www.bee-inbound.ch
Welcome To
E-Privacy Regulation and GDPR: On the safe path with HubSpot
What is a HUG?
Who's speaking?
Romy Fuchs
• HubSpot Certified Trainer
• Inbound fan in every way
• Head of Marketing of BEE Inbound
Short introduction BEE Inbound AG
Agenda
16:00 Welcome and introduction round
16:05 E-Privacy Regulation and GDPR: On the safe path with HubSpot
17:05 Questions and exchange of experience
E-Privacy and the GDPR in the HubSpot Product
Zürich HUG - June 18th 2020
Overview of the HubSpot GDPR Tools
Quentin Lauth, Inbound Consultant
Before we start...
While all the following features live in HubSpot, your own legal counsel will give you the best compliance advice for your specific situation. As much as we'd love to help answer legal questions, we'll stick to what we know best: Inbound strategy and the HubSpot platform. In addition, while the features help to enable compliance, there's no one-size-fits-all solution. Every circumstance is different. Ultimately, it's up to you and your team to determine what compliance looks like to your business.
AGENDA
1. What is the GDPR
2. Lawful Basis
3. Enabling GDPR Settings
4. Transitioning to GDPR
5. GDPR Forms
6. Cookie Banner
7. Right to be forgotten
8. Useful GDPR Resources
9. Questions
What is the GDPR?
High Level Overview
● Introduced May 25th 2018
● Collection of Data Protection Laws
● Applicable to all businesses working with customers in the EU
● 99 Articles in total
● Article 5 - Principles relating to data processing
  ○ Lawfulness, Fairness and Transparency
  ○ Purpose Limitations
  ○ Data Minimization
  ○ Accuracy
  ○ Storage Limitation
  ○ Integrity and Confidentiality
  ○ Accountability and Compliance*
● Article 17 - Right to be forgotten
Using HubSpot does not mean you are GDPR compliant!
HubSpot provides the tools to help you work towards GDPR compliance.
CAR MANUFACTURER MAKES A CAR
CAR SHIPPED ALL OVER THE WORLD
EACH COUNTRY HAS ITS OWN RULES OF THE ROAD
MOST WILL OBEY THE RULES
OTHERS WILL NOT
PEOPLE ARE WATCHING AND RESPONSIBILITY IS ON THE CAR OWNER, NOT THE CAR COMPANY.
Lawful Bases
Process and Communicate
Lawful Basis
Overview:
● You need a legal reason to use a contact's data.
  ○ Consent
  ○ Legitimate Interest
● That legal basis can be in the form of “Consent” from the user, or it could be in the “Legitimate interest” of your business. It’s entirely up to you which approach you take. HubSpot gives you the means to do this.
  ○ Legitimate Interest - Prospect/Lead
  ○ Legitimate Interest - Existing Customer
  ○ Legitimate Interest - Other
  ○ Performance of a Contract
  ○ Freely Given Consent from Contact
  ○ Not Applicable
● Lawful basis to process = Contact Property
● Lawful basis to communicate = Subscription Types
What is lawful basis to Process?
Lawful Basis to Process
Contact Property
● Under the General Data Protection Regulation (GDPR), companies need a lawful reason to use and process contact data and must keep records of consent and evidence of other lawful purposes of processing.
● The contact property "Legal basis for processing contact's data" allows you to collect, track, and store lawful basis of processing via contract, legitimate interest, and/or consent for your HubSpot contacts.
● Can be managed in a variety of ways
● At any stage you can retrieve the history of this property for auditing purposes and show the time and date it was set and in relation to what source.
How can I add lawful basis to process?
Lawful Basis to Process
Manage Lawful Basis to Process - Contact Record
Manage Lawful Basis to Process - Import
Manage Lawful Basis to Process - In Bulk
Manage Lawful Basis to Process - via Workflow
Manage Lawful Basis to Process - via a Form
Manage Lawful Basis to Process - API
What is Lawful Basis to Communicate?
Lawful Basis to Communicate
Subscription Types
● Subscription types capture three states to represent a contact’s subscription status. Whereas email types had two states (the default of “not opted out” and “opted out”), subscription types have three: opted in, not opted in or out (default), and opted out. Essentially, a “yes,” a “neutral,” and a “no.”
● You can easily segment contacts based on the subscriptions they’ve opted into, opted out of or not opted in or out. You can also review the data from the contact record.
● You can manage subscription types in a variety of ways.
How do I manage my subscription types?
Lawful Basis to Communicate
Manage Subscription Types - Contact Record
Manage Subscription Types - In Bulk
Manage Subscription Types - via Workflow
Manage Subscription Types - Using a Form
Manage Subscription Types - Using the API
Enabling GDPR Settings
What to expect and how to do it
Step 1: Navigate to Settings
● Right now, everything is disabled. The portal is in the same state it was in before GDPR came into existence.
● The “Old World”
Enable GDPR Settings
Step 2: Enable the Toggle
● Enabled settings but not into the “New World” just yet.
  ○ Cookie Banner is toggled on by default
  ○ Ability to perform a GDPR delete activated
  ○ Email Send notice for non-opted in contacts
  ○ Banner on Sales extension notifying if contact has not provided lawful basis to process
  ○ GDPR ready forms - legal basis dropdown
  ○ Unsubscribe links turned on by default (Sales 1:1 email)
  ○ Meeting link will include notice/consent text by default
  ○ Ability to add subscription types and legal basis to process
Enable GDPR Settings
Step 3: Enable the Toggle
● Portal is now in “full GDPR” mode.
● You can only send to a contact who has a valid email subscription type.
● Does not apply to any contact with “Legal Basis to Process” set to Not Applicable.
● Only enable this checkbox when you are satisfied that all contacts in the portal have a valid subscription type applied and that automation and forms are configured.
THE NEW WORLD THE OLD WORLD
Transitioning from the old world to the new world
A beginner's guide
Transition from the old to the new
Email Types vs Subscriptions
● Email types allowed contacts to opt out of emails (Marketing Newsletter)
● They gave you a way of categorizing your emails and ensuring the relevant contacts got the emails
● There was no concept of being opted in. No way to connect a form submission with an email type. When a contact was created they were “not opted out”. They were eligible to receive all email types upon creation. For GDPR this is bad.
● Two states = Not Opted out or Opted out
Transition from the old to the new
Email Types vs Subscriptions
● Three states. Opted in, Not Opted in or out, Opted Out (Yes, Neutral, No).
● You can capture the types of email a contact wants to opt in to on form submission.
● Specify a Process and Operation.
● There is a checkbox that makes transitioning from old to new easier for you!
How do I apply lawful basis to communicate with my existing contacts?
Transition from the old to the new
How to apply legal basis to communicate with existing contacts
● Legitimate Interest, bulk apply to all contacts
● Assuming you want to use consent as lawful basis then permission pass campaign
  ○ Insert Subscription Link {{ subscription_confirmation_url }}
    ■ When clicked contact opts in to all subscriptions
● Map Custom properties to subscription type
    ■ Opt in to Email Type A
    ■ Opt in to Email Type B
    ■ Opt in to Email Type C
GDPR Forms
How to create and customize them
● Dropdown “Notice and Consent / Legitimate Interest (GDPR)”
● Capture legal basis to process and communicate. (Consent)
GDPR Forms
Styling GDPR forms
● CSS Selector: .legal-consent-container
GDPR Forms
Customizing Default Text
● CSS
Double Opt-In
How to enable it
Things to know before starting
● DOI allows you to send a confirmation email to any contacts created from a form submission (or via the Forms API)
● DOI is applied automatically to existing contacts who have received Marketing emails - if they haven’t you’ll need to do a permission pass campaign or send the opt-in email manually
Double Opt-In
What about multilingual DOI?
This is not an out-of-the-box feature in HubSpot
● Do you really need multiple language variations? For most customers a bi- or tri-lingual email to ask for confirmation is enough
● Alternatively - you could create a custom double opt-in process that will allow you to send multiple variations of the Opt-In email
● As with any custom solution, it requires a lot of process mapping and workflow creation - chat to a technical consultant or a partner to implement
Cookie Policy
How to create and customize them
Overview
● Under the GDPR, if a contact of yours is an EU citizen, they must be given notice that you're using cookies to track them (in a language they can understand), and they need to consent to being tracked by cookies.
● Settings > Reports > Tracking Code > Cookie Policy
● If a user accepts or declines cookies, this is captured on their timeline. You can also create lists of contacts who have accepted, declined or revoked cookies.
Cookie Policy
Default Settings
Notification Text
Domain and Path
Style
Remove Cookies
Granular Cookie Management tools
Cookie Policy
Advanced Options
● Checking consent banner status
  ○ If your site uses the privacy consent banner, you can use the addPrivacyConsentListener function to check the consent status of the visitor. See the documentation for the addPrivacyConsentListener function for more details.
● Removing consent banner cookies
  ○ If you need to remove the consent banner cookies for a visitor, such as in the case of a GDPR related deletion request, you can use the revokeCookieConsent function. See the documentation for the revokeCookieConsent function for more details.
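One way to wire the two functions above into a consent gate that holds non-essential scripts until the visitor accepts (added example, not from the original slides or from HubSpot). `createConsentGate`, `createStubHsp` and `simulateBannerChoice` are hypothetical names, and the stub is a constructed stand-in for the tracking code's `_hsp` queue so the block runs offline.

```javascript
// In a real page the queue is: var _hsp = window._hsp = window._hsp || [];
// Constructed stub standing in for the HubSpot tracking code.
function createStubHsp() {
  const listeners = [];
  const calls = [];
  return {
    calls,
    push(cmd) {
      calls.push(cmd[0]);
      if (cmd[0] === 'addPrivacyConsentListener') listeners.push(cmd[1]);
    },
    // Constructed helper: simulates the visitor answering the banner.
    simulateBannerChoice(allowed) {
      listeners.forEach((fn) => fn({ allowed }));
    },
  };
}

// Hypothetical helper: holds non-essential tasks until consent is given.
function createConsentGate(hsp) {
  const pending = [];
  let allowed = false;
  hsp.push(['addPrivacyConsentListener', (consent) => {
    allowed = Boolean(consent && consent.allowed);
    while (allowed && pending.length) pending.shift()();
  }]);
  return {
    isAllowed: () => allowed,
    whenAllowed(task) {
      if (allowed) task(); else pending.push(task);
    },
    // For a GDPR deletion request: drop the banner cookies, discard queued work.
    forget() {
      hsp.push(['revokeCookieConsent']);
      allowed = false;
      pending.length = 0;
    },
  };
}

function demo() {
  const hsp = createStubHsp();
  const gate = createConsentGate(hsp);
  const loaded = [];
  gate.whenAllowed(() => loaded.push('analytics'));
  const before = loaded.length; // nothing runs before the banner is answered
  hsp.simulateBannerChoice(true);
  gate.whenAllowed(() => loaded.push('chat-widget'));
  gate.forget();
  gate.whenAllowed(() => loaded.push('late-task')); // queued, never run
  return { before, loaded, allowed: gate.isAllowed(), calls: hsp.calls };
}
```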
Right to be forgotten
Perform a GDPR compliant delete
● Contact has right to request permanent deletion of their data from your portal.
  ○ Email Activity, Form submissions, page views, engagement history
  ○ EVERYTHING
● 30 days (although it’s specific to the context)
● GDPR deletion = blacklist in HubSpot
  ○ If you attempt to re-add contact you will be notified
● While the contact's personal data will be deleted, anonymized analytics data will remain.
  ○ Form Submissions
  ○ Email Performance
  ○ Traffic Analytics
  ○ Nothing that would identify the contact
Useful GDPR Resources
Highly recommend bookmarking these!
YOUR OWN LEGAL COUNSEL
● GDPR HubSpot Product Playbook
● HubSpot GDPR Overview Page
● Knowledgebase GDPR Resources
● Turn on GDPR functionality in HubSpot account
● Using HubSpot Subscription Types
● Manage your contacts subscriptions
● Tracking Lawful Basis of Processing in HubSpot
● Perform GDPR Compliant Delete in HubSpot
● Set Default notice and consent text
● Add notice and consent text to HubSpot forms
● Customize Cookie Policy and Privacy Alert
● Developers Documentation
● How to perform a GDPR compliant delete
● GDPR Document
● Someone notification on Sales Extension
Questions
Final Word
The GDPR isn’t a bad thing and it should not be feared. It’s all about transparency and honesty.
Say what you do and do what you say.
Thank you