of a contract, and not for discriminatory purposes.
- Protection of children and minors: parental permission is required to open an account on social networks, and the right to be forgotten granted to them is also clearer
Long story short: Privacy becomes the norm.
But then… what to do?
Don’t panic, one of the big changes is that we go from a declarative system with the CNIL to a total autonomy on the subject, from an a priori control to an a posteriori control.
You will only be controlled if a user files a complaint with the CNIL or if an internal or external fraud is detected (cyber-attack or other).
The CNIL provides six steps to prepare for the GDPR.
Appoint a Data Protection Officer
The Data Protection Officer, or DPO for the English version, is globally the new name of the CIL (Correspondant Informatique et Libertés). If you have already elected a CIL, he/she will become the DPO.
It is only mandatory for organizations whose core business is to process or collect personal data on a massive scale, and for those who hold so-called sensitive data (see www.cnil.fr).
This measure nevertheless gives you a point of contact for all subjects related to data protection. This person is in charge of informing the different actors and verifying compliance with the texts, and also serves as a relay between the company and the relevant authorities. A word of advice: appoint a DPO who is capable of playing a cross-functional role, ideally attached to general management.
Identify all personal data processing
Have a record of all the processing you do with personal data. For example, list all opt-in consents to receive content by email, all cookies collected and on which website, etc.
The CNIL summarizes it simply: Who? What? When? Where? How? Why and until when?
- Once all the processing operations have been identified, draw up an action plan to correct any missing, incorrect or poorly documented information.
Manage risks through data protection impact assessments (DPIAs)
When you conduct “risky personal data processing,” you will need to conduct an impact assessment on your data. You will often see the acronym PIA for Privacy Impact Assessment.
When the CNIL talks about sensitive data “at risk”, it means that the processing carried out on these data presents a risk to the freedoms of the persons concerned. There are three main cases:
- The data collected deals with “sensitive” subjects: religion, sexual orientation, judicial data, genetic data, biometric data, political opinions, a person’s health, etc.
- The use of profiling with legal or significant consequences for the data subject
- Data is transferred to countries outside the EU
Develop internal monitoring procedures dedicated to the GDPR
The GDPR introduces, among others, a new principle of privacy by design. This means building in, from the design stage of an application or a data processing operation, the measures that protect the personal data collected or processed.
It also includes all the steps to follow when a person lodges a complaint about accessing, correcting or deleting personal data: how to respond? Who answers? Within what timeframe?
And, as for any new internal procedure, do not forget to communicate with all the actors directly or indirectly involved in the processing of this data. Make sure that your employees know who to contact, what to do and how to react to a request or a security breach for example.
Document all of the above points
Consolidate all related files into a comprehensive file that will demonstrate your compliance with the regulations.
- The impact study if there is one
- The register of personal data processing
- All procedures in case of complaints
- The register of consents
In the event of an audit, these will allow you to prove that:
- you seek to comply with the regulations in force
- you are aware of the risks generated by your various data processing operations.
In conclusion
These six steps of the GDPR can, we will not hide it, seem quite tedious.
But when you step back, you realize that they can also be really useful:
- To clean up and clarify all the data you process
- And thus have a global view of what is happening in your database
- To review your opt-ins and unsubscribes to start again on a clean basis
- To involve and raise awareness among all the people using this data
- To anticipate the risks of cyber-attacks
An essential point to remember from this long checklist is that we are moving to an a posteriori control: no one will come to monitor you every year!
However, if a complaint is filed, the CNIL will come knocking at your door to check that you are in order. The main thing will then be to prove that you are willing to comply and that you have started to implement appropriate processes.
If you are missing a step, but you have a well-defined action plan and can show that measures have already been put in place, you should not be sanctioned.
Bottom line? Don’t panic, take your time to get clear on your data management and integrate it into your digital transformation project.
If panic rises, “keep calm and call us”!