As always you can listen by watching this video or read on...
Now that we're a few months into GDPR and we've had plenty of time to test the new processes and procedures we rolled out to our Automotive clients, they've worked well, so now lets pass on what we've learnt to help you make GDPR-friendly updates and to know what are some tools for regulatory framework for managing cookie consent on your website, notice and consent where you capture data, and responding to requests.
The previous posts in our GDPR for Automotive series gave you ideas of what to consider. This post is the how to of exactly what you can do to be GDPR-friendly.
To use our recommendations you need to be using HubSpot CRM. Learn more here about HubSpot CRM and our implementation service.
FYI: This is not a legal document. You should seek legal advice to ensure you are GDPR compliant and this might mean modifying some of the updates detailed in this article. If you'd like legal advice then read our GDPR Compliance page and book a free GDPR consultation.
One-off GDPR-friendly updates
Cookies on your website
Use HubSpot and you'll already have the HubSpot tracking code on your website, which means a lot of features can be managed from inside HubSpot without the need for a programmer to make updates on your website. Use the HubSpot ‘cookie consent banner’ so your visitors can accept or decline being tracked on your website.
More details on this feature here…
The settings you can use:
- Use cookies: Using tracking cookies allows you to track visits and clicks on your website
- Notify visitors: A banner pops up on your website with buttons to ‘accept’ or ‘decline’
- Require opt-in: Visitors are only tracked if they click ‘accept’
Notes for you:
- A link to your Privacy policy needs to be included.
- To check the consent status or allow users to remove their cookies and tracking cookie consent then your web developer needs this information to update the HubSpot tracking code.
Notice and consent
You can turn this on for all HubSpot hosted data capture points (a) on your website (forms, lead flows, document share link forms, messages) and (b) in meetings links.
Notice and Consent that you can use
You'll go into the HubSpot 'Settings' area --> Contacts & Companies --> Privacy and consent and manage it all from there. Then notice and consent will be added automatically to any new forms that you create.
Legitimate interest
By submitting your details you agree we can store your data and contact you. Read all in our Privacy Policy.
Privacy policy
Read all in our Privacy Policy.
Consent to communicate
Join our mailing list to receive one monthly email with insider tips for sales, marketing, and websites to help grow your business.
[ ] TICK THE BOX TO JOIN THE MAILING LIST
Consent to process data
Explicit: By ticking the box you agree that we can store your data
[ ] I agree to allow The Tree Group to store and process my personal data.
Implicit: By submitting your details you agree that we can store your data.
Notes for you:
- A link to your Privacy policy needs to be included.
Updating existing Meetings links
Use the HubSpot Meetings tool that links directly to your Google Calendar or Office365 Calendar to make it easy for leads, prospects, and customers to book meetings (without bouncing emails back and forth trying to find a time).
GDPR features are turned on for each meeting link, as you can have different types of meetings, and let HubSpot handle legal basis for processing and communicating.
Watch this video on how to update Meetings links
Ongoing GDPR-friendly activity
Sales activity 1: Updating ‘Legal basis for processing contact’s data’
You need a legal basis to store and process contact data. To help you comply, there’s a new Contact property in HubSpot CRM called ‘Legal basis for processing contact’s data’ and it allows you to view, edit, and audit the legal basis for processing for every contact.
In HubSpot, this property can be edited in Settings → Properties → Contact properties
More details on this feature here...
The options you can tick for each contact
- Legitimate interest – prospect/lead
- Legitimate interest – existing customer
- Performance of a contract
- Freely given consent from contact
- Not applicable
‘Freely given consent from contact’ is automatically updated when a contact fills out a HubSpot data capture point and gives consent for you to store and process their data.
Make sure you’ve installed the HubSpot inbox extension for Outlook and Gmail.
Watch this video on how to view, edit, and audit ‘Legal basis for processing contact’s data’
We recommend you consult relevant regulatory guidance on whether you should rely on legitimate interest. For example, the ICO has released this guidance on legitimate interests.
Sales activity 2: Updating ‘Legal basis for communicating’
Before proceeding with this step, you will have already completed SALES ACTIVITY 1 onwards.
This step is required so you can email a contact (from inside your HubSpot CRM) or enroll a contact in a Sequence (from inside your HubSpot CRM or Outlook/Gmail).
‘Communications subscriptions’ are automatically updated if a contact fills out a HubSpot data capture point and gives consent for you to communicate with them. The consent they give depends on what you asked them to do. You might only ask for consent to follow up with sales emails (permission to email them from inside HubSpot CRM and enroll them in Sequences) or to add to them to your mailing list. If you don't ask for consent to add them to your mailing list, you need to ask for that separately and then update their Communication subscription (if you use HubSpot Marketing Starter of above with the email marketing tool) or create then update a property for ‘Opted-in to marketing emails’ then have that sync out to your 3rd party tool using this cloud syncing tool.
Watch this video on how to view, add, and edit ‘Communication subscriptions’
Sales activity 3: Different ways contacts are added to your HubSpot CRM
Before proceeding with this step, you will have already completed SALES ACTIVITY 1 onwards.
