Pardot and GDPR Compliance

Do you know what to do with Pardot and GDPR compliance? What does it mean? Does it impact you? If you collect any information about your website visitors and some of those visitors are from Eurpe, then yes. GDPR applies to you. 

GDPR has a large reach

More than a big buzzword, GDPR stands for General Data Protection Regulation. It is a regulation enacted by the EU Parliament on 14 April 2016. In brief, it is a data privacy regulation which governs how companies collect and store data about EU residents.

It affects companies outside the EU

It is tempting to assume it does not affect you, because you or your company do not operate in the EU.

Do not make that mistake.

The GDPR has a longer reach than any other privacy regulation to date. It states that it applies to the personal data collected about any of the data subjects residing in the Union.

It specifically mentions that this rule will apply even if you do not have a business presence in the EU:

The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.

This means that if your database contains any details about residents of the EU, you are subject to this regulation.

The overarching theme of GDPR

In layman’s terms, the GDPR boils down to one concept: People own their data. Not companies.

Following that theme, the regulation also declares the following Data Subject Rights:

  1. Breach notification. Companies must inform customers of data breaches within 72 hours of becoming aware of the breach.
  2. Right to access. Individuals must be allowed to see what data a company has on them, and the company must provide it in a digital format (this goes to the right to data portability below).
  3. Right to be forgotten. Individuals can request that the company delete the data about them.
  4. Data Portability. Companies must provide data to an individual in a ‘commonly used and machine readable format.’
  5. Privacy by Design. Companies are obligated to design their data collection systems with data protection in mind, and to limit the amount of data collected to only data absolutely necessary, and limit access to personal data to only the people who need to have access to it.
  6. Data Protection Officers. Establish individuals responsible for data, who are to train others on security protocols and more.

Pardot and GDPR

How are Pardot customers affected by GDPR?

Pardot has released a page outlining what their customers should know about Pardot and GDPR: https://www.salesforce.com/gdpr/pardot/

This page outlines how Pardot addresses the Data Subject Rights, and also contains a mini checklist you can take to your internal stakeholders to develop a plan around the data you collect in Pardot and process for your marketing efforts.

Pardot and the Right to Be Forgotten

Long-time Pardot customers will wonder how Pardot is complying with the Right to be Forgotten.

Pardot has always said that ‘delete’ in Pardot actually means ‘Send to Recycle Bin’ and that nothing is ever truly deleted in Pardot.

The good news is that times have changed, and now you can permanently delete someone from Pardot. Simply open a support ticket with the Pardot Support team, and they can permanently delete the Pardot record for you.

Much more to Pardot and GDPR compliance

This is only a small look at how Pardot is affected by GDPR. There are many more issues at stake, and we will take a closer look in future posts.

Need assistance with Pardot and your company’s GDPR compliance efforts? Contact us for a GDPR plan.