GDPR Best Practices Using HubSpot

With GDPR having been in effect for a few months now, most organizations have more or less implemented their updated privacy policies, cookie consent messages and consent wording on website forms.

If you haven’t completed your GDPR setup yet, make sure you do as the first accusations of non-compliance are rolling in. Even if you have not been flagged for anything since this update, do not consider GDPR as something that is going to go away.

If you are using HubSpot as your marketing automation platform or are thinking of switching to HubSpot, you are in good hands.  HubSpot has built a set of tools that will help you stay on top of GDPR compliance. In the rest of this article, I'll provide you with a quick summary of the GDPR rules as they relate to your web presence and email marketing, as well as best practices on how to implement HubSpot’s GDPR functionality. 

Please be informed that the content of this blog contains helpful information, but is in no way legal advice. Please consult with an attorney to define if the content below is applicable to you and to what extent.

A Quick Refresher on GDPR

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and is a regulation on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It affects all organizations that control or process the data of EU citizens. In ‘web terms’ that includes every organization who has a web presence in Europe and might be tracking and storing user data.

How does this impact your company? In short, you need to:

• Make website visitors aware that you are tracking their web behavior and ask for consent. Also allow them the right to decline.  As part of this, you will need to update your privacy policy and place a cookie consent message on your website that is immediately displayed to web visitors.
• Get consent from visitors to ‘legally process their information’ and send communications.  Make sure to update your signup subscription preferences and place consent forms on your landing pages.
• Keep visitor data safe and secure (security breaches need to be reported within 72 hours) and make users are aware of data retention policies (this should be part of your privacy policy).
• Give users access to the data you are storing about them and the option to edit or delete this data as they desire.

HubSpot GDPR Features:  

1. Privacy policy update: This one actually is not a HubSpot function but is essential for GDPR compliance. Consult your legal counsel to create or update your privacy policy that meets GDPR rules and make it readily available to website visitors. Using HubSpot tools, you can refer to the your privacy policy in several places, such as the cookie consent message, email templates, and consent wording on forms.
   
   
2. Cookies: HubSpot offers an out-of-the-box cookie message which you can adjust to fit your own messaging. You can create varying policies for different web pages or languages. There are also some nice options for placement of the message and button color. 
   
3. Lawful basis of processing: What does this mean? You will need to have a legal reason to use someone’s data. That reason could be consent (they opted in) with notice (you told them what they were opting into), performance of a contract (e.g. they are your customer and you want to send them a bill), or what GDPR considers “legitimate interest” (e.g. they are a customer and you want to send them products related to what they currently have). To help capture the lawful basis of processing, HubSpot built a native contact field with six values shown here.
   Once implemented, contacts that don’t fall into one of these buckets should not receive any email communications. How to update existing leads and new ones with the right lawful basis of processing label is specific to your organization and will need to be worked out with your marketing, sales, customer service and legal teams.  
   
   Another best practice to consider is sending a permission pass email to your existing database which simply asks for their permission to receive your information.
   
   
4. Subscriptions: Define and offer the various email communication subscription types available to your audience (Blog Subscription, Product Alerts and Updates, Monthly Newsletter, etc.). 
   
5. Consent: HubSpot offers three different types of consent messages to communicate lawful basis on a form submission. Copy can be adjusted as needed based on your specific business or individual form need.  For example, a blog subscription form might use a different consent message than a product trial form. 
   
6. Suppression: Once steps 1-5 are complete, the GDPR feature illustrated here can be turned on and will not allow for emails to be sent to non-compliant leads. 
   
7. Other
   
   1. Deletion: To comply with the regulation of users being able to ask organizations to edit/delete their data, HubSpot launched a “GDPR deletion” function that permanently deletes a contact, rather than storing their information in case they ever re-convert. Using this feature you will be able to perform a GDPR-compliant permanent deletion in your HubSpot portal.
      
      
   2. Security: HubSpot is strengthening its security controls across the board to protect customer's data. For example, HubSpot's infrastructure teams are improving their systems for authentication, authorization, and auditing at a massive scale to better protect customer's data.  

Furthermore, GDPR goes well beyond your company website and has implications for online advertising, social media, and more. Please, always be sure to consult with your legal team before implementing any notices or processes around GDPR compliance since they are the ones closest to your business operations and understand how GDPR will impact you.

If you would like our team to help you with the implementation of the GDPR compliance tools in HubSpot, please feel free to reach out to us.