path with HubSpot E-Privacy Regulation and GDPR: On the safe and the GDPR in th… · Overview: You need a legal reason to use a contacts data. Consent Legitimate Interest That legal

www.bee-inbound.ch

Welcome To

E-Privacy Regulation and GDPR: On the safe path with HubSpot

1

www.bee-inbound.ch

What is a HUG?

2

www.bee-inbound.ch

Who's speaking?

Romy Fuchs• HubSpot Certified Trainer• Inbound fan in every way• Head of Marketing of BEE Inbound

3

www.bee-inbound.ch

short introduction BEE Inbound AG4

www.bee-inbound.ch

Agenda

16:00

16:05

17:05

Welcome and introduction round

E-Privacy Regulation and DSGVO: On the safe path with HubSpot

Questions and exchange of experience

5

E-Privacy and the GDPR in the HubSpot ProductZürich HUG - June 18th 2020

Overview of theHubSpot GDPR Tools

Quentin Lauth, Inbound Consultant

Zürich HUG - June 18th 2020

Quentin Lauth - Inbound Consultant

Zürich HUG - June 18th 2020

Before we start...

While all the following features live in HubSpot, your own legal counsel will give you the best compliance advice for your specific situation. As much as we'd love to help answer legal questions, we'll stick to what we know best: Inbound strategy and the HubSpot platform. In addition, while the features help to enable compliance, there's no one-size-fits all solution. Every circumstance is different. Ultimately, it's up to you and your team to determine what compliance looks like to your business.

Zürich HUG - June 18th 2020

1. What is the GDPR2. Lawful Basis3. Enabling GDPR Settings4. Transitioning to GDPR5. GDPR Forms6. Cookie Banner7. Right to be forgotten8. Useful GDPR Resources9. Questions

AGENDA

What is the GDPR?

High Level Overview

What is the GDPR?

● Introduced May 25th 2018● Collection of Data Protection Laws● Applicable to all businesses working with customers in

the EU● 99 Articles in total● Article 5 - Principles relating to data processing

○ Lawfulness, Fairness and Transparency○ Purpose Limitations○ Data Minimization○ Accuracy○ Storage Limitation○ Integrity and Confidentiality○ Accountability and Compliance*

● Article 17 - Right to be forgotten

High Level Overview

Zürich HUG - June 18th 2020

Using HubSpot does not mean you are GDPR compliant!

Zürich HUG - June 18th 2020

HubSpot provides the tools to help you work towards GDPR compliance.

Zürich HUG - June 18th 2020

CAR MANUFACTURER MAKES A CAR

Zürich HUG - June 18th 2020

CAR SHIPPED ALL OVER THE WORLDZürich HUG - June 18th 2020

EACH COUNTRY HAS ITS OWN RULES OF THE ROAD

Zürich HUG - June 18th 2020

MOST WILL OBEY THE RULES

Zürich HUG - June 18th 2020

OTHERS WILL NOT

Zürich HUG - June 18th 2020

PEOPLE ARE WATCHING AND RESPONSIBILITY IS ON THE CAR OWNER, NOT THE CAR COMPANY.

Zürich HUG - June 18th 2020

Lawful Bases

Process and Communicate

Zürich HUG - June 18th 2020

Lawful BasisOverview:

● You need a legal reason to use a contacts data.○ Consent○ Legitimate Interest

● That legal basis can be in the form of “Consent” from the user. Or it could be in the “Legitimate interest” of your business. It’s entirely up to you which approach you take. HubSpot gives you the means to do this.○ Legitimate Interest - Prospect/Lead○ Legitimate Interest - Existing Customer○ Legitimate Interest - Other○ Performance of a Contract○ Freely Given Consent from Contact○ Not Applicable

● Lawful basis to Process = Contact Property● Lawful basis to communicate = Subscription Types Zürich HUG - June 18th 2020

What is lawful basis to Process?

Zürich HUG - June 18th 2020

Lawful Basis to Process

● Under the General Data Protection Regulation (GDPR), companies need a lawful reason to use and process contact data and must keep records of consent and evidence other lawful purposes of processing.

● The contact property Legal basis for processing contact's data allows you to collect, track, and store lawful basis of processing via contract, legitimate interest, and/or consent for your HubSpot contacts.

● Can be managed in a variety of ways● At any stage you can retrieve the history of this property for auditing

purposes and show the time and date it what set and in relation to what source.

Contact Property

Zürich HUG - June 18th 2020

How can I add lawful basis to process?

