THE GDPR LAST-MINUTE KIT · The GDPR Last-Minute Kit The GDPR (General Data Protection Regulation)...

THE GDPR LAST-MINUTE KIT

GENERAL DATA PROTECTION REGULATION

How to transform the GDPR from a challenge into an opportunity.

The GDPR Last-Minute Kit

Table Of Contents

Introduction (p. 3)
Disclaimer (p. 4)
Chapter 1: Data Protection Before The GDPR (p. 5)
Chapter 2: Our GDPR Glossary (p. 8)
Chapter 3: Changes Made Under The GDPR (p. 12)
Chapter 4: How Prepared Are Marketers For The GDPR? (p. 19)
Chapter 5: Frequently Asked Questions (p. 27)
Chapter 6: The Changes Within HubSpot (p. 32)
Chapter 7: GDPR Checklist (p. 36)
Conclusion (p. 43)

Introduction

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The full text of the GDPR can be found here and we’ve added a glossary of all the legal terms to this guide.

So why should you care?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

Disclaimer

This guide is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

CHAPTER 1

Data Protection Before The GDPR

You’re likely hearing a lot about the GDPR, but did you know we’ve had data protection legislation in the EU for quite a while already? Although the 1995 EU Data Protection Directive will be replaced by the GDPR next May, the Directive sets out the eight data protection principles which have been governing the treatment of personal data by organisations for over two decades! Since the GDPR builds on and enhances these principles, we recommend you familiarise yourself with the current laws before you dive into the changes under the GDPR.

If you want to read more about the 1995 Directive and the eight original data protection principles, please read our FAQ section.

Although the DPD will be replaced by the GDPR, it sets out the eight data protection principles which the GDPR builds on. These rules govern how organisations should treat personal data and are set out below:

• Obtain and process the personal data fairly.
• Keep it only for one or more specified and lawful purposes.
• Process it only in ways compatible with the purposes for which it was given to you initially.
• Keep it safe and secure.
• Keep it accurate and up-to-date.
• Ensure that it is adequate, relevant and not excessive.
• Retain it no longer than is necessary for the specified purpose or purposes.
• Give a copy of his/her personal data to any individual, on request.

The DPD is a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. In Ireland for example, the goals of the DPD were implemented through the Irish Data Protection Act, 1998. A Regulation on the other hand, such as the GDPR, is a binding legislative act which applies in its entirety across the EU.

CHAPTER 2

GDPR Glossary

The GDPR was written by lawyers, so it should come as no surprise that it’s got a good bit of legal jargon sprinkled in there. But don’t worry, our glossary will help you understand the most important definitions below:

Data Subject: A person who lives in the EU.

Personal Data: Any information related to an identified/identifiable data subject (e.g., name, national ID number, address, IP address, health info).

Controller: A company/organisation that collects people’s personal data and makes decisions about what to do with it. So if you’re collecting personal data and are determining how it will be processed (for example, using the HubSpot services to market to prospects and customers), you’re the Controller of that data and must comply with applicable data privacy legislation accordingly.

Processor: A company/organisation that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data. So for example, HubSpot is the processor of the data you collect in your HubSpot portal. We don’t control how you collect or use the data; we merely process it on your behalf and on your instruction.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, by automated means or otherwise, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer (DPO): A representative for a controller/processor who oversees GDPR compliance and is a data-privacy expert.

Data Privacy Impact Assessment (DPIA): A documented assessment of the usefulness, risks, and risk-mitigation options for a certain type of processing.

Supervisory Authority: Formerly called “data protection authorities”; one or more governmental agencies in a member state who oversee that country’s data privacy enforcement (e.g., Ireland’s Office of the Data Protection Commissioner, Germany’s 18 national/regional authorities).

Third Countries: Countries outside the EU.

Standard Contractual Clauses: The SCCs, a/k/a “model clauses”, are standardised contract language (approved by the European Commission) that is one method of permission for controllers/processors to send personal data to third countries. The SCCs are included in Exhibit 1 of our Data Processing Agreement.

