GDPR

Community Manager

Hi everyone - we posted a project update to the GDPR page (see here). I've also copied the list of product functionality / other items we are working on below.

 

  • New tools in form builder to help ensure proper notice and consent
  • Ensuring that end users are able to manage their communication preferences in a way that puts control in the data subject's hands
  • Improvements to double opt-in functionality
  • Ability to easily understand what consent customers have given, when, and the history of changes to that in the relevant parts of the product
  • Ensuring an easy means of exporting the personal data of a data subject
  • Bolstered deletion functionality to comply with right to erasure
  • Enhanced cookie management and preferences with localized privacy notices
  • In-portal guidance and suggestions on how to address key data privacy rules
  • Work with our certified integration partners on solving for the GDPR
Occasional Contributor

Thanks Nick

Occasional Contributor

OK, fine - but what does this actually mean for us? What can I do with this information? What compliance processes and measures can I now put into action on the back of this? I don't understand what HubSpot thinks I'm gaining from this update or what relevance it is to a customer trying to make progress on GDPR implementation or report into directors and business owners on what GDPR compliance is going to look like for their businesses.

 

On the back of this update, my GDPR Implementation report looks like: Yeah - no worries, HubSpot have been doing some stuff. 

 

Hopefully, we won't get a 'lessons will be learned' update in June/July. 

Top Contributor

Hi there, Hubspot is a marketing tool which gives you the functionality with which you can implement the processes of data collection, managing, processing and deletion of your data. If you need assistance with GDPR process and the legalities surrounding it then my suggestion is to engage a firm of lawyers to help you draft your privacy policy, privacy centre, cookie policy, legitimate interest policy and any other legal documents needed.

New Contributor

@nknoop

 

This is a nice list and addresses certain aspects of GDPR processing compliance. But GDPR 'raises the bar' for the consent, mandated by the 2009 ePrivacy Directive, one must obtain from the user to access their device (i.e. read & set cookies). Post-GDPR unambiguous consent is required as opposed to today's implied consent.

 

As far as I can tell, HubSpot always sets a tracking cookie before the user has consented or been presented with any cookie/privacy banner, and that is not in line with the ePD (as we understand the post-GDPR landscape). I've included an excerpt below from an EU-based law firm's GDPR blog on the topic.

 

....the ability to maintain that an implied consent is unambiguous depends upon at least a couple of critical factors: first, the prominence of the cookie banner itself ....; second, the timing of the cookie drop - if cookies are dropped at the same time as the banner, as is very often the case today, then it’s more-or-less impossible to maintain any argument that the visitor “unambiguously” consented to those cookies, given that they only learned about them after the cookies had already been served. To have a decent argument for unambiguous implied consent, the user at least needs to be informed about, and have the opportunity to decline, cookies before they get served.

Excerpted from http://privacylawblog.fieldfisher.com/2018/gdpr-plus-e-privacy/

 

Any feedback on this from HubSpot would be appreciated.

 

David

 

Occasional Contributor

When are we going to get a new update on progress?

Regular Contributor

Hi, I've read through all the GDPR compliance info and Hubspot's roadmap for updates in this area, but I am unclear about one point. Will there be a distinction on the preferences page between "remove me from mailing lists" and "delete all my information"?

 

 

People have always been able to update their subscription preferences. As I understand it, Hubspot is updating this page to ask people to "opt-in" to the lists they want to be on (instead of "opting out" of the ones they don't want to be on). 

 

However, I don't see anything related to how people request to have their contact information completely deleted.  Is this going to be addressed on the preferences page, or elsewhere? Do we need to set up specific pages with forms to handle these "deletion" requests?

 

Because even if people select "remove me from all mailing lists" this is not the same thing as "delete me completely from your database". How will Hubspot be handling this?

 

 

Occasional Contributor

Hi - I'd imagine most organisations will want to handle full or partial data deletions under a request procedure due to the potential complexities of what data can or should legitimately be deleted.  