This step is required so you have a central record of all activity.
Option 1 - Inbound lead (from HubSpot data capture point)
The contact will have filled out one of your HubSpot data capture points (website; forms, lead flows, live chat, or document share link forms, and meetings links)
- The contact is automatically added to your HubSpot CRM
- The ‘Legal basis for processing contact’s data’ property is automatically updated
- And, if they ticked the consent box, their ‘Communication subscriptions’ is automatically updated to allow you to email them from inside your HubSpot CRM and enroll them in a Sequence or send them email marketing etc.
Option 2 - Inbound lead (from non-HubSpot form)
The contact will have filled out a non-HubSpot form on your website
- The contact is automatically added to your HubSpot CRM, if you turn on the ‘Collected forms’ feature in HubSpot Marketing Free and above.
- The ‘Legal basis for processing contact’s data’ property needs to be manually updated
- You also need to manually update their ‘Communication subscription’
Option 3 - You email the contact and have the ‘Log in CRM’ box ticked
- This is a feature of the HubSpot inbox extension
- If the ‘Log in CRM’ box is ticked when you email a contact then (a) the contact and company will be automatically added to your HubSpot CRM (if they don’t already exist) and (b) the email you send will be automatically logged in your HubSpot CRM against their contact and company record.
- The ‘Legal basis for processing contact’s data’ property needs to be manually updated
- You also need to update their ‘Communication subscription’
Watch this video to see how you can control how emails are logged.
Option 4 - You manually add a contact to your HubSpot CRM
In this case, for each contact, you must update their properties for ‘Legal basis for processing contact’s data’ and create then update the ‘Referred by’ property so you have a record of where their contact details came from. You also need to update their ‘Communication subscription’.
Use LinkedIn
- Message them on LinkedIn
- Ask their permission to follow up on email and add them to the mailing list
- Use the LinkedHub Chrome extension to easily add their details to your HubSpot CRM (this synchronises messages from LinkedIn into your HubSpot CRM so you have proof of ‘opt-in’)
- Go to their contact record in HubSpot CRM
- Add their ‘Communication subscription’
- Now you can email them from inside your HubSpot CRM or enroll them in a Sequence
Watch this video on how to use the LinkedHub Chrome extension.
Publicly available data on the company’s website or using Hunter.io
- Go to the company’s website
- Search the website or click the Hunter.io Chrome extension
- Find publicly available email addresses (Hunter.io shows the source URL)
- If you're happy you have a ‘Legal basis’, add them to your HubSpot CRM
- Make sure to update the ‘Legal basis for processing contact’s data’ property
- Use the ‘Referred by’ property to store the URL of the publicly available data
- Add their ‘Communication subscription’ so you can email them from inside your HubSpot CRM and enroll them in a Sequence.
Watch this video on how to use the Hunter.io Chrome extension.
Sales activity 4: Sending one-to-one sales emails
Before proceeding with this step, you will have already completed SALES ACTIVITY 1 onwards. This step is required if you want to email a contact.
Create a GDPR snippet
In HubSpot you have a feature called Snippets which make it easy to store short pieces of text to drop into emails.
Create a snippet that is GDPR-friendly such as:
I'm contacting you because __________. I found your details on __________ and thought you'd find this email helpful for your work at __________.
Can I add you to our mailing list so you get the latest updates on business growth (you'll always have the opportunity to unsubscribe and request/modify/delete your data)?
Add the ‘GDPR snippet’ to the first email to each contact
This shows you’re ethical in how you approach people. It explains why you’re contacting them, where you got their details, asks if they’d like to join your mailing list, and explains that they can always unsubscribe and request/update/delete their data.
- Make sure you’ve installed the HubSpot inbox extension for Outlook and Gmail.
- Click the Snippet icon
- Choose the GDPR snippet
Watch this video on how to use the Snippet feature:
Sales activity 5: Adding a contact to your email marketing
Before proceeding with this step, you will have already completed SALES ACTIVITY 1 onwards. This step is required if you want to send a contact email marketing.
Option 1 - Use 'Communication subscriptions' - if using the HubSpot email tool
- Your recipients will typically see a 'preferences' or 'unsubscribe' link in the footer of every email you send from inside HubSpot, as part of a Sequence, or using the HubSpot email tool. This allows them to centrally manage their preferences and to opt in and out of different email types
- You can also manage this manually when looking at each contact in HubSpot CRM by going to the Communication subscriptions section
- Simple...
Option 2 - Use the ‘Opted-in to marketing emails’ property if you use a 3rd party email marketing tool
- First, you need to create the custom property
- Then, you can view and edit this property in Outlook/Gmail and inside HubSpot CRM
- Just update the ‘Opted-in to marketing emails’ property to ‘Yes’
- If you subscribed to the cloud sync tool then a sync can be setup with your 3rd party tool
Watch this video on how to view, edit, and audit the ‘Opted-in to marketing emails’ property:
NOTE: If you use a 3rd party tool and have the cloud sync setup, will see new contacts being added to HubSpot CRM where the original source shows ‘INTEGRATION’ which means they came into the CRM because they joined your mailing list through the 3rd party tool such as if you have a non-HubSpot sign-up form on your website.