How Consumers View The GDPR

HubSpot surveyed consumers in the UK, Ireland, Germany, Austria, and Switzerland about their general opinions on data privacy laws. In total, 81% agree these laws are a good thing. And after receiving a detailed description of the GDPR, 90% agreed that the principles established by the GDPR were good for consumers.

CHAPTER 3

Changes Made Under The GDPR

1) Individual’s Rights

Consent

Whenever a data subject is about to submit their personal information, the data controller (usually a company) has to make sure the data subject has given their consent. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”.

Controllers will also be required to provide evidence that their processes are compliant and followed in each case. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of an “opt-out” mechanism. However, that will change under the GDPR, which requires the data subject to signal agreement by “a statement or a clear affirmative action.”

Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to the processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent.

Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in will become even more important.

New Rights for Individuals

The regulation also builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests, and a “right to data portability” that allows data subjects to demand a copy of their data in a common format.

These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.

Access Requests

Data subjects always had a right to request access to their data. But the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a 30 day period.

In certain cases, organisations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organisations will need to have clear refusal policies and procedures in place and demonstrate why the request meets these criteria.

2) Internal Procedures

Privacy by Design and DPIA

There are several new principles for entities that handle personal data, including a requirement to build in data privacy “by design” when developing new systems and an obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using “new technologies” or in risky ways. A DPIA is a process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organisation time to come up with a way to mitigate them before the project is underway.

Data Privacy Officer

On the security side, the GDPR will require many businesses to have a Data Privacy Officer (DPO) to help oversee their compliance efforts. Organisations requiring DPOs include public authorities and organisations who process what is currently known as sensitive personal data on a large scale. While the GDPR currently preserves the DPD’s approved methods for ensuring “adequacy” when transferring personal data to third countries (including the Privacy Shield and the Model Clauses), DPOs will also be helpful in overseeing a controller’s relationships with vendors who process and store personal data, helping to review vendors’ security practices and inform vendors of data subject requests.

Contracts & Privacy Documentation

Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements and any internal data policies to ensure they meet the requirements under the GDPR.

If a Controller engages third party vendors to process the personal data under their control, they will need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR ready by May 2018.

3) Supervisory Authorities

One-Stop Shop

One particular item in the GDPR should serve to make the lives of these DPOs easier: the GDPR’s new “one-stop shop” provision, under which organisations with offices in multiple EU countries will have a “lead supervisory authority” to act as a central point of enforcement so they don’t struggle with inconsistent directions from multiple supervisory authorities.

Reporting Breaches

The GDPR contains a new requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it, unless the data was anonymised or encrypted. In practice, this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.

4) Scope, Accountability and Penalties

Scope

While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who market their products to people in the EU or who monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

Accountability

This new concept will require Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained and appropriate technical and organisational measures should be taken to ensure and demonstrate compliance.

Severe Penalties

The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual revenue (whichever is greater).

CHAPTER 4

How Prepared Are Marketers For The GDPR?

So, how prepared are marketers for the GDPR? (Spoiler alert: The answer is “not very.”) And for those who are, what are they doing to prepare for May 2018, when the GDPR comes into force? To understand that, we’ll go over how consumers view the GDPR, which informs the way marketers should be thinking about it. Then, we’ll dive into the ways businesses are preparing.

How Consumers View the GDPR

HubSpot surveyed consumers in the UK, Ireland, Germany, Austria, and Switzerland about their general opinions on data privacy laws. In total, 81% agree these laws are a good thing. And after receiving a detailed description of the GDPR, 90% agreed that the principles established by the GDPR were good for consumers.

Consumers Agree the GDPR Is a Good Thing

Among EU consumers, data privacy laws are well-received -- especially the GDPR. It’s interesting to note that this feedback comes from an audience outside of the U.S., where data breaches have been making headlines for years -- most recently, two of the more noteworthy incidents came from Equifax and Uber.

That reinforces the idea that U.S.-based companies should still be highly concerned with this European Regulation. Data security is a global issue -- and in this age, it’s easy to observe what’s happening in other countries.