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process- Contact Record

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process - Import

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process - In Bulk

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process - via Workflow

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process - via a Form

Zürich HUG - June 18th 2020

Lawful Basis to ProcessManage Lawful Basis to Process - API

Zürich HUG - June 18th 2020

What is Lawful Basis to Communicate?

Zürich HUG - June 18th 2020

Lawful Basis to Communicate

● Subscription types capture three states to represent a contact’s subscription status. Whereas email types had two states (the default of “not opted out” and “opted out”), subscription types have three: opted in, not opted in or out (default), and opted out. Essentially, a “yes,” a “neutral,” and a “no.”

● You can easily segment contacts based on the subscriptions they’ve opted into, opted out of or not opted in or out. You can also review the data from the contact record.

● You can manage subscription types in a variety of ways.

Subscription Types

Zürich HUG - June 18th 2020

How do I manage my subscription types?

Zürich HUG - June 18th 2020

Lawful Basis to CommunicateManage Subscription Types - Contact Record

Zürich HUG - June 18th 2020

Lawful Basis to CommunicateManage Subscription Types - In Bulk

Zürich HUG - June 18th 2020

Lawful Basis to CommunicateManage Subscription Types - via Workflow

Zürich HUG - June 18th 2020

Lawful Basis to CommunicateManage Subscription Types - Using a Form

Zürich HUG - June 18th 2020

Lawful Basis to CommunicateManage Subscription Types - Using the API

Zürich HUG - June 18th 2020

Enabling GDPR SettingsWhat to expect and how to do it

Zürich HUG - June 18th 2020

Enabling GDPR Settings

● Right now, everything is disabled. The portal is in the same state it was in before GDPR came into existence.

● The “Old World”

Step 1: Navigate to Settings

Zürich HUG - June 18th 2020

Enable GDPR Settings

● Enabled settings but not into the “New World” just yet.○ Cookie Banner is toggled on by default○ Ability to perform a GDPR delete activated○ Email Send notice for non-opted in contacts○ Banner on Sales extension notifying if contact has not provided lawful

basis to process○ GDPR ready forms - legal basis dropdown○ Unsubscribe links turned on by default (Sales 1:1 email)○ Meeting link will include notice/consent text by default○ Ability to add subscription types and legal basis to process

Step 2: Enable the Toggle

Zürich HUG - June 18th 2020

Enable GDPR Settings

● Portal is now in “full GDPR” mode. ● You can only send to a contact who has a valid email subscription type. ● Does not apply to any contact with “Legal Basis to Process” set to Non

Applicable. ● Only enable this checkbox when you are satisfied that all contacts in

the portal have a valid subscription type applied and automation, forms are configured.

Step 3: Enable the Toggle

Zürich HUG - June 18th 2020

THE NEW WORLD THE OLD WORLD

Zürich HUG - June 18th 2020

THE NEW WORLD THE OLD WORLD

Zürich HUG - June 18th 2020

Transitioning from the old world to the new worldA beginners guide

Zürich HUG - June 18th 2020

Transition from the old to the new

● They allowed contacts to opt out of emails (Marketing Newsletter)● They gave you a way of categorizing your emails and ensuring the

relevant contacts got the emails● There was no concept of being opted in. No way to connect a form

submission with an email type. When a contact was created they were “not opted out”. They were eligible to receive all email types upon creation. For GDPR this is bad.

● Two states = Not Opted out or Opted out

Email Types vs Subscriptions

Zürich HUG - June 18th 2020

Transition from the old to the new

● Three states. Opted in, Not Opted in or out, Opted Out (Yes, Neutral, No).

● You can capture the types of email a contact wants to opt in to on form submission.

● Specify a Process and Operation.● There is a checkbox that makes transitioning from old to new easier for

you!

Email Types vs Subscriptions

Zürich HUG - June 18th 2020

How do I apply lawful basis to communicate with my existing contacts?

Zürich HUG - June 18th 2020

Transition from the old to the new

● Legitimate Interest, bulk apply to all contacts● Assuming you want to use consent as lawful basis then permission pass

campaign○ Insert Subscription Link {{ subscription_confirmation_url }}

■ When clicked contact opts in to all subscriptions● Map Custom properties to subscription type

■ Opt in to Email Type A■ Opt in to Email Type B■ Opt in to Email Type C

How to apply legal basis to communicate with existing contacts

Zürich HUG - June 18th 2020

GDPR FormsHow to create and customize them

Zürich HUG - June 18th 2020

GDPR Forms

● Dropdown “Notice and Consent / Legitimate Interest (GDPR)”

● Capture legal basis to process and communicate. (Consent)

