How can a company implement a data policy and processes within HubSpot that aligns with GDPR requirements?
Please note that the following guidelines are based on my experience and are not legal instructions. It is recommended to consult with your legal consultant to ensure full compliance with GDPR.
GDPR Best Practices in HubSpot:
-
Enable Data Privacy settings at HubSpot. This serves as a central location where you can easily activate data privacy-compliant features across your HubSpot account:
- Manage Subscription types in HubSpot, if somebody opted in. You can use Standard HubSpot options or advice from lawyers on which ones are the best for your particular case. Go to Settings - Marketing - Email - Subscription Types - you can set up subscription types based on your GDPR compliance plan.
- If you go to Settings - Marketing - Email - Subscriptions, you can also check your Subscriptions pages
-
If your GDPR agreement prohibits tracking marketing emails, you have the option to disable this feature. However, if users consent to share this information when accepting cookies or providing consent through a form, you can enable tracking accordingly.
- Unsubscribe options: provide the ability for opted-in people to unsubscribe from marketing in the footer (It's a must-have in HubSpot Marketing Emails, you won't be able to send marketing emails without this);
-
Customize the text of the Consent, Privacy Policy, and Legitimate interest messages here based on your company’s rules and country regulations; HubSpot provides a standard Legitimate Interest, Privacy Policy which is good to have in place for general cases, but you can also consult with your legal team about the best options for your company. You can also choose a language based on your audience and location. Go to Settings - Privacy & Consent - Consent Options tab
- Use the Cookies pop-up window on all your website pages (you can use Cookies both for HUbSpot-hosted pages and external pages built on other CMS) with an explanation to visitors of which data is stored and where. Go to the Privacy & Consent - Cookies tab, and click on the Manage banners button to edit your Cookie banner. Add External Domains If you have content outside HubSpot, a banner will be placed there as well. Do not forget to add the HubSpot tracking code to an external website or page and the Cookie Settings button code snippet that can be found after you click the Manage banners button.
These consent banners specifically manage HubSpot cookies. If your website utilizes additional tracking cookies, they will not be influenced by the consent choices made by your visitors.
-
Forms: Include a Consent checkbox on all your forms (pop-up and regular) to ensure visitors are aware of what they are agreeing to when they submit the form. This checkbox enables visitors to give consent for the processing of their personal information and to receive communication from your company. You can find this checkbox in the form settings
Once a contact completes a form and provides consent, the Legal basis for processing the contact's data property will be marked as Freely given consent from the contact. This information will then be visible in the subscriptions section of the contact record, indicating the Legal basis to communicate effectively. You can also set it up to update GDPR consent.
- Scheduling Pages, Chatbots, and other communication channels: Offer visitors transparency on how their data is processed and stored.
-
To see a report of your current contacts subscriptions and opted-in settings you can go to Data Privacy & Consent - Analyze
General plan to align with GDPR Policy
Implementing a data retention policy within HubSpot that aligns with GDPR requirements involves careful consideration of the types of data you collect, process, and store and close work with the Legal team.
-
Understand GDPR Requirements: I advise you to work closely with your Legal advisors. GDPR outlines principles such as data minimization, purpose limitation, and storage limitation, which are crucial for establishing a data retention policy.
-
Identify Types of Contacts: Classify the data you collect into different categories such as customer data, prospect data, employee data, etc. This helps in determining appropriate retention periods based on the sensitivity and purpose of each category.
-
Document Data Processing Activities: Maintain a comprehensive record of your data processing activities, including the types of data, purposes of processing, and lawful basis for processing. This documentation is essential for demonstrating GDPR compliance.
-
Define Retention Periods: I think, that the legal team can advise you on the best periods in your case. On the HubSpot side, it is possible to set up workflows that will clear the specific values of Contacts within these periods.
-
Regularly Review and Update Retention Periods: Regularly reassessing and updating data retention periods is essential to ensure that your retention policy aligns with any changes in regulations, business operations, or the type of data being handled. It is advisable to seek legal advice or designate a team member to stay informed about any updates in legal information to maintain compliance effectively.
-
Secure Data Storage: Implement robust security measures to protect the stored data from unauthorized access, ensuring that sensitive information is not exposed to potential breaches. HubSpot provides a high level of security. HubSpot is providing strong security measures, so you can not worry about your data security. However, there are some actions you can do (using 2-factor authentification methods, managing user permissions to access data in HubSpot)
-
Train your Team: Ensure that your team is educated on GDPR requirements and the specifics of the data retention policy. Regular training helps maintain a culture of compliance within your organization.
Remember that GDPR compliance is an ongoing process, and staying informed about updates to data protection regulations is crucial for maintaining an effective data retention policy.