GDPR

Grovewilks
Member


Could somebody advise on the Hubspot policy in relation to GDPR that will be hitting us in May 2018?

How will Hubspot manage opt-in and refresh of opt-in?

How will Hubspot manage the relevant questions to allow somebody to opt-in or download web content?

How will the data that Hubspot store be managed in relation to GDPR?

There are many questions on this topic; where do Hubspot stand in general in relation to this?

3 Accepted solutions
nknoop
Solution
HubSpot Employee

Hi everyone,

I work on the legal team at HubSpot and help run our GDPR compliance project. I’ll try to address some of the concerns raised above, and give everyone some insight into the status of the internal project and what our plans are for 2018.

We are fully committed to enhancing the HubSpot platform to enable customer/partner compliance with the GDPR. We appreciate that there may be current gaps in how our product interacts with some of the key GDPR requirements; we are actively working with our Product teams to address those areas, as well as introduce new product functionality that will help you comply.

For example, we are working on improving the way the CRM and Email product handles and tracks consent. As a previous post on this thread has recognized, this is a huge part of the regulation and is of particular significance to marketing and sales teams. Especially considering the recent Article 29 Working Party guidance on this point, we know we need to do a better job of helping customers manage and track consent.

The other areas we are working on improving include the Subscription Preference Pages, notice and consent in forms/CTAs, cookie management and preferences, double opt-in improvements, and tools to help our customers comply with data subject access/modification/deletion requests. We'll be announcing these changes on a rolling basis leading up to the GDPR's enforcement date of May 25, 2018.

The regulatory guidance helps shape the solutions we are crafting, and that’s part of the reason we are not immediately releasing product changes. Rather than releasing new functionality now that will later have to be modified based on new interpretations of the GDPR, we want to be sure our product aligns with groups like the Working Party before changes are finalized.

Apart from improvements to the product itself, we are working around the clock on how the GDPR affects other parts of HubSpot. For example, we’re digging into how integrations/Connect partners fit in a GDPR world. Further, we have involved key members of every department within HubSpot to help on this project (mainly IT, Security, Product/Engineering) to drive towards compliance by this coming May.

We’ll be communicating out project updates to our customers and partners starting in late January 2018.

I'm happy to chat with anyone, so if you have specific questions or concerns, feel free to reach out via direct message and include your email address.

Nick

nknoop
Solution
HubSpot Employee

Hi everyone - we posted a project update to the GDPR page (see here). I've also copied the list of product functionality / other items we are working on below.

  • New tools in form builder to help ensure proper notice and consent
  • Ensuring that end users are able to manage their communication preferences in a way that puts control in the data subject's hands
  • Improvements to double opt-in functionality
  • Ability to easily understand what consent customers have given, when, and the history of changes to that in the relevant parts of the product
  • Ensuring an easy means of exporting the personal data of a data subject
  • Bolstered deletion functionality to comply with right to erasure
  • Enhanced cookie management and preferences with localized privacy notices
  • In-portal guidance and suggestions on how to address key data privacy rules
  • Work with our certified integration partners on solving for the GDPR


Phil_Vallender
Solution
Most Valuable Member | Diamond Partner

Thanks @nknoop!

This announcement is much appreciated and, I feel, deserves its own thread, which I have started here: HubSpot's GDPR product roadmap has been released

Phil Vallender | HubSpot Website Agency

50 Replies
edjusten
HubSpot Employee

Hi @jhollidge Do you have some specific concerns not addressed by the website linked above?

Ed
alivia
Contributor


Specific GDPR concern: how will Hubspot logs fall under the "right to data portability"?

Technically, in Hubspot we store information on each page visit and interaction, however this cannot be exported using the API (or exports), so we won't be able to communicate *all* the data relative to a customer.

Correct?
ojobson
Top Contributor


Alivia / Shearn,

I was under the impression that, when answering a 'Subject Access Request', you only need to provide their Personally Identifiable Information, the source of that information and any recipients of it. I'm not sure that one single page view could be counted as PII... so you are not obliged to provide this?