Sales activity 6: Retention policy
You’re only allowed to store data for the purpose it’s intended and this includes the length of time you store data. The detail around this is up to you and needs to be confirmed in your privacy policy. Managing this will require periodic work.
For now, this is what we suggest
- Add an automated Task to the end of Sequences
- If a contact reaches the end of a Sequence with no response
- 1 week after the last piece of activity
- You can use the standard ‘Delete’ option to delete the contact
- The standard delete option gives you 90 days to be able to restore their data
- This means you give the contact time to reply to previous emails
Responding to requests
Modification
If a contact requests that you modify the data you hold for them, here’s how to update contact data:
Once you’ve modified the contact in HubSpot, if you subscribed to the cloud sync tool then those updates will automatically update your other systems.
Unsubscribing
Option 1 - Typically, there are two ways that a contact can ‘unsubscribe’:
If you use HubSpot CRM and HubSpot Marketing Starter or above
- Your recipients will get a link in the footer of every email you send from inside HubSpot, as part of Sequences, or using the email tool.
If you use HubSpot CRM + a 3rd party email marketing tool
- As above, your recipients will get a link in the footer of the emails you send from inside HubSpot CRM and as part of sequences
- However, your email marketing tool is separate so the footer link in those emails will also be separate. Not ideal!
NOTE: With regards to ‘unsubscribing’, HubSpot CRM and MailChimp are completely separate systems and there is no way to have one central ‘unsubscribe’ link or to offer different subscription preferences such as sales emails, customer updates, marketing updates etc. The only way to get this functionality is for you to upgrade to HubSpot Marketing Starter so that your email marketing tool and CRM are on the same platform. Then you have complete control over all forms of consent and subscription types.
Option 2 - You get asked to ‘manually’ unsubscribe a contact
- First, ask what they want to unsubscribe from. Is it the one-to-one sales emails (sent from inside your HubSpot CRM or in Sequences) or is it marketing emails (sent from the HubSpot email marketing tool or your 3rd party tool) or both.
- It's then up to you to click the 'opt out option in HubSpot and to do the same if you also use a 3rd party email marketing tool.
Deleting
GDPR requires the permanent removal of each contact from your database, including email tracking history, call records, form submissions and more. In many cases, you’ll need to respond to the request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
If you have HubSpot Marketing Starter or above, this is easier to manage as you have less systems to update.
I suggest this as a good process:
- Here’s a quick video on how to ‘Delete’ a contact using the ‘soft’ or ‘hard’ options
- Then in your 3rd party email marketing tool, you’ll need to find the contact by their email address and delete the contact
- Next you’ll need to think of your other systems, circulate an email with all involved, give them the email address of the contact that needs to be deleted, ask them to delete that contact from their email contacts folder.
You may also need to delete email history etc. A legal advisor can answer this question.
Note about ‘soft’ delete option: To restore a contact in HubSpot go to the main Contacts area → Actions → Restore contacts.
Note about adding a ‘hard’ deleted contact: Per this HubSpot Academy article, you will receive an in-app notification that the contact can not be created. This will apply across all methods of contact creation including the 'Log to CRM' functionality.
Note about HubSpot: While their personal data will be deleted, their anonymized analytics will remain. For example, if the contact visited your site several times, those sessions will continue to be reflected in your Sources report (if you have a paid version of HubSpot Marketing) but in an anonymized way - you won’t know it was the individual. If you’ve sent emails to the individual, and then you delete them, their analytics will continue to be reflected in the emails you’d sent (opens, clicks, etc.) but their personal information (name) will no longer appear.
Appendix
Appendix 1 - You privacy policy
This is 100% where you need legal advice. The privacy policy should be publicly available on your website and linked next to every data capture point, i.e. some short ‘notice’ text next to each data capture point plus a link to your main privacy policy. It needs to be plain english, simple to understand, and amongst other information, it needs to include a retention policy.
As an example, here are HubSpot’s Privacy policy and the Cookie policy.
When you update your privacy policy you need to include the different ways you track, capture, and store data. To help with that, here are some suggestions:
- HubSpot: DPA, Data Privacy, GDPR, Compliance, and cookies HubSpot set in a visitor’s browser.
- G Suite (for Google contacts and Gmail): G Suite is used for Google Contacts, Gmail, Google Analytics plus many other services. Details here: Google Cloud and G Suite Security and Trust.
- MailChimp (if you don't have a paid version of HubSpot Marketing) Security, Privacy Policy, Terms of Use, GDPR friendly forms, GDPR tools, Guide, DPA, DPA FAQ, Privacy Shield.
That brings this series of posts and articles on GDPR Compliance to a close.
If you'd like support with GDPR, getting started with free technology such as HubSpot CRM, Sales, and Marketing, then start with a free consultation.
