Mautic and GDPR

By DB Hurley · PUBLISHED April 26, 2018 · UPDATED April 26, 2018

Originally published: http://dbhurley.com/mautic-and-gdpr

One of the hottest topics circulating the internet these days is the GDPR, the new European legislation that comes into effect on May 25, 2018. Companies of all sizes are watching closely what it means for them and taking a hard look at their software to see what is affected. Given the hefty fines, this scrutiny is completely understandable. Mautic, as an open source marketing automation platform and community, shares these concerns, possibly to a higher degree than most: hundreds of thousands of businesses run Mautic, and our software powers their marketing automation and customer data collection.

As a result, Mautic is highly interested in not only understanding but also complying with any and all new regulations that promote openness and transparency. Interested isn’t really the right word; actively engaged is closer. We are dedicated to ensuring that our software not only complies but stands out as a model by which others gauge their own implementation.

Before I get too far into those details, let me give a very brief refresh on what GDPR means and what it represents.

GDPR

GDPR, or General Data Protection Regulation, is a new European regulation that governs the protection of personal data of individuals in the European Union and the rights those individuals have over that data. [Read more](https://www.eugdpr.org/)

## Four basic user entitlements
1. Every individual is entitled to know what data a business keeps about them, why it is kept and for how long it is stored.
2. Every individual has the “Right to Access” their own information and data.
3. Every individual has the “Right to Data Portability” of their information (they can request a copy of their data as it is stored).
4. Every individual has the “Right to be Forgotten” (they can request that a business correct, or permanently delete, any stored data about them).

Now you may be one of the shrewd ones and have noticed a specific word in the definition above: that’s right, the word European. But if you’re reading this from the US, you’re not off the hook just yet. Keep reading.

This new regulation is not limited to European companies, and citizenship is not the test. It applies to any organization established in the EU, and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals who are in the EU (Article 3). US companies must therefore abide by these rules for any and all customers, contacts and accounts they handle that are in the European Union.

Personal Data

There is one last aspect of the GDPR we need to consider before getting into specifics: what is personal data? The GDPR is concerned with data, so obviously we need to understand what that data is, and this is where things get a little muddy. Ordinary contact details (name, email address, postal address, phone number) are personal data, and for a marketing database they are the bulk of it. Beyond those, here is a short list of the most commonly recognized types of information that fall under this regulation; several of them are treated by the regulation as special categories with stricter rules.

  • Online identifiers (IP addresses, mobile device IDs, browser information, MAC addresses, cookies, account IDs and other system-generated data that can identify a user)
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union memberships
  • Health data
  • Sex life or sexual orientation
  • Past or spent criminal convictions
  • Genetic & biometric data
  • Location data
  • Pseudonymized data

Whew, what a list! Now that we have a handle on what the GDPR is about, at least at a high level, and you may be sufficiently uneasy about your current software, I want to share how Mautic as a product can already be configured to comply, and how it will continue to take the most proactive approach to these new guidelines.

Dual Approach

Based on the four entitlements listed above, let’s look at a Mautic configuration that satisfies them. Two paths were open to Mautic, and my desire was to set a precedent for our community, our product and the entire marketing automation space. As I dug into this issue I met with more people in our community and in business than I could mention, to get a better understanding of the regulations and their implications myself. I am excited to share the conclusions I’ve come to. And of course I’m always interested in more discussion on the subject and welcome the opportunity to chat with anyone who has questions, ideas or thoughts on it. It’s an important one.

Okay, with all that said, let’s dig in. As I mentioned, there are two paths we can take. The real trouble lies in the uncertainty I alluded to earlier when I mentioned the “muddy” aspects of the data. There is a balance to strike: Mautic should be proactive and a leader in implementing these new guidelines, but time spent on unclear work, or without good direction, is wasted, and the time of our community developers is far too valuable to waste.

To make the best use of our community developers’ time and resources, I believe the smartest strategy is a dual-prong approach. This is exciting because Mautic can be configured for the GDPR today with just a few simple steps.

Instant GDPR Compliance

This dual-prong approach involves an immediate step and a longer-term software enhancement. The first step is quick and relatively painless: with a few simple changes to how you set up your Mautic instance, you can meet the four entitlements above today.

Here’s all you will need to do:

  1. First, plan how you will convey and collect explicit consent for data collection. This is usually done through a Focus item in Mautic, and you may already be doing it for cookie consent, in which case you may only need to modify the wording of your existing Focus item.
  2. Create two new segments in Mautic, named Request to be Forgotten and Data Requested.
  3. Create a new form that lets an individual submit their name and email address and select what they are requesting (Request for Data, Request to be Forgotten).
  4. After each submission, add the contact to the matching segment and confirm that the request really comes from the person whose record it is (for example by confirming through the email address already on file; without this check, anyone who knows an address can have that record deleted or exported). Then either delete the contact from the database or export their record to a CSV.
  5. Notify the individual of the action taken.

One of the biggest (and simplest) mistakes I hear is people getting caught up in thinking this process needs to be instantaneous. Each request does need to be handled promptly (the regulation requires a response without undue delay and at the latest within one month of receipt), but nothing says it has to be automated. To the best of my understanding, the five-step process above gives you a GDPR-compliant Mautic! Congratulations, you can sleep a little easier.
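For those who do want to script the lookup, export and deletion behind step 4, here is an added example (my own code for this page, not part of Mautic or of the original post) that handles a "Request for Data" or "Request to be Forgotten" submission against Mautic's REST API with the identity check built in: nothing happens until a one-time token mailed to the address already on file is presented back. It assumes the REST API is enabled with HTTP basic auth, that contacts can be searched with `GET /api/contacts?search=email:<address>` and removed with `DELETE /api/contacts/<id>`, and that a contact's field values sit under `fields` -> `all` in the returned JSON. The token scheme, the audit log, and the offline stand-in API with its constructed sample contacts are this example's own design; `MauticApi` is the only part that talks to a server, and `demo()` runs the whole flow against the stand-in.

```python
# Added example (not Mautic's code). Assumed Mautic REST API details: HTTP basic auth,
# GET /api/contacts?search=email:<addr>, DELETE /api/contacts/<id>, fields under "fields"->"all".
import base64, csv, hashlib, hmac, io, json, secrets, time, urllib.request
from urllib.parse import quote

TOKEN_TTL_SECONDS = 24 * 3600   # how long a confirmation link stays valid (example choice)


class MauticApi:
    """Minimal client for the two endpoints used here (assumed HTTP basic auth)."""
    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {cred}", "Accept": "application/json"}

    def _call(self, method, path):
        req = urllib.request.Request(self.base_url + path, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def find_by_email(self, email):
        data = self._call("GET", "/api/contacts?search=" + quote(f"email:{email}"))
        return list(data.get("contacts", {}).values())

    def delete(self, contact_id):
        self._call("DELETE", f"/api/contacts/{contact_id}")


class FakeMauticApi:
    """Offline stand-in with constructed sample contacts, so the example runs without a server."""
    def __init__(self):
        self.contacts = {
            47: {"id": 47, "fields": {"all": {"email": "ana@example.org", "firstname": "Ana", "city": "Lisbon"}}},
            48: {"id": 48, "fields": {"all": {"email": "bo@example.org", "firstname": "Bo", "city": "Berlin"}}}}

    def find_by_email(self, email):
        return [c for c in self.contacts.values() if c["fields"]["all"]["email"].lower() == email.lower()]

    def delete(self, contact_id):
        self.contacts.pop(contact_id, None)


def contacts_to_csv(contacts):
    """Data portability: one CSV row per contact, columns taken from the contacts' field values."""
    columns = sorted({k for c in contacts for k in c["fields"]["all"]})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id"] + columns)
    writer.writeheader()
    for c in contacts:
        writer.writerow({"id": c["id"], **c["fields"]["all"]})
    return buf.getvalue()


class RequestDesk:
    """Records form submissions, confirms the requester controls the mailbox, then acts and logs."""
    def __init__(self, api, send_mail, now=time.time):
        self.api, self.send_mail, self.now = api, send_mail, now
        self.pending = {}   # request_id -> details plus the hash of a one-time token
        self.audit = []     # what was done and when; the subject is kept only as a hash

    def open(self, kind, email):
        """Form submitted: mail a one-time token to the address on file; act on nothing yet."""
        if kind not in ("export", "forget"):
            raise ValueError("unknown request kind")
        if not self.api.find_by_email(email):
            return None     # the UI shows the same "check your inbox" text either way
        request_id, token = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.pending[request_id] = {"kind": kind, "email": email, "opened": self.now(),
                                    "token_hash": hashlib.sha256(token.encode()).hexdigest()}
        self.send_mail(email, f"Confirm your {kind} request: id={request_id} token={token}")
        return request_id

    def confirm(self, request_id, token):
        """Link clicked: constant-time token check, single use, TTL, then export or delete."""
        req = self.pending.get(request_id)
        if req is None:
            return {"ok": False, "reason": "unknown request"}
        if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), req["token_hash"]):
            return {"ok": False, "reason": "bad token"}
        self.pending.pop(request_id)   # one-time use, whether or not it has expired
        if self.now() - req["opened"] > TOKEN_TTL_SECONDS:
            return {"ok": False, "reason": "token expired"}
        contacts = self.api.find_by_email(req["email"])
        if req["kind"] == "export":
            result = {"ok": True, "csv": contacts_to_csv(contacts)}
        else:
            for c in contacts:
                self.api.delete(c["id"])
            result = {"ok": True, "deleted": len(contacts)}
        self.audit.append({"kind": req["kind"], "when": self.now(), "contacts": len(contacts),
                           "subject": hashlib.sha256(req["email"].lower().encode()).hexdigest()[:16]})
        return result


def demo():
    """Run both request kinds end to end against the offline stand-in and return what happened."""
    outbox, api = [], FakeMauticApi()
    desk = RequestDesk(api, lambda to, body: outbox.append((to, body)))

    def last_token():
        return outbox[-1][1].split("token=")[1]

    rid = desk.open("export", "ana@example.org")
    bad = desk.confirm(rid, "not-the-token")             # rejected; the request stays pending
    export = desk.confirm(rid, last_token())
    rid = desk.open("forget", "ana@example.org")
    forgotten = desk.confirm(rid, last_token())
    replay = desk.confirm(rid, last_token())             # the same link cannot be used twice
    unknown = desk.open("export", "nobody@example.org")  # no record: no mail, nothing to act on
    return {"bad": bad, "export": export, "forgotten": forgotten, "replay": replay,
            "unknown": unknown, "remaining": sorted(api.contacts), "audit": desk.audit}
```

The points worth copying even if you handle requests by hand: the submitted address only locates the record, and the export or deletion runs only after the mailbox owner confirms; the token is compared in constant time, expires, and works once; and the audit entry records what was done without re-storing the personal data that was just erased. To run this against a real instance, replace `FakeMauticApi()` with `MauticApi("https://mautic.example.com", user, password)` (the URL is a placeholder) and wire `send_mail` to your mailer.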

GDPR Mautic Software Improvements (Future)

Of course, being compliant in this manner is only the first phase of the two-phase strategy. The second involves modifications and improvements to the Mautic software itself. While this is yet to be fully determined, I can share a few ideas that have been circulating.

  1. New configuration section for GDPR.
  2. Configuration options that add the necessary acknowledgement checkboxes to forms automatically.
  3. A semi-automated contact deletion process

This is just for starters and only a few thoughts I’ve had as I’ve listened to some of our European community members share their concerns and their ideas. As I stated earlier, I would love to speak with you and continue this discussion. Mautic is committed to being a leader in this regard and demonstrating to others how GDPR compliance should be handled. *We have the knowledge of a global community and the power of a flexible and open source development platform enabling us*. Our software can be proactive and can demonstrate how others should approach GDPR compliance. I trust this helps; join our Slack channels to learn more and make your voice heard.

Comment

sushlingo

Thank you for this post. Good to hear about your efforts in this area. I still wonder if you will update your self-hosted open-source version with a proper implementation of an easy-to-use double opt-in process soon?
Philip

My perspective from here in the UK is that it's not quite as clear-cut as you are suggesting. The guidance from the UK Information Commissioner's Office paints a more complex picture. I understand that consent is only one of the legal grounds on which you can process personal data and send marketing messages to people. In some cases you don't need consent. In some you do. For some types of recipient an opt-out is acceptable but for others they have to opt in. In some countries they insist you implement a double opt-in process. If you are working in Europe or selling into Europe, I think you really need to take the time to understand what you are and aren't allowed to do in the context of your own business and customers. And do bear in mind that the new e-privacy regulations haven't been released yet.
Analytics Expert

This is a really good article. From my understanding, people who use Mautic need to do 4 things: 1) Update their privacy policy so that it states what type of data gets stored (according to the section "Personal Data" from this post); 2) Add a checkbox to every form which should state that the user grants us permission to store the information he entered in the form according to our privacy policy; 3) Create a new contact field (i.e. GDPR consent) in Mautic that will store this consent when the form is submitted; 4) As the post explained, we need to create a list of "Right to be forgotten" users and a form for users to be submitted to that list. If I forgot or understood something wrongly, please share your comment.
Ian

This is so extremely helpful, love the simplicity. Can't wait for the updates, love that Mautic is being proactive about this!
martin

A focus element unfortunately is not enough; the visitor should also be able to decline and disable cookies. Focus items do not offer this option.
Holger Theymann (Eigene Homepage erstellen)

Nice approach. Will double opt-in also be on your agenda? Starting my website with Mautic integration for European users, it would be a great help to have a simple integration of the double opt-in process, which I otherwise have to implement for each segment again and again :( I really love Mautic and I am looking forward to Mautic becoming compliant with EU regulations in an easy-to-manage way :)
Tony Hegewald

Hi guys, thanks a lot for this post and the thinking about GDPR compliance. From my work with other marketing tools, I got some insights into what GDPR compliance can look like. One challenge is the detailed permissions for different channels. So a user can accept the usage of his data for specific purposes only, depending on the given agreement. So I would love to have something like an overview of given permissions divided by phone, email, direct mailing, Twitter and so on. Every permission with a separate date and source channel assignment. It would be nice to segment the contacts who did not give an email permission but a direct mail permission instead. Another idea is to have a report of all data of a contact (including visited pages and so on) in addition to the deletion process. The last (and probably most complex) idea is different behavior depending on the contact's origin country. So I want to choose between implicit and explicit permissions depending on the country. In a campaign Mautic will use all the contacts from e.g. Germany only with an explicit permission and all Australian contacts with explicit or implicit permissions. Just some ideas to think about. Have a great day! Tony
Michael Stark

Can't wait to see this feature in Mautic so I can finally use it in Europe!