GDPR Compliant Marketing Automation

The EU-US Privacy Shield is a framework designed to let US entities lawfully transfer the personal data of EU citizens to American soil in compliance with European privacy requirements. Up to now, it has allowed US corporations such as Salesforce and HubSpot to operate with minimal impact to their businesses despite tightening EU privacy regulations, but its validity is being called into question by the European Commission. The Swedish Government Procurement Office went as far as stating that “the use of services delivered by US controlled entities is in breach of GDPR.”

All of the major players in marketing automation, including HubSpot, Salesforce Marketing Cloud (SFMC), and Marketo are owned and operated by US companies. If you are a European firm who currently uses one of these platforms for marketing automation and CRM lead management, you should know that your data is being stored and replicated across the vendor’s US-based data centers.

While it doesn’t seem like the European Commission is immediately cracking down on using US-based email marketing services, savvy marketers in Europe are preemptively moving to EU-based services and software platforms. If the Privacy Shield agreement between the EU and US actually unravels as feared, the local authorities in Europe could take a much dimmer view towards using platforms such as SFMC, HubSpot, and Marketo.

Mautic is the only self-hosted marketing automation platform that can replace most of the functionality of SFMC, HubSpot, and Marketo, including lead scoring, automation, and CRM integration. It is fully open source, so the code is public and the community can review it for hidden backdoors. With Mautic, the entire system remains under your organization’s exclusive control, so no third party can data-mine your marketing data without explicit consent from your contacts.

Complying with GDPR using Mautic (for Marketing users)

Under the GDPR, a contact is known as a data subject. As with other privacy legislation around the world, such as Canada’s CASL, data subjects must provide express consent to “opt in” and receive email communication from you. The checkbox must not be pre-filled, and the consent must not be bundled with terms and conditions or a privacy notice.

Consent to data collection

Using a Mautic custom field, add a Select or Boolean field that records the contact’s consent to receive communications. To add or modify custom fields, click the “gear” icon in the top-right corner of the Mautic dashboard, then click “Custom Fields.” For example, you could name this field “GDPR Consent” or “GDPR Opt-in.”

For the label, it is preferable to be more specific than “I agree to opt-in.” GDPR arguably requires the data subject to consent to the specific purpose for which their data is processed, such as “I agree to receive order updates by email” or “I agree to opt-in to the email newsletter.” You may not send marketing emails to a contact who only consented to receiving transactional emails for a one-time transaction.

If your organization communicates with data subjects for different purposes, create as many custom fields as you need to record consent for each purpose separately.

Create or modify an existing Mautic form and add a “Checkbox group” field, typically above the submit button.

General tab > Label = “GDPR Consent”
General tab > Show Label = No
Contact Field tab = Select “GDPR Consent” from the dropdown.
Validation tab > Required = Yes
Properties tab > Use assigned contact/company field’s list choices. = Yes
Behavior tab > Show when value exists = “No”

Right to be Forgotten

The GDPR right to be forgotten means that data subjects may request that their personal data is completely deleted from the database. To comply with this aspect of GDPR using Mautic, create a Boolean custom field that indicates the contact made a “Request to be forgotten.”

You can create a single Mautic form that handles both the “Right to View Data Collected” and “Right to be Forgotten” requests as we have done here.

After the user clicks Submit, the message displayed could read something like “We have received your request. If you requested to view data collected, we will be in touch by email. If you requested to be forgotten, you will be removed from our contact database.”

To customize this text, select “Display message” as the Successful Submit Action in the Details tab of the Mautic form builder, and specify the desired text in the Redirect URL/Message text box displayed.

“Right to be Forgotten” requests can be fulfilled automatically using a Mautic segment and campaign. Create a Mautic segment whose filter selects contacts whose “Request to be forgotten” field is set to Yes.

Then create a Mautic campaign with the Contact Source as the newly created “Request to be forgotten” segment and an Action to “Delete Contact.” Select Execute this Event “immediately” in the pop-up pane that shows to configure the “Delete Contact” action.

Close the Campaign Builder, make sure the campaign is set to Published “Yes”, then click “Save & Close.”

Right to View Data Collected

The GDPR right to view data collected means that data subjects may request, at any time, a copy of all the personal data you have stored about them in your database. To comply with this aspect of GDPR using Mautic, create a Boolean custom field that indicates the contact made a “Request to view data collected.”

Create a Mautic segment whose filter selects contacts whose “Request to view data collected” field is set to Yes, to aggregate all of the contacts who requested to view the data collected about themselves.

Create a Mautic campaign form requesting the contact’s email address (to identify them, and to send them the requested data) with a form action to “Send form results” to the inbox of the employee responsible at your organization for processing GDPR requests.

The GDPR requires you to process requests for data on a timely basis, but no specific timeframe is specified. Since the process is manual, it would be reasonable to process it within a few days. When you receive such a request, navigate to the contact’s record in Mautic and click “Export” from the dropdown arrow in the top-right corner. Finally, email the exported CSV file to the contact as an attachment to fulfill the “Right to view data collected” request.
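The consent, “Right to be Forgotten” and “Right to View Data Collected” procedures above all reduce to the same logic: a per-purpose consent check, a segment filter on a Boolean custom field, and a campaign action (delete or export). This added example models that logic offline in Python; it is not Mautic’s code, the field aliases and contact records are constructed for illustration, and the CSV export stands in for the “Export” button on the contact record.

```python
"""Offline model of per-purpose consent and data-subject requests as configured in Mautic above."""
import csv
import io

# Hypothetical custom-field aliases; one consent field per communication purpose.
CONSENT_FIELDS = {
    "newsletter": "gdpr_consent_newsletter",
    "order_updates": "gdpr_consent_order_updates",
}
FORGET_FIELD = "request_to_be_forgotten"
VIEW_FIELD = "request_to_view_data"


def may_send(contact: dict, purpose: str) -> bool:
    """Consent is purpose-specific and never assumed: only an explicit True counts.
    A missing field (contact never saw the form) or any other value means no consent."""
    return contact.get(CONSENT_FIELDS[purpose]) is True


def segment(contacts: list, field_alias: str) -> list:
    """Equivalent of a Mautic segment filter '<field> equals Yes'."""
    return [c for c in contacts if c.get(field_alias) is True]


def export_contact(contact: dict) -> str:
    """Equivalent of Export on the contact record: every stored field, as CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(list(contact.keys()))
    writer.writerow(list(contact.values()))
    return buf.getvalue()


def process_requests(contacts: list) -> tuple:
    """Run the two 'campaigns'. Exports are produced before deletions so that a
    contact who asked for both still receives a copy of their data."""
    exports = {c["email"]: export_contact(c) for c in segment(contacts, VIEW_FIELD)}
    forget = {c["email"] for c in segment(contacts, FORGET_FIELD)}
    remaining = [c for c in contacts if c["email"] not in forget]
    return exports, remaining


# Constructed sample contacts (not real data).
CONTACTS = [
    {"email": "alice@example.org", "gdpr_consent_newsletter": True,
     "gdpr_consent_order_updates": True, FORGET_FIELD: False, VIEW_FIELD: True},
    {"email": "bob@example.org", "gdpr_consent_newsletter": False,
     "gdpr_consent_order_updates": True, FORGET_FIELD: True, VIEW_FIELD: False},
    {"email": "carol@example.org"},  # never submitted the form: no consent of any kind
]
```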

Complying with GDPR using Mautic (for Mautic administrators)

The open source, community edition of Mautic can be completely hosted in a European owned-and-operated datacenter, avoiding potential issues if the EU-US Privacy Shield is invalidated for companies such as Amazon Web Services, Microsoft, and Google.

If you are already using the hosted version of Mautic Cloud sold by Mautic.com, or currently have your Mautic instance hosted with a US-based cloud provider, our team can help you migrate to a GDPR-compliant cloud in the EU/EEA.

Self-hosting Mautic should be the only option you are considering as a European data controller, who bears the most responsibility under the GDPR for safeguarding data subjects’ personal information. Choosing a data processor (i.e. cloud computing platform) that is established in Europe gives you the peace of mind that data is safeguarded based on changing EU standards.

OVH (France), Hetzner (Germany), and UpCloud (Finland) are our top recommendations for hosting Mautic on the public cloud or a VPS in the European Economic Area (EEA). OVH Public Cloud has regions across Europe in France, Germany, Poland, and the UK. Hetzner Cloud has a datacenter in both Germany and Finland. UpCloud has servers in Finland, Germany, Netherlands, and the UK.


When you self-host Mautic, you fully control how data is stored, who has access to it within your organization, what types of encryption you use, and when data is deleted (e.g. to honour “Right to be Forgotten” requests).

As a self-hosted solution, Mautic requires a third-party email gateway to send email to the contacts in your database. To keep the entire marketing automation system within Europe, we highly recommend the French provider Mailjet, which supports callbacks that deliver bounce notifications to Mautic.

Do not worry if your organization doesn’t have the IT expertise to set up, configure, and maintain a Mautic server. Autoize is the leading consulting and support company for Mautic open source marketing automation. Contact us using the form and we would be pleased to discuss your requirements.