THE GDPR LAST-MINUTE KIT
GENERAL DATA PROTECTION REGULATION
How to transform the GDPR from a challenge into an opportunity.
The GDPR Last-Minute Kit
Table Of Contents
Introduction
Disclaimer
Chapter 1: Data Protection Before The GDPR
Chapter 2: Our GDPR Glossary
Chapter 3: Changes Made Under The GDPR
Chapter 4: How Prepared Are Marketers For The GDPR?
Chapter 5: Frequently Asked Questions
Chapter 6: The Changes Within HubSpot
Chapter 7: GDPR Checklist
Conclusion
Introduction
The GDPR (General Data Protection Regulation) is a new EU Regulation
which will replace the 1995 EU Data Protection Directive (DPD) to
significantly enhance the protection of the personal data of EU citizens and
increase the obligations on organisations who collect or process personal
data. It will come into force on 25th May 2018. The regulation builds on
many of the 1995 Directive’s requirements for data privacy and security
but includes several new provisions to bolster the rights of data subjects
and add harsher penalties for violations.
The full text of the GDPR can be found here and we’ve added a glossary
of all the legal terms to this guide.
So why should you care?
While the current EU legislation (the 1995 EU Data Protection Directive)
governs entities within the EU, the territorial scope of the GDPR is far
wider in that it will also apply to non-EU businesses who a) market their
products to people in the EU or who b) monitor the behaviour of people
in the EU. In other words, even if you’re based outside of the EU but you
control or process the data of EU citizens, the GDPR will apply to you.
Disclaimer
This guide is neither a magnum opus on EU data privacy nor legal advice
for your company to use in complying with EU data privacy laws like the
GDPR. Instead, it provides background information to help you better
understand how HubSpot has addressed some important legal points.
This legal information is not the same as legal advice, where an attorney
applies the law to your specific circumstances, so we insist that you consult
an attorney if you’d like advice on your interpretation of this information or
its accuracy. In a nutshell, you may not rely on this paper as legal advice,
nor as a recommendation of any particular legal understanding.
CHAPTER 1
Data Protection Before The GDPR
You’re likely hearing a lot about the GDPR, but did you know we’ve had
data protection legislation in the EU for quite a while already? Although
the 1995 EU Data Protection Directive will be replaced by the GDPR next
May, the Directive sets out the eight data protection principles which have
been governing the treatment of personal data by organisations for over
two decades! Since the GDPR builds on and enhances these principles,
we recommend you familiarise yourself with the current laws before you
dive into the changes under the GDPR.
If you want to read more about the 1995 Directive and eight original data
protection principles, please read our FAQ section to learn more.
Although the DPD will be replaced by the GDPR, it sets out the eight data
protection principles which the GDPR builds on. These rules govern how
organisations should treat personal data and are set out below:
• Obtain and process the personal data fairly.
• Keep it only for one or more specified and lawful purposes.
• Process it only in ways compatible with the purposes for which it was
given to you initially.
• Keep it safe and secure.
• Keep it accurate and up-to-date.
• Ensure that it is adequate, relevant and not excessive.
• Retain it no longer than is necessary for the specified purpose or
purposes.
• Give a copy of his/her personal data to any individual, on request.
The DPD is a Directive, which is a legislative act that sets out a goal that all
EU countries must achieve. However, it is up to the individual countries to
devise their own laws on how to reach these goals. In Ireland for example,
the goals of the DPD were implemented through the Irish Data Protection
Act, 1998. A Regulation on the other hand, such as the GDPR, is a binding
legislative act which applies in its entirety across the EU.
CHAPTER 2
GDPR Glossary
The GDPR was written by lawyers, so it should come as no surprise that
it’s got a good bit of legal jargon sprinkled in there. But don’t worry, our
glossary will help you understand the most important definitions below:
Data Subject
A person who lives in the EU.
Personal Data
Any information related to an identified/identifiable data subject (e.g.,
name, national ID number, address, IP address, health info).
Controller
A company/organisation that collects people’s personal data and makes
decisions about what to do with it. So if you’re collecting personal data and
are determining how it will be processed (for example, using the HubSpot
services to market to prospects and customers), you’re the Controller of that
data and must comply with applicable data privacy legislation accordingly.
