Hi everyone - we posted a project update to the GDPR page (see here). I've also copied the list of product functionality / other items we are working on below.
OK, fine - but what does this actually mean for us? What can I do with this information? What compliance processes and measures can I now put into action on the back of this? I don't understand what HubSpot thinks I'm gaining from this update or what relevance it is to a customer trying to make progress on GDPR implementation or report into directors and business owners on what GDPR compliance is going to look like for their businesses.
On the back of this update, my GDPR Implementation report looks like: Yeah - no worries, HubSpot have been doing some stuff.
Hopefully, we won't get a 'lessons will be learned' update in June/July.
03-02-2018 11:09 - edited 03-02-2018 11:16
This is a nice list and addresses certain aspects of GDPR processing compliance. But GDPR 'raises the bar' for the consent, mandated by the 2009 ePrivacy Directive, one must obtain from the user to access their device (i.e. read & set cookies). Post-GDPR unambiguous consent is required as opposed to today's implied consent.
As far as I can tell, HubSpot always sets a tracking cookie before the user has consented or been presented with any cookie/privacy banner, and that is not in line with the ePD (as we understand the post-GDPR landscape). I've included an excerpt below from an EU-based law firm's GDPR blog on the topic.
....the ability to maintain that an implied consent is unambiguous depends upon at least a couple of critical factors: first, the prominence of the cookie banner itself ....; second, the timing of the cookie drop - if cookies are dropped at the same time as the banner, as is very often the case today, then it’s more-or-less impossible to maintain any argument that the visitor “unambiguously” consented to those cookies, given that they only learned about them after the cookies had already been served. To have a decent argument for unambiguous implied consent, the user at least needs to be informed about, and have the opportunity to decline, cookies before they get served.
Any feedback on this from HubSpot would be appreciated.
Hi, I've read through all the GDPR compliance info and Hubspot's roadmap for updates in this area, but I am unclear about one point. Will there be a distinction on the preferences page between "remove me from mailing lists" and "delete all my information"?
People have always been able to update their subscription preferences. As I understand it, Hubspot is updating this page to ask people to "opt-in" to the lists they want to be on (instead of "opting out" of the ones they don't want to be on).
However, I don't see anything related to how people request to have their contact information completely deleted. Is this going to be addressed on the preferences page, or elsewhere? Do we need to set up specific pages with forms to handle these "deletion" requests?
Because even if people select "remove me from all mailing lists" this is not the same thing as "delete me completely from your database". How will Hubspot be handling this?
Hi - I'd imagine most organisations will want to handle full or partial data deletions under a request procedure due to the potential complexities of what data can or should legitimately be deleted.
Example being that if there is a legal requirement to retain specific data for a period of time, partial deletion of data would be the most appropriate way to handle a request. You'd need to document the criteria and process for handling such things in your GDPR policies - but regardless, it would be a highly tricky thing for HubSpot to handle automatically, so my expectation is that they wouldn't go near any functionality that would enable the consumer to control data deletion.
What I wanted to know is on the "Manage email preferences" page, will the USER see BOTH options? So they can choose either:
1) Delete all my contact information from your database OR
2) Unsubscribe me from all lists.
Will the USER be given the option to either?
Yes, there will be a distinction between "GDPR delete" and unsubscribe. The GDPR delete button will be unique and will delete all record of the contact throughout the platform. This is distinct from unsubscribe, where you can still opt a contact out of receiving emails, but the contact record will remain in your database.
@nknoop will this allow for us to keep an email address only, so as to act as a suppression list, to ensure opt-out contacts do not return to the system when they shouldn't? This would be essential and from my understanding, completely acceptable under legitimate interests.
Deleting the record as a whole using this approach would open up the possibilities for errors such as re-uploading customer/subscriber lists and marketing to people that had expressly opted out. How does this button deal with this?
My concern is whether my contact data is stored on servers that are situated in Europe, because this is a big dealbreaker if it isn't.
Also I will need to be able to set up a processor's agreement between myself and HubSpot as I am storing contact info about my customers on the HubSpot servers.
Hi there, for concerns regarding legality and processors agreement my advice is to consult a legal company.
Hydra have the same issues as will all clients who use HubSpot as their data processor, as HubSpot data is stored both in and outside the EEA, and outside, if transferred to the US, there is the Data Privacy Shield.
There is a lot of detail to cover and understand and I don't recommend you try to do it yourself. It is much better to get proper legal advice.
I got all my legal documents in order already except having the processor's agreement I need to set up with HubSpot.
This needs to happen before 25th of May or else I am forced to abandon HubSpot in search of a company I can actually reach.
*sigh* Like so many on here we all understand that you are working on it.
You have made a page telling us what you are doing. That's lovely.
However, it's now less than 2 weeks before this is Law and still no tools to help us comply.
WHAT am I paying for? This is one of the biggest things in law for a long time and to get a mail telling me I can buy a new support module for HubSpot rather than working on what you should be really irks.
Can someone please just tell the truth and when it states available early May on your GDPR page please tell us why mid-May it's still not available.
Question: is there any way to link to the user email preferences page from a website page, similar to the email footer where it's usually located?