May or Bust: Your Essential Guide to GDPR Prep for HubSpot Marketers
On May 25, the GDPR (General Data Protection Regulation), an overhaul of EU personal-data protections, goes into effect.
Adopted by the European Parliament and Council in April 2016 after four years of debate, the new rules expand existing data privacy law and significantly increase the fines for non-compliance.
While GDPR undoubtedly holds ramifications, the response from marketers and businesses is mixed.
For some, the sky is indeed falling. Others deride it as an antitrust tool that won’t affect them — “I’m not Facebook or Google, no one is coming after me.”
As for the rest of us? Well, we’re either ambivalent or still figuring it out.
A Forrester market research survey found that only 15% of B2B marketers believe they are fully compliant, most are only somewhat ready, and 18% are still mulling how to proceed.
At least most of us seem to agree that we need to do something about it. But what? We can barely get
Fear not, fellow marketer!
While I too have not read every line of the regulation (it’s 88 pages long with 99 articles; find it here if you want to knock yourself out), I have read a lot of articles from smart people who did.
This post is my definitive guide to preparing your HubSpot marketing business for GDPR.
I’ll discuss some of what’s changing, why it matters, and how you can start to get your marketing tools regulation ready.
If you feel like you’re an expert on GDPR and want to jump to the actionable tips, click here.
But before we get
While I will do my best to provide useful information, this post does not constitute legal advice. I highly recommend that any business unclear about how the regulations apply to them request a consultation with an attorney well-versed in the specifics of the law. I have linked to the sources of all my information to give credit and allow the reader to judge its credibility. Simply put, IMPACT and I are not liable if you get fined (CYA).
So, What’s Changing?
GDPR is not so much an expansion of the EU’s existing laws (most member states already had strict data laws) as a unification of them into one set of regulations across all member states, plus an expansion of how those rules can be enforced.
Some member countries with particularly strict data laws, like Germany, may enforce additional protections, but for the sake of simplicity, this post only covers the new unified regulations.
The 3 Key Changes Coming from GDPR:
1. Extended Jurisdiction
While previous laws were a bit vague, GDPR applies to anyone established in the EU who processes personal data, and to anyone outside the EU who offers goods or services to people in any of the 28 member states or monitors their behaviour (tracking their visits to your site counts). It protects anyone who is in the EU, not only EU citizens.
This means that if you market or do business online with people in the EU, you’re subject to these regulations, even if you are not in the EU and do nothing with their data afterwards.
In other words, even if you’re located in California and mostly do business in-state, if someone in the EU converts on one of your landing pages and your tracking cookie starts following them, you are subject to GDPR.
2. Increased Fines
GDPR penalties are tiered, but the maximum fine is 4% of worldwide annual turnover or €20 million, whichever is higher. So under the coming regulation, the Cambridge Analytica scandal could’ve cost Facebook over 1.5 billion euros.
GDPR also assigns joint liability so a company can be held responsible for how data is managed or used by vendors (a.k.a. Facebook and all their friends get in trouble).
3. Consent is the Key to Compliance
GDPR is written to ensure people in the EU know when their personal data is being collected and how it is going to be used. Personal data is any information relating to an identified or identifiable person: a full name, home address, location data, IP addresses, and even cross-device online identifiers and cookies.
There is no distinction made between private data, public data, and work data. Once you hold the personal data of someone in the EU, it is subject to GDPR.
Individuals must also have the ability to see what is being stored about them, correct it, have it erased, and object to its use in databases or algorithms (the rights of access, rectification, erasure and objection).
Sensitive information about race, religion, sexual orientation, or political beliefs faces even stricter control.
When it comes to children’s personal information, an additional layer of protection is added. Parental consent is needed to collect or process the data of anyone under 16 (member states may lower that threshold to as low as 13).
Plus, if someone asks a social network to delete photos they posted as a minor, not only will the network have to remove the photo, they are obligated to inform search engines and anyone that used the photo that it should be deleted.
Who Do These Rules Apply To?
The short answer is — anyone who could possibly generate a lead from someone living in the EU.
The long answer:
GDPR makes distinctions between data “controllers” and “processors” to manage the often complicated roles between those who collect and analyze personal information.
Controllers determine “the purposes and means of processing personal data” and processors are “responsible for processing personal data on behalf of a controller.”
Marketers like you are typically data controllers, where much of the liability lies, but in some cases you may also be a processor — for example if you’re an agency partner working with data for a client (as when IMPACT works with a client’s data).
If your site is built on HubSpot CMS or uses HubSpot tracking tools, you are a data controller because you control “the purposes and means” of how personal information on site visitors is collected. HubSpot, in turn, is the processor of the data because it is where the data is stored and analyzed.
Even if you’re not on HubSpot, if you collect any personal data using landing pages, forms, or any other marketing tools for yourself or your clients — you’re a controller. If you’re working with your client’s data to execute a campaign or formulate strategy, you’re a processor.
Note: The ICO (Information Commissioner's Office), “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” has created super valuable checklists for both controllers and processors.
I highly advise filling out whichever applies to your business to better understand your specific obligations.
If you’d like to further review the data rights codified, eugdpr.org has a great summary — including the controller requirement to appoint Data Protection Officers. If you’d like to read more of the legislation, the European Commission (the EU’s executive arm) has also published a site that is far more skimmable than the full legal text.
Why GDPR Matters
Nitasha Tiku, writing for Wired, may have summed it up best:
“Since the dawn of the commercial web, companies have been financially incentivized to hoover up data and monetize later. Now, EU consumers will have the freedom to opt in, rather than the burden of opting out. That emphasis on consent creates a financial reward to building consumer trust.”
Consumers and governments are increasingly concerned about the troves of personal data that companies collect and how that data can be used, or stolen, for nefarious means.
That’s why GDPR compliance should be viewed as an opportunity to address the rapidly shifting consumer demand for data transparency and consent.
These regulations aren’t arbitrary interference, they reflect very real consumer needs.
While the fines are scary, I have a hard time believing that, come May 25th, the swift hand of EU legislative justice will wipe marketers out of 28 countries.
Regulators will likely be looking for good-faith progress and an attempt to comply as best you can** (These are disclaimer asterisks. This is not legal advice and that opinion is not informed by any legal understanding).
My point is, comply because it is the right thing to do.
Inbound marketing is all about building trust and equity with your personas. Practices that betray the trust of your audience, prospects, or customers only hurt your marketing efforts and business growth.
Compliance ensures your organization will avoid its own #deletefacebook moment and be prepared for a future in which consumers will only demand more and more data transparency and control.
I have to note that HubSpot alone will not keep you fully compliant. The platform has built-in features that will help, and a roadmap of more on the way, but each organization must conduct its own due diligence.
But HubSpot is proving it’s committed to helping and has built an awesome microsite. Here is some of what HubSpot suggests you can do:
Make Sure You Have A "Lawful Basis" for Processing the Data
I’m going to do my best to spare you the legalese.
Basically, any personal data that you have and use is okay if it’s necessary to fulfill your
If your client/customer buys a product/service from you and you’d like to send them onboarding emails, bills, subscription information, and anything else they request or need — that’s okay.
HubSpot Tip: segment your contacts and lists. Fine-tune what constitutes a MQL and ensure your workflows don’t spam existing customers.
You can also market additional products and services to these existing customers because there is a reason to believe they have an interest in them, as long as they can opt-out.
There is also a B2B allowance that lets businesses send emails or marketing materials to other businesses — even if that business or person is not yet a customer or has not given consent. If you are marketing a B2B product to a business, this is treated as legitimate interest. Legitimate interest is still a lawful basis you must be able to justify: document why your interest in marketing to them is not overridden by their interests, provide the ability to opt out, and give a clear notice about how you got their information.
HubSpot tip: Emails sent using HubSpot always have an “opt-out” unsubscribe button. Under preferences, contacts can self-select the materials they’d like to receive.
Get Clear Consent
To meet GDPR’s strict requirements for consent, you should track it on a case-by-case basis, per purpose, for each of your HubSpot contacts; you must be able to show who consented, when, and to what wording. Luckily, HubSpot’s form and landing page tools make this relatively easy. Use landing page copy to let your prospect know how you plan on processing their data and track consent using a form field.
From HubSpot Academy, here’s how to track consent with a form:
- “Go to Contacts > Forms.
- Create a new form or edit one.
- In the Fields section, click Create new. This will open a lightbox to create a new property that you'll be able to use as a form field in all your forms.
- Define a Label for it, and in Field Type select Single checkbox.
- Save the property.
- On the left list, find the new property you've just created and add it to your form either by clicking on it or by dragging it to the position where you want it to be displayed.
- Click on the asterisk button to make the field required.
- Click on the pencil to edit the field and modify the label. Remember, it has to be clear and inform the user about what they're consenting.
- If you're using different forms, remember to add and modify this new property in all of them.”
While it is not required by GDPR, you may want to set up double opt-in on your forms to confirm you have consent. This is also easily done in your HubSpot portal. Go to Content > Content Settings. In the left menu, click Email > Double Opt-In.
HubSpot is working on a feature, for launch in early April, that will automatically show the cookie-consent banner in the right language based on the user's location.
To get consent from your existing contacts, create an opt-in email campaign. Notify them of any changes in your data policy and ask for permission moving forward.
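What "tracking consent case by case" has to capture, as an added illustration (this is not HubSpot’s code and not how HubSpot stores the checkbox property): an append-only ledger of consent events per person and per purpose, so the history itself is the evidence that consent was given, confirmed by double opt-in where you use it, and not later withdrawn. The e-mail addresses, purpose names, form IDs and notice versions are constructed placeholders.

```python
"""Per-purpose consent ledger: the evidence you need to demonstrate consent.

Added illustration, not HubSpot's code. The contact e-mails, purposes,
form IDs and notice versions below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str         # one purpose per event, e.g. "marketing_email"
    action: str          # "granted" (box ticked), "confirmed" (double opt-in link clicked), "withdrawn"
    at: datetime
    source: str          # where it happened: a form ID, "confirmation_email", "preferences_page"
    notice_version: str  # which wording the person saw; keep the text itself under version control


class ConsentLedger:
    """Append-only log of consent events; nothing is overwritten, so the history is the record."""

    def __init__(self, require_double_opt_in: bool = False):
        self.require_double_opt_in = require_double_opt_in
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("granted", "confirmed", "withdrawn"):
            raise ValueError(f"unknown consent action: {event.action}")
        self._events.append(event)

    def history(self, email: str, purpose: str) -> List[ConsentEvent]:
        """All events for one person and one purpose, oldest first (what you would hand a regulator)."""
        return sorted(
            (e for e in self._events if e.email == email and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def has_consent(self, email: str, purpose: str, as_of: Optional[datetime] = None) -> bool:
        """True only if the most recent event up to `as_of` is a live, effective grant."""
        as_of = as_of or datetime.now(timezone.utc)
        events = [e for e in self.history(email, purpose) if e.at <= as_of]
        if not events:
            return False  # never asked, or asked and not answered: no consent
        latest = events[-1]
        if latest.action == "withdrawn":
            return False
        if latest.action == "confirmed":
            return True
        # "granted" but never confirmed: only good enough if you do not require double opt-in
        return not self.require_double_opt_in


if __name__ == "__main__":
    t = lambda hour: datetime(2018, 5, 25, hour, tzinfo=timezone.utc)  # constructed timestamps
    ledger = ConsentLedger(require_double_opt_in=True)
    ledger.record(ConsentEvent("alice@example.com", "marketing_email", "granted", t(9), "form-123", "notice-v2"))
    print("after form submit:", ledger.has_consent("alice@example.com", "marketing_email", t(10)))   # False
    ledger.record(ConsentEvent("alice@example.com", "marketing_email", "confirmed", t(11), "confirmation_email", "notice-v2"))
    print("after confirmation:", ledger.has_consent("alice@example.com", "marketing_email", t(12)))  # True
    ledger.record(ConsentEvent("alice@example.com", "marketing_email", "withdrawn", t(13), "preferences_page", "notice-v2"))
    print("after unsubscribe:", ledger.has_consent("alice@example.com", "marketing_email", t(14)))   # False
    for e in ledger.history("alice@example.com", "marketing_email"):
        print(f"  {e.at.isoformat()}  {e.action:9}  via {e.source}  ({e.notice_version})")
```

Two design points worth copying into whatever system you actually use: consent is scoped to one purpose (marketing e-mail is not product updates), and withdrawal is a new event rather than a deleted one, so you can still prove that an e-mail sent last month was lawful at the time.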
Delete What You Don't Need
Under GDPR you may only keep personal data for as long as it is needed for the purpose you collected it (storage limitation), so marketers are going to have to get used to deleting or anonymizing information that they no longer use. The regulation does not set the period; you define it and document it. A practical rule of thumb: if you haven’t reached out to a contact in a year, you should either re-engage or delete the contact.
HubSpot tip: Set up contact filters to ensure that you don’t let good leads slip through the cracks and lie dormant.
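What that retention sweep looks like when written down, as an added illustration (not HubSpot’s code, and not a HubSpot API call): each contact is kept, queued for re-engagement, or stripped of identifying fields depending on whether there is still a lawful basis to hold it. Stale records are pseudonymized with a keyed hash (HMAC-SHA256) rather than a plain hash, so counts and joins still work but nobody without the key can recover or match an address; destroy the key and the tokens become anonymous. The contacts, the 365-day window (this post’s rule of thumb; your documented policy decides) and the key are constructed placeholders.

```python
"""Retention sweep: keep, re-engage, or pseudonymize contacts past the retention window.

Added illustration, not HubSpot's code. The contacts are constructed, the 365-day
window is this post's rule of thumb, and KEY is a placeholder: in production the key
lives in a secrets manager, separate from the contact data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Contact:
    email: str
    name: str
    last_activity: date       # last time they engaged or you lawfully contacted them
    is_customer: bool         # open contract: processing is needed to perform it
    marketing_consent: bool   # consent on file for marketing e-mail


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Same input gives the same token, so analytics still
    join, but without the key the token cannot be reversed or matched. A plain unkeyed
    SHA-256 would not do: anyone can hash a guessed address and check for a match."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def classify(contact: Contact, today: date, window_days: int = 365) -> str:
    """Decide what happens to one contact under the documented retention policy."""
    if contact.is_customer:
        return "keep"           # lawful basis: performance of a contract
    if today - contact.last_activity <= timedelta(days=window_days):
        return "keep"           # still inside the retention window
    if contact.marketing_consent:
        return "re-engage"      # you may still e-mail them: do so, or let the record lapse
    return "pseudonymize"       # stale and no basis to contact them again


def sweep(contacts: Iterable[Contact], today: date, key: bytes,
          window_days: int = 365) -> Dict[str, List[Contact]]:
    """Apply classify() to every contact; pseudonymized records lose name and e-mail."""
    result: Dict[str, List[Contact]] = {"keep": [], "re-engage": [], "pseudonymize": []}
    for c in contacts:
        action = classify(c, today, window_days)
        if action == "pseudonymize":
            c = Contact(email=pseudonymize(c.email, key), name="",
                        last_activity=c.last_activity, is_customer=False, marketing_consent=False)
        result[action].append(c)
    return result


# Constructed sample data (not real contacts) and a placeholder key.
SAMPLE_CONTACTS = [
    Contact("alice@example.com", "Alice", date(2017, 1, 10), is_customer=True, marketing_consent=False),
    Contact("bob@example.com", "Bob", date(2017, 3, 1), is_customer=False, marketing_consent=True),
    Contact("carol@example.com", "Carol", date(2016, 12, 31), is_customer=False, marketing_consent=False),
    Contact("dave@example.com", "Dave", date(2018, 4, 30), is_customer=False, marketing_consent=False),
]
KEY = b"placeholder-key-keep-me-in-a-secrets-manager"

if __name__ == "__main__":
    for action, rows in sweep(SAMPLE_CONTACTS, date(2018, 5, 25), KEY).items():
        for c in rows:
            print(f"{action:12} {c.email}")
```

Run on the sample, Alice is kept on the contract basis even though she is stale, Bob goes to the re-engagement list because you still have his consent, Dave is kept because he was active last month, and Carol’s row survives only as a token with no name. If you would rather delete outright than pseudonymize, the classification logic stays the same; only the last branch changes.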
Make Sure Data is Secure
It’s not just the collection of data that is regulated, it is just as important that the data is securely stored.
If you’d like to learn more about what HubSpot does to protect the data it processes, check out their security page. While I am by no means a cybersecurity expert, I get the impression they are in-line with best practices and very careful about how they handle and secure data.
Audit your own organization and ensure that you too follow best cybersecurity practices. Regardless of GDPR, site security should be a top priority.
If a data breach does occur that is likely to result in a risk to people’s rights and freedoms, you must notify your supervisory authority (the ICO in the UK, for example; not your own data protection officer) within 72 hours of becoming aware of the incident, and if the risk to individuals is high, tell the affected people without undue delay. A processor such as HubSpot must in turn tell you, the controller, when it discovers a breach.
Create a Company-wide Culture of Compliance
Don’t assume that you’re compliant.
HubSpot has compiled a great checklist that can serve as a gut check for your data collection and marketing practices.
It is also important to note that while this post focuses on marketers, other parts of an organization, like HR, can be affected as well, particularly if you’re based in the EU or employ any of its citizens in a full-time or freelance capacity.
GDPR needs to be an organization-wide concern.
Some of the questions HubSpot recommends you should ask across your departments and disciplines include:
- “What personal data do we collect/store?
- Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
- Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?
- Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymization be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
- Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
- Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?”
The checklist from HubSpot also includes a project plan, procedures, and documentation so I highly recommend it if you don’t know where to start with assessing your compliance.
Appoint a Leader
The most important step your organization can take towards compliance is to appoint someone to take responsibility. Maybe that’s even you reading this. If you’re a marketer, you’re a skilled communicator; take it upon yourself to communicate why it matters and mobilize your company.
The ICO (UK’s Information Commissioner's Office) has also created a helpful infographic and guide with 12 steps you can lead immediately.
Have You Stopped Worrying and Learned to Love GDPR?
Whew, you’re still here huh?
I know GDPR can be dense so I hope this post and all the linked resources have helped you wrap your mind around the regulation.
One Final Disclaimer:
While I did my best to provide useful information, this post does not constitute legal advice. I highly recommend that any business unclear about how the regulations apply to them request a consultation with an attorney well-versed in the specifics of the law. I have linked to the sources of all my information to give credit and allow the reader to judge its credibility. Simply put, IMPACT and I are not liable if you get fined (CYA).