**This blog was first published in June 2017, and has been updated in August 2018**
Disclaimer: This web page is neither a complete resource on GDPR nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. This web page is designed to provide you with background information in relation to GDPR, as well as the features and tools added by HubSpot to help on the road to compliance. This information is not the same as legal advice.
What is the GDPR?
Now in force, as of May 2018, the General Data Protection Regulation (GDPR) is the most important change in data privacy and data management in the last 20 years.
More than 200 pages long, GDPR aims to unify and strengthen data privacy laws across Europe; formalising concepts such as the ‘right to be forgotten’ and giving EU citizens complete control over their personal data online. A bold ambition by any standard.
Essentially, what this means is that companies have to be more transparent with what they do with personal data, while we, as individuals, have more control over the information we provide. This is a big change for marketers, because in order to keep the ability to re-market to individuals, send out automated emails and target particular audiences, we have to refine our data based upon our contacts that have ‘opted-in’.
Severe penalties await those who fail to adhere to GDPR – you’ve been warned. Businesses that suffer a data breach and have not complied with GDPR could incur a penalty of 4% of global turnover or €20 million, whichever is greater. Ouch! Also, under GDPR, the country’s Data Protection Authority (DPA), which for the UK is the Information Commissioner’s Office (ICO), must be informed of data breaches within 72 hours of them being detected – so no more burying your head in the sand and praying nothing leaks out.
Does the GDPR apply to me?
GDPR applies to any businesses that operate within the EU or process the data of EU citizens; it does not matter if your business is based in an EU state or not.
If you are struggling to work out what GDPR is – and what it means for your business, check out our frequently asked questions and get the answers you need.
Finally, if you are looking for the final GDPR text, you can find it here.
So, how does the GDPR affect HubSpot users?
While GDPR may be a headache for some marketers, it’s mostly business as usual for those using HubSpot.
Think about it; under GDPR marketers need to receive clear, unambiguous consent from those they are marketing to if they want to engage with them – and there must be a detailed trail of consent.
For HubSpot users, we have been doing most of this all along.
Unlike interruptive marketing methods which demand people’s attention, Inbound Marketing is about earning people’s attention. Synonymous with permission marketing, where you earn the consent of the individuals you market to, Inbound Marketing is about providing valuable, helpful content which addresses the problems and needs of your future or existing customers, pulling them towards your company and product/services.
As you attract these individuals, you convert them into leads using forms, calls-to-action and landing pages on your website using high-quality ‘gated content’. Throughout the Inbound process, every exchange has been consensual and can be easily tracked through the HubSpot platform.
To make it easier for you and your team to comply, HubSpot has developed and added a number of new GDPR-related features to the software, including a standalone 'GDPR' function.
To turn on GDPR, you need to go to your HubSpot account settings. Click the settings icon (the cog at the top right) on the main navigation bar, then select Account Defaults. Under Lead revisit notifications you will see ‘EU General Data Protection Regulation (GDPR)’; switch it on.
To only send emails to contacts with an updated lawful basis to communicate, check the ‘only send to contacts with an updated lawful basis to communicate’ box and then click save. However, we would only recommend that you tick this box if you have updated all the contacts in your portal with a lawful basis to communicate.
(Note: if you have already rolled out custom fields to capture consent pre-GDPR, you will have to update them.)
Once GDPR is enabled, you will have a cookie consent banner, the GDPR delete functionality, email send notices for non-opted-in contacts, banners on contact records that notify you if a contact does not have a lawful basis for processing, GDPR-ready forms, unsubscribe links turned on by default, and much more.
Next, disclosing your cookie practices.
Disclosing your cookie practices
Under GDPR, cookies are considered to be 'personal data' – and as GDPR provides individuals with more control over their personal data, you will need to revisit your cookie practices.
GDPR also states that implied consent is no longer enough – website visitors must make an 'affirmative action' to signal their consent; whether this is clicking a box that says "yes" or one that says "no" to opt out. If there is no free choice – i.e. the ability to opt in or out, then there is no valid consent (no more pre-ticked boxes on forms).
Also, you cannot bundle your 'opt-in' consent; for example, if someone opts in to receiving more information about the products and services you provide you cannot then start sending unrelated marketing collateral to them. Specific consent must be obtained for each marketing activity and you must convey, in detail, what you will be providing individuals with should they opt-in.
As long as fair notice is given beforehand and the option to opt-out is always available, you will be fine under GDPR.
HubSpot has added functionality that allows you to capture a visitor’s consent for cookie tracking, as well as the ability to show different versions of your consent banner on different website pages – which is particularly useful if your business operates across multiple regions.
We would suggest that you update your cookie settings accordingly if you haven’t already.
Get your data capture in order
Determine your legal basis for storing new and existing contacts
Under GDPR, you need to have a legal reason for using and processing someone’s data. You must also keep records of consent and evidence for other lawful purposes of processing. There are six legal bases for processing: consent, contract, legal obligation, vital interests, public task, legitimate interest.
In HubSpot, lawful basis has been broken down into two broad categories – lawful basis both to process (e.g. store data in your CRM or provide content requested) and to communicate (e.g. send a contact a marketing email or have a sales call with them). It’s possible to have one lawful basis and not the other – for example, you might be able to process but not communicate.
To help you, HubSpot has added a contact property called ‘Legal Basis for Processing’ which allows you to collect, track and store the lawful basis of processing for your contacts. This property can be set manually, via automation, upon form submission or on contact import.
In the property, you have five default property options – legitimate interest (prospect/lead), legitimate interest (existing customer), performance of contract, freely given consent from contact and not applicable.
As for lawful basis to communicate, that will be done using the new subscription types which we will discuss in the next section.
Update subscription types
Subscription types represent the lawful basis to communicate for a certain category of communications. Subscription types are replacing email types for all HubSpot Marketing products.
Just like with the lawful basis to process, the lawful basis to communicate could be consent, performance of a contract, legitimate interest – and so on.
Subscription types are designed to accurately capture contacts’ email subscription preferences. You have three statuses within HubSpot – opted in, not opted in or out (default) and opted out.
Subscription types can be shown as form fields to allow contacts to opt into specific subscription types so they will not be opted into everything – just what they select.
Collecting consent on your forms and lead flows
You need to gather lawful basis from a form submission. In HubSpot, you have GDPR-friendly forms and lead flows that enable you to capture lawful basis to process and communicate. The lawful basis you establish and use is up to you and your team – but HubSpot has the tools that will enable you to capture lawful basis to process and communicate.
You can easily add a section for establishing lawful basis on your HubSpot forms. When you edit a form, there will be a section for ‘marketing consent’ and a series of dropdowns which you can select and fill in.
There are three different options to collect consent in HubSpot via forms. In short they are:
Consent checkbox for communications; form submit as consent to process
With this option, you can collect consent to communicate through an affirmative opt-in using a checkbox that specifies the communication/subscription type. Please note that the checkbox cannot be pre-selected by default. You can add more than one checkbox to allow visitors to consent to communication for more than one subscription type (see below). If someone submitting the form doesn’t check the consent to communicate box, the submission is still processed, and the contact doesn’t subscribe to any communications. It is not possible to make the consent to communicate required.
With this option, consent to process personal data is collected implicitly upon the contact clicking the submit button.
Consent checkboxes for communications and processing
With this option, consent to communicate is collected in the same way as in the first option: through an affirmative opt-in checkbox that specifies the communication/subscription type. The checkbox cannot be pre-selected by default, you can add one checkbox per subscription type (see below), it cannot be made required, and if it is left unchecked the submission is still processed but the contact doesn’t subscribe to any communications.
With this option, you cannot process a visitor’s data and accept their submission unless they check the box. The contact needs to check the consent to process checkbox in order to give their consent.
The third option applies if your lawful basis of processing is legitimate interest instead of consent. This form option will display a notice to visitors letting them know that you need their information to contact them about your products and services and that they may unsubscribe from these communications at any time.
The default language used for these notices is set in your Privacy and consent settings – you can customise them if you wish.
Sorting out single opt-in and double opt-in
Opt-in – or single opt-in – is a term used when someone is given the option to receive email or any other form of marketing communication. Opt-in effectively gives the individual the opportunity to consent to receiving further marketing communication from your business. The problem with single opt-in, however, is that anyone could register for your business' communications using anyone's email address, as the address is never verified.
Double opt-in, on the other hand, can address that problem.
Double opt-in as we know it is a requirement you'll see on German websites. It requires brands and businesses to ask contacts or website visitors to confirm twice that they are happy to receive content or marketing material. Once a form is filled in, HubSpot sends out a first opt-in request email containing a link; the contact then clicks that link to confirm they want to receive regular email communication. In a single opt-in process, anyone can sign up by entering an email address. With double opt-in, you can confirm that the person subscribing actually controls the address you send the email to, because they must click the link in that email before being added to a mailing list.
In terms of best practice, double opt-in is one of the best ways to prove consent obtained under GDPR.
However, double opt-in is not a requirement under GDPR, meaning you don't have to have your visitors/contacts confirm their opt-in twice, but you do need to ensure that you are gaining consent from individuals in relation to all your marketing activity. This means that you can't include pre-ticked boxes asking for people to subscribe to your blog. The individual must complete an affirmative action to sign up to communications. This essentially means unbundling your consent and ensuring you obtain consent from your website visitors in relation to each individual aspect of your marketing activity.
As a minimum, you should have tick boxes on all of your forms along with an explanation of what you are going to do with a visitor's contact information if they opt-in.
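As an added illustration of the mechanics described above (this is example code written for this page, not HubSpot's own implementation), the following Python models double opt-in together with the two earlier ideas: a lawful basis to process that is separate from the lawful basis to communicate, and the three subscription statuses (opted in, not opted in or out, opted out). The confirmation token is random, stored only as a hash, single-use and time-limited, and every consent change is appended to an evidence log recording when, how and with what wording consent was obtained. The class name `ConsentStore`, the 48-hour token lifetime and the sample addresses are assumptions.

```python
# Added example (not HubSpot's code): a minimal double opt-in flow with a
# per-contact consent record. ConsentStore, TOKEN_TTL and the sample
# email addresses are made up for illustration.
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# The three subscription statuses the text describes.
OPTED_IN, NOT_OPTED, OPTED_OUT = "opted_in", "not_opted", "opted_out"
TOKEN_TTL = timedelta(hours=48)  # assumption: how long a confirmation link stays valid


def _now():
    return datetime.now(timezone.utc)


class ConsentStore:
    """Per contact: the lawful basis to process and one subscription status per
    subscription type, plus an append-only evidence log of every consent event."""

    def __init__(self):
        self.contacts = {}  # email -> {"basis_to_process": str | None, "subs": {type: status}}
        self.pending = {}   # sha256(token) -> (email, sub_type, text_shown, expires_at)
        self.evidence = []  # what was agreed, when, how, and the wording shown

    def _contact(self, email):
        return self.contacts.setdefault(email, {"basis_to_process": None, "subs": {}})

    def form_submitted(self, email, basis_to_process, sub_type=None, text_shown=""):
        """Form submission: record the lawful basis to process. If the (unticked by
        default) consent checkbox was ticked, sub_type is given and double opt-in
        starts. Returns the raw token that would be placed in the email link."""
        c = self._contact(email)
        c["basis_to_process"] = basis_to_process
        self._log(email, "process", basis_to_process, "form submit", text_shown)
        if sub_type is None:
            return None  # submission still processed; nothing subscribed
        c["subs"].setdefault(sub_type, NOT_OPTED)
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked datastore cannot be used to confirm on someone's behalf.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, sub_type, text_shown, _now() + TOKEN_TTL)
        return token

    def confirm(self, token):
        """Link click: a single-use, time-limited token flips the status to opted in."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, sub_type, text_shown, expires_at = entry
        if _now() > expires_at:
            return False
        self._contact(email)["subs"][sub_type] = OPTED_IN
        self._log(email, "communicate:" + sub_type, "consent", "double opt-in link", text_shown)
        return True

    def withdraw(self, email, sub_type):
        """Withdrawal is honoured immediately and logged like any other consent event."""
        self._contact(email)["subs"][sub_type] = OPTED_OUT
        self._log(email, "communicate:" + sub_type, "withdrawn", "unsubscribe", "")

    def can_send(self, email, sub_type):
        """Sending needs both: a lawful basis to process AND an opt-in for this type."""
        c = self.contacts.get(email)
        return bool(c and c["basis_to_process"] and c["subs"].get(sub_type) == OPTED_IN)

    def _log(self, email, scope, basis, how, text_shown):
        self.evidence.append({"email": email, "scope": scope, "basis": basis,
                              "how": how, "text_shown": text_shown,
                              "at": _now().isoformat()})


def demo():
    """Constructed walkthrough: a visitor ticks the 'blog' checkbox on a form."""
    store = ConsentStore()
    token = store.form_submitted("ana@example.com", "consent", "blog",
                                 "Tick to receive our weekly blog digest. Unsubscribe any time.")
    before = store.can_send("ana@example.com", "blog")         # False: link not clicked yet
    clicked = store.confirm(token)                             # True
    replay = store.confirm(token)                              # False: token already used
    after = store.can_send("ana@example.com", "blog")          # True
    other = store.can_send("ana@example.com", "product_news")  # False: consent is not bundled
    store.withdraw("ana@example.com", "blog")
    withdrawn = store.can_send("ana@example.com", "blog")      # False
    return before, clicked, replay, after, other, withdrawn


if __name__ == "__main__":
    print(demo())
```

The point of `can_send` is that both bases are checked independently, which matches the distinction drawn earlier between processing and communicating: a contact with a recorded basis to process but no opt-in for a subscription type gets nothing, and opting in to one type never implies another.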
Think privacy by design
As a concept, privacy by design has existed for years, but with GDPR, it is finally becoming an important part of a legal framework. Privacy by design is an approach that encourages privacy and data protection compliance from the start. You build your processes and infrastructure with privacy and data security in mind. While not a requirement, privacy by design will help your business to comply with GDPR regulations.
With privacy at the heart of all the business’ operations, problems can be identified earlier, employees will have increased awareness of privacy and data protection across the business, actions are less likely to be privacy intrusive, and businesses can meet their legal obligations more easily.
Also, minimise your data collection – only collect what is necessary and ensure you have data retention policies in place. Another thing to consider is moving your website over to HTTPS if you haven’t already. HTTPS ensures that communications between the browser and the website are encrypted, so they cannot be read or tampered with in transit by a third party.
Remember, the data doesn’t belong to you – it belongs to the user – and on that basis, you need to give them every right to make corrections to that data. They are also the one who can grant and revoke consent of that data.
Deletion, access and portability
Under GDPR, your contacts have the ‘right to be forgotten’, which essentially means that they can ask you to provide them with a copy of all the personal data you have on them, or to delete/modify it.
There’s a new option within HubSpot called “GDPR delete” that permanently deletes a contact rather than retaining their information. If you do not have a process in place to manage deletion requests, it is worth setting one up to ensure deletion is done promptly when a contact asks.
You also have the option to grant any access/portability request to your contacts by exporting their record into a machine-readable format.
To ensure GDPR compliance, we would suggest your forms include:
- The reasons why data is being requested;
- Information on what the data will be used for;
- Clear opt-in and opt-out rules.
Under GDPR, data must be ‘accurate’ and kept for no longer than what is ‘necessary’. With HubSpot, you can manage all of your data from HubSpot’s contact records – meaning if it’s altered in one place, those changes will be reflected across the platform.
HubSpot users need to start gaining opt-in now
By changing your HubSpot setup to require consent, you can begin to qualify your existing contact database and clean out old or incorrect data.
With the feature enabled, HubSpot can send out opt-in request emails to contacts whose consent to be contacted you can't currently prove. For example, you might have a list of contacts who previously signed up to your blog via a pre-ticked box; this does not count as consent, so you'll need to get these people to consent again.
Opt-in might seem excessive, but that’s because it’s new and who likes change, right? We do! HubSpot marketers can develop extremely high-quality lists of people who are more engaged with the company. Those that actually opt-in are far more interested in what your business does and will be happy to receive further marketing material, so treat those people well!
GDPR self assessment
The ICO has constructed an in-depth GDPR preparation self assessment that will enable your business to overhaul its activities and be GDPR compliant. The assessment asks a series of questions to ascertain your business' level of "preparedness" in relation to GDPR. Upon completing the self assessment, you are presented with an overall result, an overview of how well prepared your business is, and a series of suggested actions.
You can find the ICO's GDPR self assessment here – it also includes a checklist for data controllers and soon a checklist for data processors.
GDPR consent checklist
If you are still struggling with how to obtain, record and manage consent in a GDPR-compliant fashion, the ICO has created a checklist of activities that you must do to keep your activities GDPR compliant.
You can find the document here, but we have included the steps below:
Asking for consent
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes, or any other type of consent by default.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give granular options to consent to independent processing operations.
- We have named our organisation and any third parties.
- We tell individuals they can withdraw their consent.
- We ensure that the individual can refuse to consent without detriment.
- We don’t make consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
Five tips for marketers:
HubSpot user or not, here are some straightforward tips you can follow to prepare yourself for GDPR:
- Audit your current database and try to establish whether individuals within your database have provided you with their consent. If you have obtained information without opt-in or have old information that is no longer relevant, you will need to cleanse that data. Your database might have a large number of contacts - but are they relevant, valuable and up to date? Cleansing your data will give you a better view of your actual contact pool.
- Have a clear understanding of your route to purchase or conversion and how those contacts came into touch with your business. If your business is asked to provide a trail of consent, you need to have comprehensive information on how you acquired the contact data.
- Educate your entire team on GDPR - In overhauling your processes, many will be disgruntled and confused, asking: "Why?" and "What's the benefit of this?". When these issues arise, you need to articulate the benefits of good data governance and how it improves your business' marketing activity. It's not just "we'll be fined if we don't market this way" but actually showing how using the methods outlined above can result in better marketing and better quality data. Without buy-in from everyone in the business, new policies and practices will be hard to implement and maintain over time as people fall back into old habits!
- Agree on your legal basis for processing - For many B2B companies, the legal basis for processing will either be consent or legitimate interest. No legal basis is better than the other – but it's important that you carefully assess with your legal team the most business-effective route for you to pursue in relation to engaging with your customers.
We would recommend that you have a marketing automation platform capable of managing all marketing data that enables you to update records on the fly. By George! HubSpot provides the necessary functionality your business needs to ensure regulatory compliance and high-quality data capture and management! Who would've known?
If you're ever in doubt and need guidance about GDPR on your website - book a meeting with one of our marketing specialists here.