GDPR

New Member

Could somebody advise on the Hubspot policy in relation to GDPR that will be hitting us in May 2018?

How will Hubspot manage opt-in and refresh of opt-in?

How will Hubspot manage the relevant questions to allow somebody to opt-in or download web content?

How will the data that Hubspot store be managed in relation to GDPR?

There are many questions on this topic; where do Hubspot stand in general in relation to this?

3 Accepted solutions

Community Manager

Hi everyone,

 

I work on the legal team at HubSpot and help run our GDPR compliance project. I’ll try to address some of the concerns raised above, and give everyone some insight into the status of the internal project and what our plans are for 2018.

 

We are fully committed to enhancing the HubSpot platform to enable customer/partner compliance with the GDPR. We appreciate that there may be current gaps in how our product interacts with some of the key GDPR requirements; we are actively working with our Product teams to address those areas, as well as introduce new product functionality that will help you comply.

 

For example, we are working on improving the way the CRM and Email product handles and tracks consent. As a previous post on this thread has recognized, this is a huge part of the regulation and is of particular significance to marketing and sales teams. Especially considering the recent Article 29 Working Party guidance on this point, we know we need to do a better job of helping customers manage and track consent.

 

The other areas we are working on improving include the Subscription Preference Pages, notice and consent in forms/CTAs, cookie management and preferences, double opt-in improvements, and tools to help our customers comply with data subject access/modification/deletion requests. We'll be announcing these changes on a rolling basis leading up to the GDPR's enforcement date of May 25, 2018.

 

The regulatory guidance helps shape the solutions we are crafting, and that’s part of the reason we are not immediately releasing product changes. Rather than releasing new functionality now that will later have to be modified based on new interpretations of the GDPR, we want to be sure our product aligns with groups like the Working Party before changes are finalized.

 

Apart from improvements to the product itself, we are working around the clock on how the GDPR affects other parts of HubSpot. For example, we’re digging into how integrations/Connect partners fit in a GDPR world. Further, we have involved key members of every department within HubSpot to help on this project (mainly IT, Security, Product/Engineering) to drive towards compliance by this coming May.

 

We’ll be communicating out project updates to our customers and partners starting in late January 2018.

 

I'm happy to chat with anyone, so if you have specific questions or concerns, feel free to reach out via direct message and include your email address. 

 

Nick

Community Manager

Hi everyone - we posted a project update to the GDPR page (see here). I've also copied the list of product functionality / other items we are working on below.

 

  • New tools in form builder to help ensure proper notice and consent
  • Ensuring that end users are able to manage their communication preferences in a way that puts control in the data subject's hands
  • Improvements to double opt-in functionality
  • Ability to easily understand what consent customers have given, when, and the history of changes to that in the relevant parts of the product
  • Ensuring an easy means of exporting the personal data of a data subject
  • Bolstered deletion functionality to comply with right to erasure
  • Enhanced cookie management and preferences with localized privacy notices
  • In-portal guidance and suggestions on how to address key data privacy rules
  • Work with our certified integration partners on solving for the GDPR

Community Thought Leader | Diamond Partner

Thanks @nknoop!

 

This announcement is much appreciated and, I feel, deserves its own thread, which I have started here: HubSpot's GDPR product roadmap has been released

 

Phil Vallender | Inbound marketing for B2B technology companies
HubSpot Moderator

Hi @Grovewilks  Find out more about HubSpot GDPR compliance here.

 

Ed 


Occasional Contributor

GDPR is a really big deal for us so I hope some further thinking on this comes out soon! I know May 2018 might seem like a way off, but it will come round pretty quick and we need to have quite a few issues resolved before then.

HubSpot Moderator

Hi @jhollidge  Do you have some specific concerns not addressed by the website linked above?

 

Ed 


Occasional Contributor

The complete lack of action and understanding from HubSpot on GDPR compliance is absolutely shocking - and the inability of anyone to communicate what their plan is to ensure customers can meet GDPR requirements is extremely concerning - to the point where some people may feel that HubSpot isn't going to be an option for their businesses going into 2018.

 

The fact that they are asking people for 'specific concerns' is a joke - I mean RTFM!!!

 

The ICO have extensive guidance on GDPR, and whilst there are still some areas of interpretation, the fact that HubSpot hasn't responded to the key issues of consent for marketing communications is desperately ignorant for an inbound marketing company.