Processor
A company/organisation that helps a controller by “processing” data
based on its instructions, but doesn’t decide what to do with data. So for
example, HubSpot is the processor of the data you collect in your HubSpot
portal. We don’t control how you collect or use the data; we merely process
it on your behalf and on your instruction.
Processing
Any operation or set of operations which is performed on personal data
or on sets of personal data, by automated means or otherwise, such
as collection, recording, organisation, structuring, storage, adaptation
or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
Data Protection Officer (DPO)
A representative for a controller/processor who oversees GDPR compliance
and is a data-privacy expert.
Data Privacy Impact Assessment (DPIA)
A documented assessment of the usefulness, risks, and risk-mitigation
options for a certain type of processing.
Supervisory Authority
Formerly called “data protection authorities”; one or more governmental
agencies in a member state who oversee that country’s data privacy
enforcement (e.g., Ireland’s Office of the Data Protection Commissioner,
Germany’s 18 national/regional authorities).
Third Countries
Countries outside the EU.
Standard Contractual Clauses
The SCCs, a/k/a “model clauses”, are standardised contract language
(approved by the European Commission) that is one method of permission
for controllers/processors to send personal data to third countries. The
SCCs are included in Exhibit 1 of our Data Processing Agreement.
CHAPTER 3
Changes Made Under The GDPR
1) Individual’s Rights
Consent
Whenever a data subject is about to submit their personal information, the
data controller (usually a company) has to make sure the data subject has
given their consent. The GDPR steps up the standard for disclosures when
obtaining consent, as it needs to be “freely given, specific, informed and
unambiguous,” with controllers using “clear and plain” legal language
that is “clearly distinguishable from other matters”.
Controllers will also be required to provide evidence that their processes
are compliant and followed in each case. Previously, under the DPD,
consent could be inferred from an action or inaction in circumstances where
the action or inaction clearly signified consent. Thus, the Directive left
open the possibility of an “opt-out” mechanism. However, that will change
under the GDPR, which requires the data subject to signal agreement by
“a statement or a clear affirmative action.”
Essentially, your customer cannot be forced into consent, or be unaware
that they are consenting to the processing of their personal data. They
must also know exactly what they are consenting to and they must be
informed in advance of their right to withdraw that consent.
Obtaining consent requires a positive indication of agreement – it cannot
be inferred from silence, pre-ticked boxes or inactivity. This means that
informing the user during the opt-in will become more important in the
future.
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a “right to
be forgotten” that requires controllers to alert downstream recipients of
deletion requests and a “right to data portability” that allows data subjects
to demand a copy of their data in a common format.
These two rights will now make it easier for users to request that any
information stored should be deleted or that information that has been
collected should be shared with them.
Access Requests
Data subjects always had a right to request access to their data. But the
GDPR enhances these rights. In most cases, you will not be able to charge
for processing an access request, unless you can demonstrate that the
cost will be excessive. The timescale for processing an access request will
also drop to a 30 day period.
In certain cases, organisations may refuse to grant an access request,
for example where the request is deemed manifestly unfounded or
excessive. However, organisations will need to have clear refusal policies
and procedures in place and demonstrate why the request meets these
criteria.
2) Internal Procedures
Privacy by Design and DPIA
There are several new principles for entities that handle personal data,
including a requirement to build in data privacy “by design” when
developing new systems and an obligation to perform a Data Privacy
Impact Assessment (DPIA) when processing using “new technologies”
or in risky ways. A DPIA is a process of systematically considering the
potential impact that a project or initiative might have on the privacy of
individuals so that potential privacy issues can be identified before they
arise, giving the organisation time to come up with a way to mitigate them
before the project is underway.
Data Privacy Officer
On the security side, the GDPR will require many businesses to have a
Data Privacy Officer (DPO) to help oversee their compliance efforts.
Organisations requiring DPOs include public authorities and organisations
who process what is currently known as sensitive personal data on a large
scale. While the GDPR currently preserves the DPD’s approved methods
for ensuring “adequacy” when transferring personal data to third countries
(including the Privacy Shield and the Model Clauses), DPOs will also be
helpful in overseeing a controller’s relationships with vendors who process
and store personal data, helping to review vendors’ security practices and
inform vendors of data subject requests.
