HubSpot’s GDPR settings make staying compliant significantly more straightforward, but knowing which tools to use (and when) can still be a challenge.
Data management compliance can be daunting at the best of times, and the General Data Protection Regulation (GDPR) raises the bar further. To stay compliant, organisations have to run processes for lawful basis, consent, retention and deletion, all while working with IT to keep their public-facing forms and user permissions up to date.
It sounds like a handful because it is. That is why HubSpot has invested in tools that let you implement your internal GDPR processes on your audience-facing web platforms.
In this article, we’ll take a deep dive into how HubSpot’s platform helps organisations meet GDPR compliance, and what you need to do on your side to ensure these tools are meeting their full potential.
Want to learn more about what HubSpot can do for you, including how to manage settings, create internal processes, and safely store contact data? Download the HubSpot Administrator's Handbook for free.
First, some key GDPR concepts
Before getting into the details of HubSpot’s GDPR tools, we should go over a few basics that users need to know as they navigate their GDPR settings.
First, GDPR applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3). Where the data subject is in the EU, it does not matter where the organisation itself is based.
GDPR is a central component of EU privacy and fundamental-rights law. As the GDPR.eu overview puts it, it is “the toughest privacy and security law in the world”.
(No pressure.)
Organisations therefore need clear processes that comply with the key GDPR tenets. Article 5(1) and 5(2) set out seven protection and accountability principles; the gist is that personal data must be:
- Processed lawfully, fairly and transparently,
- Collected for specified, legitimate purposes and not used for unrelated ones (purpose limitation),
- Limited to what is necessary for those purposes (data minimisation),
- Accurate and kept up to date,
- Stored only as long as necessary for the specified purpose (storage limitation),
- Protected against unauthorised access, loss and damage (integrity and confidentiality),
- Demonstrably compliant: the controller is responsible for, and must be able to show, compliance with all of the above (accountability).
For this article, we’ll focus on two components of GDPR which users must keep in mind as they navigate HubSpot’s platform. These are:
Demonstrating the legal basis for processing a contact’s data. Organisations must be able to show why they are legally allowed to hold a contact’s information in their system. In HubSpot this means a contact property that records the lawful basis for processing. The value can be captured and amended via a form, a manual (bulk) update, or an automated workflow.
However, processing data is different from using that data to communicate with the subject.
Demonstrating the legal basis for communicating with a contact. In addition to the above, a business that wants to send automated or marketing communications, such as newsletters or email campaigns, must be able to prove that it is allowed to use the stored data to contact the subject. Different legal bases can apply to communications; the best known is consent, which is easily managed with a tick box on forms that lets a contact opt in. Note that the two bases are independent: having a lawful basis to store a record does not by itself give you permission to email the person.
Now that we’ve established a few key concepts, let’s analyse how HubSpot helps organisations maintain compliance.
Data management compliance: is HubSpot GDPR compliant?
The short answer is yes, but with a caveat.
The HubSpot platform offers a dependable and easy-to-use set of tools that an organisation can turn on to support its GDPR processes. And that is the catch: the tools support processes, and the business must define those processes for the data it collects.
No platform can, or should, create those processes for you.
HubSpot helps you collect data in a GDPR-friendly way, but depending on your internal processes you may need to build workflows in the system or carry out certain manual steps to stay compliant. For example, contacts added through an uploaded list never pass through a form, so a business might set up an automation that records the lawful basis for processing and for communication on every contact created from an import.
Thankfully, HubSpot does make it easy to implement almost any process or workflow on its platform. With a few simple clicks, businesses can execute automatic GDPR-compliant processes for certain types of data that enter the portal.
What GDPR settings does HubSpot offer?
HubSpot offers a comprehensive set of tools to help businesses use their own processes to stay GDPR compliant. Here are some of our favourites:
Ensuring Legal Basis for Processing Data and Communicating With Subjects: As mentioned above, you need to be able to demonstrate a legal basis both to store subject data and to use it to communicate with them. This can be captured on the data collection forms themselves. For example, a form can carry two separate tick boxes: one confirming consent to process the data and one confirming consent to receive communications. In HubSpot you set the default behaviour in the account-level GDPR settings and can then override it on individual forms.
Subscriptions. One data point recorded in the backend is which subscription types a contact has signed up for. This lets a business decide which kinds of email, for example sales or marketing, it may send to a given subject. Subscriptions give granular opt-in and opt-out, and HubSpot makes them easy to configure. HubSpot also records when and how the contact was opted in to each type of email communication, whether via a form or a workflow, which is the evidence you need when asked to show consent.
Figure: the three form-level GDPR configurations: (1) legitimate interest, (2) a consent checkbox covering both communications and processing, and (3) a consent checkbox for communications, with form submission itself treated as consent to process.
Permanent Deletion: HubSpot offers a process for GDPR-compliant deletion of data. A normal delete only removes the contact from view: the record sits in a recycle bin and can be restored for up to 90 days, and if the subject fills in a form again during that window their previous data can come back with them. A GDPR-compliant delete is a different beast entirely: it permanently removes all of the subject’s data, with nothing left in the background to restore. This is essential for honouring erasure requests, and having it available within HubSpot is a significant advantage. Two caveats for your process: the hard delete only takes effect once the GDPR tools have been turned on in the portal, and it only covers data held in HubSpot, so exports, spreadsheets and integrated systems still need their own deletion step.
Figure: deleting contacts without the GDPR tools turned on (the default) leaves them restorable for 90 days; a GDPR hard delete, which requires the GDPR tools to be enabled, permanently removes all data.
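To make the difference between the two deletion modes concrete, here is an added illustration (not HubSpot code) of a toy in-memory contact store. `delete()` mirrors a normal recycle-bin delete that can be undone for 90 days, `hard_delete()` mirrors a GDPR permanent delete, and `submit_form()` shows what a subject's record looks like if they fill in a form again afterwards. The merge behaviour on re-submission, the property names and the sample contact are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECYCLE_DAYS = 90  # recovery window the article gives for a normal delete


@dataclass
class Contact:
    email: str
    properties: dict = field(default_factory=dict)


class ContactStore:
    """Minimal CRM: live contacts plus a recycle bin of soft-deleted ones.

    Illustrative model only; HubSpot's real behaviour may differ in detail.
    """

    def __init__(self):
        self.active = {}    # email -> Contact
        self.recycled = {}  # email -> (Contact, deleted_at)

    def submit_form(self, email, properties, now):
        # Live contact: merge the new properties onto the existing record.
        if email in self.active:
            self.active[email].properties.update(properties)
            return self.active[email]
        # Soft-deleted contact still inside the recovery window: the old
        # record is restored, so its previous history comes back with it.
        if email in self.recycled:
            contact, deleted_at = self.recycled.pop(email)
            if now - deleted_at <= timedelta(days=RECYCLE_DAYS):
                contact.properties.update(properties)
                self.active[email] = contact
                return contact
        # Otherwise the subject gets a brand-new record with no history.
        contact = Contact(email, dict(properties))
        self.active[email] = contact
        return contact

    def delete(self, email, now):
        """Normal delete: hidden from view, recoverable for RECYCLE_DAYS."""
        self.recycled[email] = (self.active.pop(email), now)

    def hard_delete(self, email):
        """GDPR permanent delete: nothing is left anywhere to restore."""
        self.active.pop(email, None)
        self.recycled.pop(email, None)


# Constructed sample contact and timeline used by both scenarios below.
SAMPLE_EMAIL = "alice@example.test"
SAMPLE_PROPS = {"phone": "+00 0000", "legal_basis": "consent"}
T0 = datetime(2024, 1, 1)


def after_soft_delete(days_later):
    """Properties on the record a subject gets when they re-submit a form
    `days_later` days after a normal delete."""
    store = ContactStore()
    store.submit_form(SAMPLE_EMAIL, SAMPLE_PROPS, T0)
    store.delete(SAMPLE_EMAIL, T0)
    contact = store.submit_form(SAMPLE_EMAIL, {"newsletter": "yes"},
                                T0 + timedelta(days=days_later))
    return dict(contact.properties)


def after_hard_delete(days_later):
    """Same scenario, but following a GDPR permanent delete."""
    store = ContactStore()
    store.submit_form(SAMPLE_EMAIL, SAMPLE_PROPS, T0)
    store.hard_delete(SAMPLE_EMAIL)
    contact = store.submit_form(SAMPLE_EMAIL, {"newsletter": "yes"},
                                T0 + timedelta(days=days_later))
    return dict(contact.properties)


if __name__ == "__main__":
    print("soft delete, re-submit after 30 days :", after_soft_delete(30))
    print("soft delete, re-submit after 120 days:", after_soft_delete(120))
    print("hard delete, re-submit after 30 days :", after_hard_delete(30))
```

The first scenario is the one the article warns about: within the 90-day window the old phone number and legal-basis value resurface on a record the subject believed was gone. Only the hard delete guarantees that a later form submission starts from an empty record.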
Schrems II and Moving Data Outside the EU. In July 2020 the Court of Justice of the European Union handed down the Schrems II judgment, which invalidated the EU–US Privacy Shield and requires organisations that transfer personal data outside the EU (for example under Standard Contractual Clauses) to assess whether the recipient country’s laws undermine the protection those clauses promise, and to add safeguards where they do. As you can imagine, this makes processes considerably more complex. One mitigation is HubSpot’s EU-based data centre, which lets businesses keep their portal data stored in the EU, and HubSpot has a migration plan for moving older portals from the US data centre to the EU one. An important caveat: EU hosting does not make Schrems II go away. If you move any EU personal data to the US yourself, for example through exports or US-hosted integrations, the transfer rules still apply.
Restricting Access for HubSpot Employees to the Portal. This is a feature that clients with strict legal departments often ask about. Letting HubSpot employees into a business’ portal is helpful when they are troubleshooting, but it is still third-party access to personal data, and it may conflict with the GDPR processes the organisation has defined. If this is a concern, HubSpot lets you switch that access off with a single toggle.
Figure: to change account access by HubSpot employees, navigate to Settings > Account Defaults > Security and untick the box under Account Access. The same screen shows when access was granted and which HubSpot department the employee belongs to.
Restricting Access for your own employees in the Portal. In larger organisations many employees will need access to HubSpot. However, GDPR’s integrity and confidentiality principle means personal data should not be more widely available than necessary, and every extra user with export rights is another way for data to leave the CRM. With user permissions and teams you can limit access to functionality in the portal (for example, denying the ability to export data) or hide particular contacts from view. If HR stores candidate information in HubSpot, for instance, it can restrict that data to its own team. Review these permissions periodically, not just when a user is created.
Figure: the permissions set for a user in a HubSpot portal, limiting the areas and data they can view. Permissions can be restricted per user or based on team membership.
Related read: How to Secure Your HubSpot Portal in 20 Minutes.
Add a Cookies Banner. Strictly speaking, the cookie-banner requirement comes from the ePrivacy rules rather than from GDPR itself (GDPR supplies the standard of consent), but since HubSpot has folded this tool into its GDPR feature set we want to make a special note of it. It makes it easy to set up cookie banners and consent settings that match your organisation’s needs. When you configure it, check that HubSpot’s tracking cookies are not set until the visitor has actually opted in.
Figure: left, a simple cookie banner that appears on any page with the HubSpot tracking code installed (text and settings can be changed); right, a granular banner that provides more information and lets visitors opt in to or out of specific categories of cookies. Both can be set up directly in HubSpot.
For a more detailed description of their GDPR tools, check out their product playbook.
What does HubSpot need me to do?
As mentioned earlier, HubSpot’s GDPR tools are not the whole of compliance. You remain the controller responsible for the data you collect; HubSpot is the tool you use to implement your in-house processes.
Here are some key questions to consider when working with your legal team to create a process for GDPR workflows:
- What do you intend to do with the data you collect?
- What kind of data do you need, and why? (Data minimisation: do not collect more than you need.)
- What supporting process will you have in place? (For deleting data for example)
- Are you importing information from lists? How will this be processed differently from data submitted via forms?
- What are your privacy and cookie policies? Are they stated clearly in your communications?
- How long will you store contact data, and what plans are in place for removing it? (Storage limitation: limit how long you keep any given piece of data.)
- Is your data protection officer (DPO) up to date with your GDPR processes?
- Have you planned when and how you’re going to review these processes?
- Do you need to perform a Data Protection Impact Assessment (DPIA) to help you identify and minimise data protection risks?
HubSpot can be incredibly useful when implementing your internal GDPR processes for sales, service and marketing contact data. While it’s up to you and your organisation to ensure that you are maintaining GDPR compliance, the tools in HubSpot make it easy to store customer data safely and correctly.
The HubSpot Administrators Handbook
Your guide to:
- Approaching your user permissions and team structure
- Knowing your data inside out to keep it clean and useful
- Staying on top of changes to stay in control
Jasmine is an Inbound Marketing Strategist and UX Designer. Her specialities are making sense of complex processes and getting things done. Questions or comments? Send her an email or connect on LinkedIn; she’s always happy to have a chat.