 

Additionally, since GDPR not only affects EU companies, but ANY company trading with or creating contacts in the EU (i.e. the yanks) - you'd have thought they'd be paying attention to the effects GDPR will have on their users and customers (not simply the high-level areas of safe-harbours).

 

You want issues, here are a few issues:

 

Issue #1

When a new contact is created in the CRM, they are automatically opted-in to all marketing communications. This will cause comprehensive failure of consent compliance if contacts view their preferences and see that we've pre-populated consent boxes, this in itself could be a cause of complaint or breach, even if we don't actually send out communications.

 

Development proposal

 

  1. When creating contacts, all email types should be set to opt-out
  2. Then, one or more email types must have consent applied by one of the following methods:
    1. Forms (and lead flows) should offer the functionality to apply consent to one or more email types
    2. Workflows should have the functionality to apply consent to one or more email types (depending on what form was submitted)

 

Issue #2

If the contact unsubscribes from all emails and then chooses to re-subscribe, the action results in consent for all marketing communications (rather than giving the option to opt-in to selected communications).

 

This will potentially cause compliance failure on consent and awareness of consent because:

 

  • If we offer different communication types, the contact should be able to opt-in to each individual communication option when re-subscribing
  • Because clicking the re-subscribe button launches a confirmation page away from the marketing preferences page, the contact may not be aware that they have been opted-in to all communications.

 

Development proposal


A completely compliant solution is for HubSpot to change the re-subscribe process so that the contact opts-in to each type they wish to receive and then selects re-subscribe. This process will only re-subscribe them to the selection made.

 

Issue #3

When a new email type is created, the contact's marketing preferences automatically show the contact as having consented to receive the new email type. This will cause comprehensive failure of consent compliance if contacts view their preferences and see that we've pre-populated consent boxes, this in itself could be a cause of complaint or breach, even if we don't actually send out communications.

 

Development proposal

 

New email types must automatically have a default value of 'opt-out'

 

Issue #4

We are obliged to provide evidence of when and how contacts opted-in. This is contained only in contact histories – and so cannot be exported and cannot be migrated.

 

Development proposal

 

We should be able to export ANY data from the CRM in a machine readable format – not simply contact properties, but correspondence and actions as well.

 

Biggest issue for me right now is the lack of movement from HubSpot.

Occasional Contributor

Tom - finally!

Thank you for addressing this seriously - I had a fear that no one at HubSpot knew what was going on - but the longer it takes for you to get these implemented - the longer any new contacts go without being compliant - meaning retrospective action by users - we really need action ASAP!! 

 

New Contributor

Hi 

You had good issues :-) 

 

You refer to Tom's response - Is that available? Did not see anything in the community.

 

Best regards

 

Halvor K

Occasional Contributor

Hi Halvor,

 

Tom did reply and did make a commitment to having solutions to these specific issues in place by May.

 

However...

 

His post was then withdrawn by HubSpot a day later on the advice of their legal team.

 

Make of that what you will :-)

 

jm
Occasional Contributor

Great. So Hubspot's legal team won't commit to the one thing they're supposed to commit to.

Esteemed Contributor | Gold Partner

Exactly this! I've submitted questions around this previously with no answer - we need to be able to use the platform to be compliant, rather than fight against it, as it stands a lot of the required processes will need to be manual which is unsustainable, open to error and not fast enough.

Regular Contributor

Specific GDPR concern: how will Hubspot logs fall under the "right to data portability"?

Technically, in HubSpot we store information on each page visit and interaction, however this cannot be exported using the API (or exports), so we won't be able to communicate *all* the data relative to a customer.

Correct?

Top Contributor

Alivia / Shearn,

 

I was under the impression that, when answering a 'Subject Access Request', you only need to provide their Personally Identifiable Information, the source of that information and any recipients of it. I'm not sure that one single page view could be counted as PII.. so you are not obliged to provide this?

 

Have I got it wrong?

Occasional Contributor

Good to hear that it is being worked on - my concern is the amount of ground work and preparation we will need to do before the deadline next year. We need to have our own plans in place before May - but it's hard to do this without knowing exactly what Hubspot will be doing as regards compliance and when it will be available to us...???

Advisor

I've brought up the concerns regarding the auto opt-ins before and I've received the same response. As someone who is leading the charge for GDPR for our marketing team, I need to make sure we have things as tight as possible and I have no control over this process.