Contracts & Privacy Documentation
Since the GDPR is all about transparency and fairness, Controllers and
Processors will need to review their Privacy Notices, Privacy Statements
and any internal data policies to ensure they meet the requirements under
the GDPR.
If a Controller engages third party vendors to process the personal data
under their control, they will need to ensure their contracts with those
Processors are updated to include the new, mandatory Processor provisions
set out in Article 28 of the Regulation. Similarly, Processors should consider
what changes they’ll need to make to their customer contracts to be GDPR
ready by May 2018.
3) Supervisory Authorities
One-Stop Shop
One particular item in the GDPR should serve to make the lives of these
DPOs easier: the GDPR’s new “one-stop shop” provision, under which
organisations with offices in multiple EU countries will have a “lead
supervisory authority” to act as a central point of enforcement so they don’t
struggle with inconsistent directions from multiple supervisory authorities.
Reporting Breaches
The GDPR contains a new requirement that controllers must notify their
country’s supervisory authority of a personal data breach within 72 hours
of learning of it, unless the data was anonymised or encrypted. In practice,
this will mean that most data breaches must be reported to the DPC.
Breaches that are likely to bring harm to an individual – such as identity
theft or breach of confidentiality – must also be reported to the individuals
concerned.
4) Scope, Accountability and Penalties
Scope
While the current legislation, the 1995 EU Data Protection Directive,
governs entities within the EU, the territorial scope of the GDPR is far
wider, in that it will also apply to non-EU businesses who market their
products to people in the EU or who monitor the behaviour of people in
the EU. In other words, even if you’re based outside of the EU but you
control or process the data of EU citizens, the GDPR will apply to you.
Accountability
This new concept will require Controllers and Processors to be able to
demonstrate their compliance with the GDPR to their local supervisory
authority. Processes should be recorded, implemented and reviewed on
a regular basis. Staff should be trained and appropriate technical and
organisational measures should be taken to ensure and demonstrate
compliance.
Severe Penalties
The importance of the GDPR’s new provisions is underscored by the new
penalties it imposes for violations. Depending on the type of violation
in question, controllers and processors who mishandle personal data or
otherwise violate data subjects’ rights could incur fines of up to €20 million
or 4% of their global annual revenue (whichever is greater).
CHAPTER 4
How Prepared Are Marketers For The GDPR?
So, how prepared are marketers for the GDPR? (Spoiler alert: The answer is “not very.”) And for those who are, what are they doing to prepare for May 2018, when the GDPR comes into force? To understand that, we’ll go over how consumers view the GDPR, which informs the way marketers should be thinking about it. Then, we’ll dive into the ways businesses are preparing.
How Consumers View the GDPR
HubSpot surveyed consumers in the UK, Ireland, Germany, Austria, and
Switzerland about their general opinions on data privacy laws. In total,
81% agree these laws are a good thing. And after receiving a detailed
description of the GDPR, 90% agreed that the principles established by
the GDPR were good for consumers.
Consumers Agree the GDPR Is a Good Thing
Among EU consumers, data privacy laws are well-received -- especially the
GDPR. It’s interesting to note that this feedback comes from an audience
outside of the U.S., where data breaches have been making headlines for
years -- most recently, two of the more noteworthy incidents came from
Equifax and Uber.
That reinforces the idea that U.S.-based companies should still be highly
concerned with this European Regulation. Data security is a global issue
-- and in this age, it’s easy to observe what’s happening in other countries.
This is where regulations similar to that of the GDPR become the
marketer’s responsibility. In a recent webinar led by BetterCloud, digital
security expert Jodi Daniels spoke to the importance of GDPR as a brand
awareness issue. Calling it a “big competitive advantage,” she noted that
complying with and prioritising data security laws sends the message to
users that you care about their safety.
That concern and transparency is something that a growing number of
consumers will not only expect, but demand. In fact, we found that 91% of
consumers expect companies they work with to be completely transparent
about how, exactly, their data is being used -- which can cause hesitation
in submitting data.
However, that’s just the beginning.