Have I got it wrong?
c2b2
Participant


The complete lack of action and understanding from HubSpot on GDPR compliance is absolutely shocking - and the inability of anyone to communicate what their plan is to ensure customers can meet GDPR requirements is extremely concerning - to the point where some people may feel that HubSpot isn't going to be an option for their businesses going into 2018.

The fact that they are asking people for 'specific concerns' is a joke - I mean RTFM!!!

The ICO have extensive guidance on GDPR, and whilst there are still some areas of interpretation, the fact that HubSpot hasn't responded to the key issues of consent for marketing communications is desperately ignorant for an inbound marketing company.

Additionally, since GDPR not only affects EU companies, but ANY company trading with or creating contacts in the EU (i.e. the yanks) - you'd have thought they'd be paying attention to the effects GDPR will have on their users and customers (not simply the high-level areas of safe-harbours).

You want issues, here are a few issues:

Issue #1

When a new contact is created in the CRM, they are automatically opted-in to all marketing communications. This will cause comprehensive failure of consent compliance if contacts view their preferences and see that we've pre-populated consent boxes; this in itself could be a cause of complaint or breach, even if we don't actually send out communications.

Development proposal

  1. When creating contacts, all email types should be set to opt-out
  2. Then, one or more email types must have consent applied by one of the following methods:
    1. Forms (and lead flows) should offer the functionality to apply consent to one or more email types
    2. Workflows should have the functionality to apply consent to one or more email types (depending on what form was submitted)

Issue #2

If the contact unsubscribes from all emails and then chooses to re-subscribe, the action results in consent for all marketing communications (rather than giving the option to opt-in to selected communications).

This will potentially cause compliance failure on consent and awareness of consent because:

  • If we offer different communication types, the contact should be able to opt-in to each individual communication option when re-subscribing
  • Because clicking the re-subscribe button launches a confirmation page away from the marketing preferences page, the contact may not be aware that they have been opted-in to all communications.

Development proposal

A completely compliant solution is for HubSpot to change the re-subscribe process so that the contact opts-in to each type they wish to receive and then selects re-subscribe. This process will only re-subscribe them to the selection made.

Issue #3

When a new email type is created, the contact's marketing preferences automatically show the contact as having consented to receive the new email type. This will cause comprehensive failure of consent compliance if contacts view their preferences and see that we've pre-populated consent boxes; this in itself could be a cause of complaint or breach, even if we don't actually send out communications.

Development proposal

New email types must automatically have a default value of 'opt-out'

Issue #4

We are obliged to provide evidence of when and how contacts opted-in. This is contained only in contact histories – and so cannot be exported and cannot be migrated.

Development proposal

We should be able to export ANY data from the CRM in a machine readable format – not simply contact properties, but correspondence and actions as well.

Biggest issue for me right now is the lack of movement from HubSpot.

JoeDavies
Top Contributor | Elite Partner

Exactly this! I've submitted questions around this previously with no answer - we need to be able to use the platform to be compliant, rather than fight against it. As it stands, a lot of the required processes will need to be manual, which is unsustainable, open to error and not fast enough.
c2b2
Participant


Tom - finally!

Thank you for addressing this seriously - I had a fear that no one at HubSpot knew what was going on - but the longer it takes for you to get these implemented - the longer any new contacts go without being compliant - meaning retrospective action by users - we really need action ASAP!!

halvork
Member


Hi

You had good issues 🙂

You refer to Tom's response - Is that available? Did not see anything in the community.

Best regards

Halvor K

c2b2
Participant


Hi Halvor,

Tom did reply and did make a commitment to having solutions to these specific issues in place by May.

However...

His post was then withdrawn by HubSpot a day later on the advice of their legal team.

Make of that what you will 🙂
jm
Contributor


Great. So Hubspot's legal team won't commit to the one thing they are supposed to commit to.