How to create and customize them

Zürich HUG - June 18th 2020

GDPR FormsHow to create and customize them

Zürich HUG - June 18th 2020

GDPR FormsHow to create and customize them

Zürich HUG - June 18th 2020

GDPR FormsHow to create and customize them

Zürich HUG - June 18th 2020

GDPR Forms

● CSS Selector: .legal-consent-container

Styling GDPR forms

Zürich HUG - June 18th 2020

GDPR Forms

● CSS

Customizing Default Text

Zürich HUG - June 18th 2020

Double Opt-InHow to enable it

Zürich HUG - June 18th 2020

Double Opt-In

● DOI allows you to send a confirmation email to any contacts created from a form submission (or via the Forms API)

● DOI is applied automatically to existing contacts who have received Marketing emails - if they haven’t you’ll need to do a permission pass campaign or send the opt-in email manually

Things to know before starting

Zürich HUG - June 18th 2020

Double Opt-InHow to enable it

Zürich HUG - June 18th 2020

Double Opt-InHow to enable it

Zürich HUG - June 18th 2020

Double Opt-InWhat about multilingual DOI?

Zürich HUG - June 18th 2020

This is not an out of the box feature in HubSpot

● Do you really need multiple language variations? For most customers a bi-or tri-lingual email to ask for confirmation is enough

● Alternatively - you could create a custom double opt-in process that will allow you to send multiple variations of the Opt-In email

● As any custom solution, it requires a lot of process mapping and workflow creation - chat to a technical consultant or a partner to implement

Cookie PolicyHow to create and customize them

Zürich HUG - June 18th 2020

Cookie Policy

● Under the GDPR, if a contact of yours is an EU citizen, they must be given notice that you're using cookies to track them (in a language they can understand), and they need to consent to being tracked by cookies.

● Settings > Reports > Tracking Code > Cookie Policy● If user accepts or declines cookies this is captured on their timeline. You

can also create lists of contacts who have accepted, declined or revoked cookies.

Overview

Zürich HUG - June 18th 2020

Cookie PolicyDefault Settings

Zürich HUG - June 18th 2020

Cookie PolicyNotification Text

Zürich HUG - June 18th 2020

Cookie PolicyDomain and Path

Zürich HUG - June 18th 2020

Cookie PolicyStyle

Zürich HUG - June 18th 2020

Cookie PolicyRemove Cookies

Zürich HUG - June 18th 2020

Cookie PolicyGranual Cookie Management tools

Zürich HUG - June 18th 2020

Cookie Policy

● Checking consent banner status○ If your site uses the privacy consent banner, you can use the

addPrivacyConsentListener function to check the consent status of the visitor. See the documentation for the addPrivacyConsentListener function for more details.

● Removing consent banner cookies○ If you need to remove the consent banner cookies for a visitor, such as in the

case of a GDPR related deletion request, you can use the revokeCookieConsent function. See the documentation for the revokeCookieConsent function for more details.

Advanced Options

Zürich HUG - June 18th 2020

Right to be forgottenPerform a GDPR compliant delete

Zürich HUG - June 18th 2020

Right to be forgotten

● Contact has right to request permanent deletion of their data from your portal.○ Email Activity, Form submissions, page views, engagement history○ EVERYTHING

● 30 days (although it’s specific to the context)● GDPR deletion = blacklist in HubSpot

○ If you attempt to re-add contact you will be notified● While the contact's personal data will be deleted, anonymized analytics

data will remain.○ Form Submissions○ Email Performance○ Traffic Analytics○ Nothing that would identify the contact

Perform a GDPR compliant delete

Zürich HUG - June 18th 2020

Useful GDPR Resources

Highly recommend bookmarking

Zürich HUG - June 18th 2020

YOUR OWN LEGAL COUNSEL

Useful GDPR ResourcesHighly recommend bookmarking these!

● GDPR HubSpot Product Playbook● HubSpot GDPR Overview Page● Knowledgebase GDPR Resources● Turn on GDPR functionality in HubSpot account● Using HubSpot Subscription Types● Manage your contacts subscriptions● Tracking Lawful Basis of Processing in HubSpot● Perform GDPR Compliant Delete in HubSpot● Set Default notice and consent text● Add notice and consent text to HubSpot forms● Customize Cookie Policy and Privacy Alert● Developers Documentation

● How to perform a GDPR compliant delete● GDPR Document● Someone notification on Sales Extension

Zürich HUG - June 18th 2020

Questions

Zürich HUG - June 18th 2020

Final Word

The GDPR isn’t a bad thing and it should not be feared. It’s all about transparency and honesty.

Say what you do and do what you say.

Zürich HUG - June 18th 2020

Thank you

Zürich HUG - June 18th 2020