Even if a company is completely transparent about the use of personal data,
less than a quarter of consumers would still find them “very trustworthy”
-- and half of consumers would find them “somewhat trustworthy.”
In other words, when it comes to truly earning the trust of consumers,
marketers and their businesses certainly have their work cut out for them
-- and we suspect that much of this sentiment is the result of the recent
data breaches we mentioned earlier. GDPR compliance is a big, crucial
step.
So, what are some of the ways in which businesses are preparing for this
Regulation that will take effect in roughly six months?
How Prepared Are Marketers for the GDPR?
We surveyed business leaders about five months before the GDPR is set to
come into force and our data doesn’t show the most promising picture. Of
the 363 business leaders and marketers we surveyed, only 36% of them stated that they had heard of the GDPR.
Yes, you read the above information correctly: Less than half of the business
leaders and marketers we surveyed are even aware of the GDPR. And as
for how much preparatory knowledge they have about the Regulation in
general -- well, that’s not looking too encouraging, either.
But not all hope is lost. There is some preparation underway, and for
the most part, companies (about half of those represented by those we
surveyed) are addressing the GDPR by updating their contracts and data
protection policies, and many of them are working with their vendors to do
the same.
However, what’s less encouraging is that 22% of our survey participants
admitted that, at the time of taking the survey, they hadn’t started doing
anything yet to prepare for the GDPR.
That lack of preparation could be the indirect result of the fear that some
marketers seem to have of the GDPR’s impact on their businesses. Over
half of them, for example, expect to see their email marketing lists shrink.
That expectation could stem from the GDPR’s inclusion of the “right to
erasure,” which is essentially the right of an individual to request that all
personal data about him or herself is erased by the “controller” of that
data (i.e., the organization that collected the data) without undue delay in
certain circumstances. And given that option, 59% of European consumers
say they would take it.
Finally, it seems that marketers and business leaders are largely preparing
to change the ways they collect consumer data. Email opt-ins and
sales-related calling practices will largely be impacted, many expect, and
marketing teams will continue to grow their focus on such outreach tools
as social media and traffic-building content and SEO strategies.
Simply put, consumers in Europe view the GDPR with a highly positive
sentiment, and marketers need to respond in kind. As transparency
becomes even more valued, companies can view it, in part, as a vehicle of
brand awareness -- one that will now be dictated by strict rules.
If you still have questions, we’ll continue to follow the GDPR closely
past May 2018, when it comes into force. In the meantime, use our GDPR
checklist in this guide to work on GDPR compliance or watch our GDPR
Webinar “Countdown To May 25th”.
CHAPTER 5
Frequently Asked Questions
1) “Will double-opt-in be mandatory?”
For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism
where a person must confirm their email address after initially signing up.
The GDPR does not require double-opt-in (though certain countries may
make this mandatory). It’s worth noting that subscribers to the HubSpot
service may already choose to enable double-opt-in functionality in their
portals as an additional protective measure in proving they obtained the
required consent.
At the time of writing, the Article 29 Working Party has not provided any
official instructions that would suggest this mechanism is mandatory under
the GDPR. It should be noted that HubSpot subscribers already have the
ability to enable the dual enrollment feature in their portal, which gives
them an additional means of proving that they have obtained the required
consent.
2) “How will Brexit impact the compliance for businesses based in the UK?”
In June 2016, a majority of UK voters voted in favour of leaving the EU
in the “Brexit” referendum. In March 2017, Theresa May gave notice to
leave the EU under Art. 50 which triggered the commencement of the
Brexit negotiations and meant that the UK will leave the EU on the sooner
of withdrawal terms being agreed and the expiry of two years from giving
notice, so by end March 2019.
Therefore, it’s highly likely that the UK will still be part of the EU by the
May 2018 GDPR deadline. This means if you’re based in the UK, you’ll
need to work on your compliance as if Brexit never occurred.
The UK has drafted legislation to update the current Data Protection Act
(DPD) in line with the GDPR. The bill is currently working its way through
the UK Parliament.
If you’re based outside the UK but have vendors or affiliates in the UK
with whom you share personal data, you’ll also need to keep an eye on
developments in this area. When the UK leaves, cross-border data flows
may not automatically have adequate safeguards and therefore additional
protections may be required to protect data you transfer to the UK.