 

Example being that if there is a legal requirement to retain specific data for a period of time, partial deletion of data would be the most appropriate way to handle a request. You'd need to document the criteria and process for handling such things in your GDPR policies - but regardless, it would be a highly tricky thing for HubSpot to handle automatically, so my expectation is that they wouldn't go near any functionality that would enable the consumer to control data deletion.

Regular Contributor

What I wanted to know is on the "Manage email preferences" page, will the USER see BOTH options? So they can choose either:

1) Delete all my contact information from your database OR

2) unsubscribe me from all lists.

 

Will the USER be given the option to either?

Community Manager

Yes, there will be a distinction between "GDPR delete" and unsubscribe. The GDPR delete button will be unique and will delete all record of the contact throughout the platform. This is distinct from unsubscribe, where you can still opt a contact out of receiving emails, but the contact record will remain in your database. 

 

Esteemed Contributor | Gold Partner

@nknoop will this allow for us to keep an email address only, so as to act as a suppression list, to ensure opt-out contacts do not return to the system when they shouldn't? This would be essential and from my understanding, completely acceptable under legitimate interests.

Deleting the record as a whole using this approach would open up the possibilities for errors such as re-uploading customer/subscriber lists and marketing to people that had expressly opted out. How does this button deal with this?

New Contributor

My concern is whether my contact data is stored on servers that are situated in Europe, because this is a big dealbreaker if it isn't.

Also I will need to be able to set up a processor's agreement between myself and Hubspot as I am storing contact info about my customers on the Hubspot servers.

Top Contributor

Hi there, for concerns regarding legality and the processor's agreement my advice is to consult a legal company.

Your privacy policy will then detail how your organisation captures and stores data using third party data processors e.g. Hubspot, Zendesk etc.

 

Hydra have the same issues, as will all clients who use Hubspot as their data processor, as Hubspot data is stored both in and outside the EEA, and outside, if transferred to the US, there is the Data Privacy Shield.

 

There is a lot of detail to cover and understand and I don't recommend you try to do it yourself.   It is much better to get proper legal advice.

 

New Contributor

I got all my legal documents in order already except having the processor's agreement I need to set up with Hubspot.

This needs to happen before 25th of May or else I am forced to abandon Hubspot in search of a company I can actually reach.

Occasional Contributor

Check out the product readiness page:

 

https://www.hubspot.com/data-privacy/gdpr/product-readiness

 

New Contributor

Hey, keep this thread up-to-date as we approach GDPR day. Hubspot released this in January 2018: Get Ready for GDPR: Features You Can Start Using On Your Path to Compliance

Community Manager

We just launched our GDPR product readiness page, which includes a product roadmap with changes we're making between now and May 25. Check it out here

 

Community Thought Leader | Diamond Partner

Thanks @nknoop!

 

This announcement is much appreciated and, I feel, deserves its own thread, which I have started here: HubSpot's GDPR product roadmap has been released

 

Phil Vallender | Inbound marketing for B2B technology companies
Occasional Contributor

*sigh* Like so many on here we all understand that you are working on it.

You have made a page telling us what you are doing. That's lovely.

However it's now less than 2 weeks before this is Law and still no tools to help us comply.

WHAT am I paying for? This is one of the biggest things in law for a long time and to get a mail telling me I can buy a new support module for Hubspot rather than working on what you should be really irks.

Can someone please just tell the truth and when it states available early May on your GDPR page please tell us why mid May it's still not available.

 

Top Contributor
Well said LeeHouse. On a personal note this will also reflect poorly on me if the product I sold into the company isn’t going to be GDPR compliant. Help us out here will you Hubspot?
Regular Contributor

Question, is there any way to link to the user email preferences page from a website page similar to the email footer where it's usually located?

We would like to have this option for people to click to see the preferences page from the Notice and Consent / Legitimate Interest (GDPR) / Process consent text section together with our Privacy Policy link. Thanks!