Is HubSpot GDPR Compliant?

Compliant Tools
August 12, 2021
HubSpot has gone to great lengths to make sure that they are GDPR compliant. In this article, we'll break down what HubSpot has done to achieve GDPR compliance.

Looking for a CRM system? Naturally you would be if you are a retail company that reaches out to hundreds, if not thousands, of prospects. A CRM keeps a record of who you contacted and who you have as a client, and lets you keep tabs on them to help with the retention rate. All that said, have you stopped to think about whether the CRM system you are using is GDPR compliant?

HubSpot is an American developer and marketer of software products for inbound marketing, sales, and customer service. HubSpot was founded by Brian Halligan and Dharmesh Shah in 2006. It’s one of the better alternatives if Salesforce is above your budget for a CRM system. This article will quickly go over what the GDPR requires for compliance and what HubSpot has done to meet those standards.

GDPR Compliance Requirements 

The GDPR requires that you have a lawful basis for processing personal data. This means you need a legal reason to use a data subject’s information. Taken from the Information Commissioner’s Office (ICO) website, those reasons are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital Interests: the processing is necessary to protect someone’s life.

(e) Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

What HubSpot is doing to be compliant with GDPR

They will be adding a brand new multiselect property to track lawful basis. The property will be editable manually or via automation. For example, you might configure an automated workflow to set the lawful basis property when a customer signs a contract.

In addition, you’ll be able to track and audit the grant of lawful basis using the property history for that new property.

What does consent mean:

One type of lawful basis of processing is consent with proper notice. In order for a customer to grant consent under the GDPR, these things need to happen:

• The customer needs to be told what they are opting into. The information needs to be clearly explained, not confusing or vague about exactly what you will be using their data for.

• The customer needs to intentionally opt in (pre-checked checkboxes aren’t valid and are against GDPR guidelines). Having the customer fill out a form cannot, on its own, implicitly opt the customer into everything your company sends. The customer needs to make the initial effort to opt in.

• The consent needs to be transparent, meaning it needs to cover the various ways you process and use the customer’s personal data (e.g. marketing email or sales calls). You must log auditable evidence of what the customer consented to, what they were told (notice), and when they agreed. This is important if you are ever audited and need proof that your customer consented to let you use their data.

What HubSpot is doing to be GDPR Compliant:

Within HubSpot, they’ve added features to make collecting, tracking, and managing consent in a GDPR-compliant way as straightforward as possible.

Three of the most common ways that HubSpot customers acquire new customers are through Forms (including Lead Flows), Messages (aka Conversations), and Meetings. These are different channels through which the customer might initially engage with your company.

In each of these tools, you’ll be able to provide proper notice to your customers before they provide information to you (using text boxes on forms), and to collect the appropriate consent when the customers are ready to grant it.

An additional detail on notice: if you need to link out to additional notice provisions (like privacy notices), you can do so using hyperlinks in forms.

Once the customer submits their information, HubSpot will store a copy of the notice that the customer was provided and information about which consent the customer provided, and the timestamp of the interaction.

HubSpot made this level of consent tracking available for other forms of contact creation as well: imports, APIs, and manual additions.

Alongside that change, the HubSpot subscription preferences page will be updated to support the needs of the GDPR. Currently the subscription preferences page allows the customer to opt out of different types of communications. This page will be updated to support opt-in preferences.

Withdrawal of consent (or opt out)

As the data subject, the customer needs the ability to see what they signed up for and to withdraw their consent (or object to how you’re processing their data) at any time. In other words, withdrawing consent needs to be just as easy as giving it. None of that easy-to-opt-in but impossible-to-opt-out-later crap.

What HubSpot is doing:

In HubSpot, the customer can withdraw their consent from your subscription preferences page. Once the above changes on consent are made, that page will reflect the customer’s affirmative opt-in for each type of communication. On your subscription preferences page, the customer can easily withdraw that consent. Alternatively, if you receive a withdrawal of consent directly from the customer, HubSpot will make it so you will be able to modify the lawful basis contact property.

In addition, all 1:1 email sent via Sales Hub will be updated to allow the inclusion of unsubscribe links (including messages sent using Sequences).


Customers need to be given notice that you're using cookies to track them (in language they can understand) and need to consent to being tracked by cookies. Just a side note: HubSpot does know about the upcoming ePrivacy Regulation and how it might affect how cookies are regulated. HubSpot plans to adjust their product accordingly.

What HubSpot is doing with cookies and tracking

HubSpot will update the default language for enabling cookies on HubSpot-hosted websites to reflect affirmative opt-ins, and make it possible to show different versions of the cookie consent message based on domains or specific URL paths that you specify.


The customer (data subject) has the right to request that you delete all the personal data you have about them. The GDPR requires the permanent removal of the customer’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to a customer's request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

What HubSpot is doing:

You will be able to perform a GDPR deletion/erasure request in your HubSpot portal.

Access / Portability

Just as a customer can request that you delete their data, the customer can request access to the personal data you have about them. Personal data is anything identifiable, like their name and email address. If the customer requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

The customer can also request to see and verify the lawfulness of the processing.

What HubSpot is doing:

HubSpot has enabled you to grant any access/portability request by easily exporting the customer’s contact record into a machine-readable format. Engagement data like tasks, notes, and calls that aren’t provided in the contact record export can be accessed using the CRM engagements API.

Modification of Data

Just as a customer can request to delete or access their data, they can ask your company to modify their personal data if it’s inaccurate or incomplete. If and when a customer does, you need to be able to accommodate that modification request.

What HubSpot is doing:

In HubSpot, if the customer asks you to change their information, you (or your portal admin) can do so from within their contact record.

Security Measures

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls, to data pseudonymization and anonymization.

What HubSpot is doing:

As part of HubSpot's approach to the GDPR, they’re strengthening their security controls across the board.

In addition to industry-standard practices around encryption, HubSpot's infrastructure teams are also improving their systems for authentication, authorization, and auditing at a massive scale to better protect their customers' data. They will provide additional details on these security measures as they are implemented.

HubSpot has gone to great lengths to make sure that they are GDPR compliant and that their clients can operate in the same manner with regard to the people they gather data from. So for those wondering whether HubSpot is a good choice from a GDPR compliance standpoint, the answer is yes. However, please note that HubSpot does require you to use several of their other tools to be a successful business, so I recommend looking it over carefully before pulling the trigger.
