• Emily Malone

Our GDPR-compliance action plan

The GDPR comes into effect a mere 23 days from now, so in the name of transparency — and perhaps to even help you form your own plan — we thought we’d share what we’ve been up to behind the scenes to make sure we’re GDPR-ready.

In a nutshell, The GDPR is all about giving our contacts the ongoing choice and control about how we use their data. Learning about this wasn’t easy; there was a helluva lot of research involved — including a really great GDPR training course. Once we’d gathered all the information we needed and applied it to our own business, we created a handy Trello board titled ‘GDPR Compliance Action Plan!’, y’know, just to give it a little pizzazz. Oh, and we even made memes…


We set this plan out into 4 sections:

Salesforce CRM

Salesforce is where we store all of our data. There were a number of tasks we needed to complete to make sure we’re GDPR compliant. Luckily, Salesforce has some pretty handy tools to help support this.

First, we needed to do an audit to make sure the data we’re keeping is both legitimate and secure. As we suspected, there were some older contacts in there which we’d not done business with for a few years and wouldn’t legitimately need to hold. We needed to decide how we were going to regularly clean up our database, and what information we would legitimately need to keep.

As per the GDPR legislation, we decided we’d securely delete all contacts that we have no legitimate business reason to hold or store data on. By this, we mean anyone who we no longer do business with and don’t subscribe to our marketing communications.

This means we also needed to set out how long we retain a customer’s data for. It was decided that we’d securely delete old accounts and contacts that we’ve not done work for in the past five years. Why five years? Because due to invoicing, that’s how long we have legitimate business reason to keep data for.

On top of this, any contacts linked with accounts that we’ve never landed work with, but who have still been in the database for over two years will also need to be securely deleted. These might be people who have contacted us via a form on the website, for example, but didn’t quite get to the purchasing decision.

We monitor who enters data into the CRM, and how that data gets entered, and we’ve also chosen who is responsible for keeping our data clean and tidy. However, just because we have an individual’s information in our database, doesn’t mean we can send marketing communications to them. We’ve always needed our contacts to actively opt-into receiving our blog updates or newsletter, but now it’s time to really be certain. That’s where marketing comes into the bigger GDPR picture.


First, we wanted to make sure that everyone in our newsletter list has consented to be in that list. To do this, we sent out a permission passing email asking them to actively opt in. Sigh. I know, I know, these emails are filling up everyone’s inboxes right now, but they are necessary. We combined it with our regular monthly newsletter by embedding a CTA which, when clicked, would set their contact property to ‘Newsletter Subscriber’ when clicked via an internal workflow. This made it really quick and easy for our subscribers to tell us they still wanted to keep receiving our monthly newsletters. The response was fantastic, and we’re now totally confident that we’re honouring our contacts’ wishes.

We then set up a Pardot campaign for all of our contacts, to give them the option to let us know what actions they’re happy for us to take with their information. We wanted to do this to respect their data and show them how easy it is to select their preferences. This was basically an email linking to a landing page with these three options:

  1. You consent to your information being stored in our Salesforce database for legitimate business reasons (such as for a project we’re working on together or a future project you might need our help with) and marketing communications (like our blog subscription or monthly newsletter subscription)

  2. You consent to your information being stored in our Salesforce database for legitimate business reasons only

  3. You do not consent to your information being stored in our Salesforce database, and you’d like for us to securely delete you from it.

After our contacts select their preference, Pardot automatically pings this over to Salesforce, adding them to three lists; one for each option. This then creates a task in Salesforce to make sure the records in each list are updated (or are removed from our database) by GDPR-day.

While we set up this permission pass campaign, we also did a review of our current privacy notices to ensure that they align with requirements under GDPR before it takes effect. To be totally transparent, we’ve now stated where, how, and why we store certain data, and what that data is. We’ve also stated how long we keep that data for, the data which we will never store, and the rights of our contacts regarding their data. You can see our updates to this right here!

On top of this, we needed to state how we use cookies on the site, which luckily, we’d already done. However, before we’d simply slapped the classic ‘by using our website, you accept the use of cookies’ statement on our privacy policy, which is now a big ol’ NOPE. Under The GDPR, inaction is not consent, so we’ve now given our visitors the option to accept or reject cookies when they first visit our website.

Lastly, we made sure that it’s as easy as it is to opt-out as it is to opt-in, and that all of our forms have a link to the privacy policy. We also ensured that all checkboxes aren’t pre-ticked for opting into our newsletter and blog subscriptions.

oe:gen HR

Internally, we’re going to provide an induction on The GDPR for any new employees as we grow. This is so the whole team is up-to-speed with the new legislation. We’re also working on a letter for each member of the oe:gen team stating what info we have on them, where it’s kept, and for what purpose — just to make sure the team is aware and personal files are up-to-date.

Client data

We’re currently drawing up some lovely contracts between us (the processors of our clients’ data) and our b2b clients (the controllers of the data they hold) for the times where we might process their data for them. This is so everyone’s on the same page about their certain obligations, responsibilities and liabilities, and so both parties can demonstrate how they’ll be GDPR-compliant.

This contract is really important, even though it’s rare that we handle and process a client’s data for them. This only really happens if a client has asked us to migrate their existing data over to a new system which we’ve built for them — but even then, we always try to use test-data in our build and train our clients on the process of data-migration.

So there we have it! Once each task on our Trello board has been ticked off, we’ll be GDPR-ready. Our plan might not be right for your business, but it could give you some ideas on how to start forming your own. If you need any guidance on what you can and can’t do when the new legislation hits, there are so many resources out there to help. Why not see our related articles below to get started?

Related blogs:

  1. Why the GDPR is the best thing to happen to your email marketing

  2. GDPR tip: How to create Individual records in Salesforce

  3. Salesforce Community Cloud and GDPR