3) “How will the Rights of Individuals be affected by the GDPR?”
Individuals already have a lot of rights which protect their personal data
under the 1995 Data Protection Directive, but the GDPR significantly
strengthens these rights such that data subjects can now:
• Obtain details about how their data is processed by an organisation or
business;
• Obtain copies of personal data that an organisation holds on them;
• Have incorrect or incomplete data corrected;
• Have their data erased by an organisation, where, for example, the
organisation has no legitimate reason for retaining the data;
• Obtain their data from an organisation and to have that data transmitted
to another organisation (Data Portability);
• Object to the processing of their data by an organisation in certain
circumstances;
• Not to be subject to (with some exceptions) automated decision making,
including profiling.
4) “Will data now have to be stored in the EU?”
No. There is no obligation under the GDPR for data to be stored in the
EU and the rules regarding transfer of personal data outside the EU will
not change. This means that, as long as the personal data is “adequately
protected”, data may be transferred abroad. For example, the EU has
prepared a list of countries which they deem to provide an adequate
standard of protection (known as “white listed countries”), so it is
permissible to transfer data to those countries.
5) “Where can I find additional resources?”
We’ve compiled a list of additional sites with more information about the
new regulation below. Please feel free to check them out.
• Our GDPR Webinar “Countdown To May 25th”
• The Irish Data Protection Commissioner’s GDPR website
• Guidance from the German Federal Commissioner for Data Protection
on the GDPR
• HubSpot’s Data Privacy Resources Page
• EU Data Protection Supervisor
• HubSpot’s Security Program
• Find your Supervisory Authority
• Full text of the GDPR
• Full text of the GDPR in German
• The EU’s GDPR website
6) “When should I be compliant with the GDPR?”
The EU General Data Protection Regulation (GDPR) will take effect on May
25, 2018.
CHAPTER 6
The Changes Within HubSpot
As we approach May 2018, HubSpot is focused on GDPR compliance
efforts. During this implementation period for the Regulation, we are
evaluating new requirements and restrictions imposed by the GDPR and
will take any action necessary to ensure that we handle customer data in
compliance with applicable law by the 2018 deadline.
You’ll receive notifications of new functionality and changes to our Terms
within your HubSpot portal in the usual way.
Product Changes
Our tech and security teams are currently hard at work making necessary
changes to the HubSpot service to ensure we’re compliant by the May
2018 deadline and to help you meet your obligations under the GDPR to
the extent that you use HubSpot to collect and store EU personal data.
We will be providing updates before the May 2018 deadline setting out
the steps we will be taking to ensure that both we and our product are
compliant with the GDPR in advance of the deadline.
Our Legal Documentation
Our Legal team are also busy ensuring our legal documentation (namely
our Customer Terms of Service, our Data Processing Agreement and our
Privacy Policy) will be updated to reflect any product changes and to
include the mandatory Processor provisions required by Article 28 of the
GDPR. We’ll keep you updated as these changes are implemented and
we’ll also notify you ‘in portal’ in the usual way.
Transfers Outside the EU
HubSpot, Inc. maintains a Privacy Shield certification with the U.S.
Department of Commerce which ensures that adequate safeguards are in
place when we transfer personal data from the EU to the US. References
to our Privacy Shield certification are included in both our Customer Terms
of Service (check out section F.2) and in our Privacy Policy.
We also offer a Data Processing Agreement (which contains the EU approved
Model Clauses) to certain EU/EEA based customers upon request. The
good news is that the rules regarding transfers of personal data abroad
don’t change under the GDPR so we’ve already got you covered!
Good News: We’re enhancing the HubSpot platform to enable easier compliance with GDPR
Check out our brand new product readiness page to get the full scoop.
CHAPTER 7
GDPR Checklist
Since every business is different and the GDPR takes a risk-based approach
to data protection, companies should work to assess their own data
collection and storage practices (including the ways they use HubSpot’s
marketing and sales tools) and seek their own legal advice to ensure that their
business practices comply with the GDPR. In determining your next steps,
here are some of the questions you should consider.
The Assessment
• What personal data do we collect/store?