 

I've just received our first 'request for data' and the need to export a contact's full profile has never been more crucial. I literally have to copy and paste each line of data from a contact profile into an Excel sheet so I have full documentation... If someone has any suggestions on how to document/export a full profile it would be greatly appreciated.

Occasional Contributor

Not that I have done this in the past, but off the top of my head:

 

  • Create a new list and put the single contact into the list
  • Then go into the list (of one contact) and export the list
  • When given the option of what fields to export, select all of them.

Not ideal by a long shot.... but better than copying and pasting a few hundred times!

 

Advisor

Thanks @jhollidge,

 

I've done it the way you've mentioned as well, but I would still feel safer if we could get an entire log of a contact. For example, timestamps on their various actions over time, or in my recent case a list of all of the communications we've sent the contact over time.

 

I'm probably going a bit overboard with what we would need to present, but I just want to cover all my bases.

jm
Occasional Contributor

There is also a thread here concerning Canada's anti-spam laws though I posted my GDPR concerns regarding subscriptions and consent as they are pretty much the same.

 

In short, HubSpot’s consent management is definitely way below par and probably broken in light of GDPR (if you have more than one option for your visitors to sign up for).

 

I understand the legal team don't want to say anything but it's reflecting poorly on Hubspot now.  They've had 2 years to get this in order.  Considering the cost of Hubspot, this lack of clarity is simply not acceptable.

 

 

Top Contributor

Yeah, this is a massive concern for us. My organisation is fairly risk averse and I may end up having to throw the system out, as being not fit for purpose, if it can't be said to be GDPR compliant.

HubSpot Moderator

Hi @ojobson and @jm. Our Product and Security teams are working on the GDPR plan. We'll have updates in the coming months. Please refer to our GDPR website for the most current information. You can also reach out to your account managers, who can pass further queries on to the GDPR team.

 

Thank you,

Ed Justen

 


jm
Occasional Contributor

Appreciate this Nick, @nknoop. That gives me a lot more comfort and something I can communicate to my team. Looking forward to regular updates to help with some forward planning especially if there is work to be done as a result of consent/subscription mechanism changes.

 

Occasional Contributor

"We’ll be communicating out project updates to our customers and partners starting in late January 2018."

 

I must have missed that first update.

Occasional Contributor

Hi Nick,

 

Is there any update on this?? The end of January has passed and unless I am mistaken, we have had no further details on what functionality is coming from a GDPR perspective. It makes it very difficult for us to proceed with our own compliance plans without knowing what Hubspot are doing/planning to do.

 

I would appreciate an update as soon as possible please!!!

 

Thanks

 

Occasional Contributor

Nick, 

 

Is there any action plan on this?

 

A bit more transparency will be appreciated. May is just around the corner.

 

If there is any dramatic change management program that we have to undertake, as a result of using HS in order to comply with GDPR, it will be very beneficial to know today better than tomorrow what the plan looks like. Time is of the essence.

 

Perhaps this is not the best forum to address these queries? Is there any other official channel that we should be using?

 

Thanks,

Occasional Contributor

They promised their first GDPR action update late Jan 2018.

Guess what?

Nothing.

 

Attract > Convert> Close> Disappoint> 

Top Contributor

Hi there, please could you let me know where in the forms section is the Notice & Consent form copy? Thanks

Sacha

Top Contributor

 

Dear Nick

Please could you provide an update when we can expect functionality releases for:

 

Consent:

Alongside that change, the HubSpot subscription preferences page will be updated to support the needs of the GDPR. Currently the subscription preferences page allows Ana to opt out of different types of communications. This page will be updated to support opt-in preferences.

In Progress - Available early May

 

Delete :

You will be able to perform a GDPR-compliant permanent delete in your HubSpot portal.
(revised) In Progress - Available early May

Occasional Contributor

Yes please. We would really appreciate an update and the functionality to be available asap. Until we see what Hubspot functionality brings, we are sitting in limbo. It's very late now and time is ticking....

Occasional Contributor | Platinum Partner

Same (massive) concerns here. Lots of questions on the product - and general need for guidance from HS, as leader in the space. The time to act is long, long overdue. Communication and roadmap should be apparent asap.

Occasional Contributor

I am being asked regularly by the directors of our company to outline our GDPR compliance plans for sales/marketing ahead of the 25th May deadline. It is very frustrating not to be able to respond with any sort of clarity.  So many aspects of GDPR  compliance relate back to how Hubspot is going to handle it.  Time is ticking. We would appreciate an update asap please.