This blog was first published in June 2017, and has been updated in December 2017.
What is the GDPR?
Set to come into force in May 2018, the General Data Protection Regulation (GDPR) represents the most important change in data privacy and data management in the last 20 years.
More than 200 pages long, GDPR aims to unify and strengthen data privacy laws across Europe, formalising concepts such as the ‘right to be forgotten’ and giving EU citizens complete control over their personal data online. A bold ambition by any standard.
Essentially, what this means is that companies will need to be more transparent with what they do with personal data, while we, as individuals, will have more control over the information we provide. This is a big change for marketers, because in order to keep the ability to remarket to individuals, send out automated emails and target particular audiences, we need to refine our data based upon our contacts that have ‘opted-in’.
At first glance this might seem like a lot of extra effort, but as double opt-in becomes the norm, it will force marketers to clean their contact data and from it generate quality contacts.
Severe penalties await those who fail to adhere to GDPR – you’ve been warned. Businesses that suffer a data breach and have not complied with GDPR could incur a penalty of 4% of global turnover or €20 million, whichever amount is greater. Ouch! Also, under GDPR, the country’s Data Protection Authority (DPA) – for the UK, that is the Information Commissioner’s Office (ICO) – must be informed of data breaches within 72 hours of their being detected, so no more burying your head in the sand and praying nothing leaks out.
Does the GDPR apply to me?
GDPR will apply to any business that operates within the EU or processes the data of EU citizens; it does not matter whether your business is based in an EU state or not.
Despite there being less than a year until the GDPR, many businesses are either unprepared or unsure of what GDPR will actually mean for their marketing activity; American research and technology advisory firm Gartner predicts that, by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements.
If you are struggling to work out what GDPR is, and what it means for your business, check out our frequently asked questions and get the answers you need.
Finally, if you are looking for the final GDPR text, you can find it here.
So, how will the GDPR affect HubSpot users?
While GDPR may be a headache for some marketers, it’s mostly business as usual for those using HubSpot.
Think about it: under GDPR, marketers need to receive clear, unambiguous consent from those they are marketing to if they want to engage with them, and there must be a detailed trail of that consent.
For HubSpot users, we have been doing most of this all along.
Unlike interruptive marketing methods which demand people’s attention, Inbound Marketing is about earning people’s attention. Synonymous with permission marketing, where you earn the consent of the individuals you market to, Inbound Marketing is about providing valuable, helpful content which addresses the problems and needs of your future or existing customers, pulling them towards your company and product/services.
As you attract these individuals, you convert them into leads using forms, calls-to-action and landing pages on your website that offer high-quality ‘gated content’. Throughout the Inbound process, every exchange has been consensual and can be easily tracked through the HubSpot platform.
However, in preparing for GDPR, HubSpot users will need to update their cookie practices, get their data capture in order, and re-qualify their lists by obtaining consent via affirmative actions (no more pre-ticked boxes), or via double opt-in.
Disclosing your cookie practices
Under GDPR, cookies are considered to be 'personal data', and as GDPR provides individuals with more control over their personal data, you will need to revisit your cookie practices. GDPR also states that implied consent is no longer enough: website visitors must make an 'affirmative action' to signal their consent, whether this is clicking a box that says "yes" or one that says "no" to opt out. If there is no free choice, i.e. the ability to opt in or out, then there is no valid consent (no more pre-ticked boxes on forms).
Also, you cannot bundle your 'opt-in' consent; for example, if someone opts in to receiving more information about the products and services you provide you cannot then start sending unrelated marketing collateral to them. Specific consent must be obtained for each marketing activity and you must convey, in detail, what you will be providing individuals with should they opt-in.
As long as fair notice is given beforehand and the option to opt-out is always available, you will be fine under GDPR.
Get your data capture in order
Sorting out single opt-in and double opt-in
Opt-in, or single opt-in, is a term used when someone is given the option to receive email or any other form of marketing communication. Opt-in effectively gives the individual the opportunity to consent to receiving further marketing communication from your business. The problem with single opt-in, however, is that anyone could register for your business's communications using anyone else's email address, as the address is never verified.
Double opt-in, on the other hand, can address that problem.
Double opt-in as we know it is a requirement you will currently see on German websites. It requires brands and businesses to ask existing contacts or website visitors to confirm twice that they are happy to receive content or marketing material. Once a form is filled in, HubSpot sends out a first opt-in request email containing a link; the contact then clicks that link to confirm they want to receive regular email communication. In a single opt-in process, anyone can sign up by entering an email address. With double opt-in, you can confirm that the person subscribing actually controls the address you send the email to, because they must click the link in that email before being added to a mailing list.
In terms of best practice, double opt-in is one of the best ways to prove consent obtained under GDPR.
However, double opt-in is not a requirement under GDPR, meaning you don't have to have your visitors/contacts confirm their opt-in twice, but you do need to ensure that you are gaining consent from individuals in relation to all your marketing activity. This means that you can't include pre-ticked boxes asking for people to subscribe to your blog. The individual must complete an affirmative action to sign up to communications. This essentially means unbundling your consent and ensuring you obtain consent from your website visitors in relation to each individual aspect of your marketing activity.
As a minimum, you should have tick boxes on all of your forms along with an explanation of what you are going to do with a visitor's contact information if they opt-in.
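The double opt-in flow described above, as an added example that is not HubSpot's code: the confirmation link carries an HMAC-signed, time-limited token bound to the address and purpose, so a click proves control of the mailbox, a token cannot be reused or retargeted, and the confirmed record keeps when and how consent was given and exactly what the person was told. The secret key, 48-hour expiry and store layout are constructed assumptions.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass, field

# Constructed demo key; a real deployment loads this from a secrets manager.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 48 * 3600  # assumed: confirmation links expire after 48 hours

@dataclass
class ConsentStore:
    pending: dict = field(default_factory=dict)    # token_id -> (email, purpose, issued_at)
    confirmed: list = field(default_factory=list)  # audit trail of confirmed consent

def _sign(token_id, email, purpose, issued_at):
    # The HMAC binds the token to this exact request, so it cannot be forged or moved to another address.
    msg = f"{token_id}|{email}|{purpose}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def request_opt_in(store, email, purpose, now=None):
    """Step 1: the form is submitted. Park the request and build the link token.
    The address is NOT added to any list until the link is clicked."""
    now = int(time.time() if now is None else now)
    token_id = secrets.token_urlsafe(16)
    store.pending[token_id] = (email, purpose, now)
    return f"{token_id}.{now}.{_sign(token_id, email, purpose, now)}"

def confirm_opt_in(store, token, notice_text, now=None):
    """Step 2: the link is clicked. Check signature and expiry, then record
    when and how consent was given and exactly what the person was told."""
    now = int(time.time() if now is None else now)
    try:
        token_id, issued_s, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False
    entry = store.pending.get(token_id)
    if entry is None:          # unknown, already used, or withdrawn request
        return False
    email, purpose, stored_issued = entry
    expected = _sign(token_id, email, purpose, stored_issued)
    if issued != stored_issued or not hmac.compare_digest(sig, expected):
        return False
    if now - issued > TOKEN_TTL:
        return False
    del store.pending[token_id]  # one click, one confirmation
    store.confirmed.append({"email": email, "purpose": purpose,
                            "requested_at": issued, "confirmed_at": now,
                            "method": "double opt-in email link",
                            "notice_text": notice_text})
    return True
```

Each purpose (blog, newsletter, product updates) gets its own request, which is the unbundled, granular consent the text asks for.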
Think privacy by design
As a concept, privacy by design has existed for years, but with GDPR, it is finally becoming an important part of a legal framework. Privacy by design is an approach that encourages privacy and data protection compliance from the start. You build your processes and infrastructure with privacy and data security in mind. While not a requirement, privacy by design will help your business to comply with GDPR regulations.
With privacy at the heart of all the business’ operations, problems can be identified earlier, employees will have increased awareness of privacy and data protection across the business, actions are less likely to be privacy intrusive, and businesses can meet their legal obligations more easily.
Also, minimise your data collection – only collect what is necessary and ensure you have data retention policies in place. Another thing to consider is moving your website over to HTTPS if you haven’t already. HTTPS ensures that communications between the browser and the website are encrypted, so they cannot be read or tampered with by a third party in transit.
Remember, the data doesn’t belong to you – it belongs to the user – and on that basis, you need to give them every right to make corrections to that data. They are also the one who can grant and revoke consent of that data.
HubSpot users need to start gaining opt-in now
By changing your HubSpot setup to require consent, you can begin to qualify your existing contact database and clean out old or incorrect data.
With the feature enabled, HubSpot can send out opt-in request emails to contacts whose consent to be contacted you can't currently prove. For example, you might have a list of contacts who previously signed up to your blog via a pre-ticked box; this does not count as consent, so you'll need to get these people to consent again.
Opt-in might seem excessive, but that’s because it’s new and who likes change, right? We do! HubSpot marketers can develop extremely high-quality lists of people who are more engaged with the company. Those that actually opt-in are far more interested in what your business does and will be happy to receive further marketing material, so treat those people well!
To ensure GDPR compliance, we would suggest your forms include:
- The reasons why data is being requested;
- Information on what the data will be used for;
- Clear opt-in and opt-out rules.
Under GDPR, data must be ‘accurate’ and kept for no longer than what is ‘necessary’. With HubSpot, you can manage all of your data from HubSpot’s contact records – meaning if it’s altered in one place, those changes will be reflected across the platform.
GDPR self-assessment
The ICO has constructed an in-depth GDPR preparation self-assessment that will enable your business to overhaul its activities and be GDPR compliant come May 2018. The assessment asks a series of questions to ascertain your business's level of "preparedness" in relation to GDPR. Upon completing the self-assessment, you are presented with an overall result, an overview of how well prepared your business is, and a series of suggested actions.
You can find the ICO's GDPR self-assessment here; it also includes a checklist for data controllers and soon a checklist for data processors.
GDPR consent checklist
If you are still struggling with how to obtain, record and manage consent in a GDPR-compliant fashion, the ICO has created a checklist of activities that you must do to keep your activities GDPR compliant.
You can find the document here, but we have included the steps below:
Asking for consent
- We have checked that consent is the most appropriate lawful basis for processing.
- We have made the request for consent prominent and separate from our terms and conditions.
- We ask people to positively opt in.
- We don’t use pre-ticked boxes, or any other type of consent by default.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give granular options to consent to independent processing operations.
- We have named our organisation and any third parties.
- We tell individuals they can withdraw their consent.
- We ensure that the individual can refuse to consent without detriment.
- We don’t make consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.
- We regularly review consents to check that the relationship, the processing and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalise individuals who wish to withdraw consent.
Four tips for marketers:
HubSpot user or not, there are some straightforward tips you can follow to prepare yourself for GDPR:
- Audit your current database and try to establish whether the individuals within it have provided you with their consent. If you have obtained information without opt-in, or hold old information that is no longer relevant, you will need to cleanse that data. Your database might have a large number of contacts, but are they relevant, valuable and up to date? Cleansing your data will give you a better view of your actual contact pool.
- Have a clear understanding of your route to purchase or conversion and how those contacts came into touch with your business. If your business is asked to provide a trail of consent, you need to have comprehensive information on how you acquired the contact data.
- Educate your entire team on GDPR. In overhauling your processes, many will be disgruntled and confused, asking: "Why?" and "What's the benefit of this?". When these issues arise, you need to articulate the benefits of good data governance and how it improves your business' marketing activity. It's not just "we'll be fined if we don't market this way" but actually showing how using the methods outlined above can result in better marketing and better quality data. Without buy-in from everyone in the business, new policies and practices will be hard to implement and maintain over time as people fall back into old habits!
We would recommend that you have a marketing automation platform capable of managing all your marketing data and enabling you to update records on the fly. By George! Wouldn’t you know that HubSpot provides the functionality your business needs to ensure regulatory compliance and high-quality data capture and management.