• Have we obtained it fairly? Do we have the necessary
consents required and were the data subjects informed
of the specific purpose for which we’ll use their data?
Were we clear and unambiguous about that purpose
and were they informed of their right to withdraw
consent at any time?
• Are we ensuring we aren’t holding it for any
longer than is necessary and keeping it up-to-date?
• Are we keeping it safe and secure using a level of
security appropriate to the risk? For example, will
encryption or pseudonymisation be required to protect
the personal data we hold? Are we limiting access to
ensure it is only being used for its intended purpose?
• Are we collecting or processing any special categories
of personal data, such as ‘Sensitive Personal Data’,
children’s data, biometric or genetic data etc. and if so,
are we meeting the standards to collect, process and
store it?
• Are we transferring the personal data outside the EU
and if so, do we have adequate protections in place?
The GDPR Project Plan
• Have we put a project plan together to ensure
compliance by the May 2018 deadline?
• Have we secured buy-in at executive level to ensure
we have the required resources and budget on hand to
move the project forward?
• Do we require a Data Privacy Impact Assessment?
• Do we need to hire a Data Privacy Officer?
• Are we implementing a policy of ‘Data Protection by
Design and Default’ to ensure we’re systematically
considering the potential impact that a project or
initiative might have on the privacy of individuals?
The Procedures and Controls
• Are our Security team informed to ensure they’re aware
of their obligations under the GDPR and do they have
sufficient resources to implement any required changes
or new processes?
• Do we have GDPR compliant procedures in place to
handle requests from data subjects to modify, delete or
access their personal data?
• Do we have security notification procedures in place
to ensure we meet our enhanced reporting obligations
under the GDPR in case of a data breach in a timely
manner?
• Are our staff trained in all areas of EU data privacy to
ensure they handle data in a compliant manner?
• Do we review and audit the data we hold on a regular
basis?
The Documentation
• Do we have a Privacy Policy in place and if so, do we
need to update it to comply with the GDPR?
• Do we have a defined policy on retention periods for
all items of personal data, from customer, prospect and
vendor data to employee data? Is it compliant with the
GDPR?
• Are our internal procedures adequately documented?
• If we’re a data processor, have we updated our
contracts with the relevant controllers to ensure they
include the mandatory provisions set out in Art. 28 of
the GDPR?
• In cases where our third-party vendors are processing
personal data on our behalf, have we ensured our
contracts with them have been updated to include
those same processor requirements under the GDPR?
Conclusion
While there is a lot that organisations must do to ensure they comply
with the GDPR, at HubSpot, we’re welcoming it. In fact, we see three big
changes that explain why marketers should welcome it too.
1) People’s attention will be treated with the respect it deserves.
For marketers to succeed when the GDPR comes into force, they’re going
to have to focus on providing even more value to customers. This means
the job of a marketer is going to get more difficult. They will have to work
hard (really hard) to attract consumers and earn the right to speak with
people. But they should -- attention is a valuable commodity, and in truth,
it’s been abused by marketers over the years.
2) Greater transparency between people and the companies that hold their data.
If the GDPR is successful it will provide greater transparency and control to
EU citizens over how their data is being used by organisations. Transparency
is key. Today, few people see the benefits of sharing data, but they often
do because they want to use a service or product. Forcing companies that
collect data to become transparent means they will need to communicate
and provide value to the person.
We expect greater communication and transparency around data collection
will lead to better understanding about why people should share data.
3) A higher bar for marketers has been set.
Let’s not fool ourselves -- the GDPR is going to (forcibly) raise the bar for
marketers. Tactics which don’t have GDPR-compliant consent mechanisms
built in will be consigned to the history books. This means marketers will
need fresh thinking and have to innovate. The end result is that to succeed
in this new reality and comply with the GDPR, we’re going to see better,
more creative and thoughtful marketing.
We see the GDPR as a watershed moment for the marketing industry. It’s
rightly causing many organisations to rethink how they approach marketing,
but it’s also a huge opportunity for businesses to articulate the importance
of people sharing their data and how it leads to greater personalisation,
better products and services, and a more efficient data economy.
For too long businesses have remained silent on this issue. A discussion is
long overdue and we’re excited to help shape it.