This is where regulations similar to that of the GDPR become the marketer’s responsibility. In a recent webinar led by BetterCloud, digital security expert Jodi Daniels spoke to the importance of GDPR as a brand awareness issue. Calling it a “big competitive advantage,” she noted that complying with and prioritising data security laws sends the message to users that you care about their safety.

That concern and transparency is something that a growing number of consumers will not only expect, but demand. In fact, we found that 91% of consumers expect companies they work with to be completely transparent about how, exactly, their data is being used -- which can cause hesitation in submitting data.

However, that’s just the beginning.

Even if a company is completely transparent about the use of personal data, less than a quarter of consumers would still find them “very trustworthy” -- and half of consumers would find them “somewhat trustworthy.”

In other words, when it comes to truly earning the trust of consumers, marketers and their businesses certainly have their work cut out for them -- and we suspect that much of this sentiment is the result of the recent data breaches we mentioned earlier. GDPR compliance is a big, crucial step.

So, what are some of the ways in which businesses are preparing for this Regulation that will take effect in roughly six months?

How Prepared Are Marketers for the GDPR?

We surveyed business leaders about five months before the GDPR is set to come into force and our data doesn’t show the most promising picture. Of the 363 business leaders and marketers we surveyed, only 36% of them stated that they had heard of the GDPR.

Yes, you read the above information correctly: Less than half of the business leaders and marketers we surveyed are even aware of the GDPR. And as for how much preparatory knowledge they have about the Regulation in general -- well, that’s not looking too encouraging, either.

But not all hope is lost. There is some preparation underway, and for the most part, companies (about half of those represented by the people we surveyed) are addressing the GDPR by updating their contracts and data protection policies, and many of them are working with their vendors to do the same.

However, what’s less encouraging is that 22% of our survey participants admitted that, at the time of taking the survey, they hadn’t started doing anything yet to prepare for the GDPR.

That lack of preparation could be the indirect result of the fear that some marketers seem to have of the GDPR’s impact on their businesses. Over half of them, for example, expect to see their email marketing lists shrink. That expectation could stem from the GDPR’s inclusion of the “right to erasure,” which is essentially the right of an individual to request that all personal data about him or herself is erased by the “controller” of that data (i.e., the organisation that collected the data) without undue delay in certain circumstances. And given that option, 59% of European consumers say they would take it.

Finally, it seems that marketers and business leaders are largely preparing to change the ways they collect consumer data. Email opt-ins and sales-related calling practices will largely be impacted, many expect, and marketing teams will continue to grow their focus on such outreach tools as social media, traffic-building content and SEO strategies.

Simply put, consumers in Europe view the GDPR with a highly positive sentiment, and marketers need to respond in kind. As transparency becomes even more valued, companies can view it, in part, as a vehicle of brand awareness -- one that will now be dictated by strict rules.

If you still have questions, we’ll continue to follow the GDPR closely past May 2018, when it comes into force. In the meantime, use our GDPR checklist in this guide to work on GDPR compliance or watch our GDPR Webinar “Countdown To May 25th”.

CHAPTER 5

Frequently Asked Questions

1) “Will double-opt-in be mandatory?”

For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double-opt-in (though certain countries may make this mandatory). It’s worth noting that subscribers to the HubSpot service may already choose to enable double-opt-in functionality in their portals as an additional protective measure in proving they obtained the required consent.

At the time of writing, the Article 29 Working Party has not provided any official guidance that would suggest this mechanism is mandatory under the GDPR. It should be noted that HubSpot subscribers already have the ability to enable the double-opt-in feature in their portal, which gives them an additional means of proving that they have obtained the required consent.

2) “How will Brexit impact the compliance for businesses based in the UK?”

In June 2016, a majority of UK voters voted in favour of leaving the EU in the “Brexit” referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50, which triggered the commencement of the Brexit negotiations and meant that the UK will leave the EU on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by end March 2019.

Therefore, it’s highly likely that the UK will still be part of the EU by the May 2018 GDPR deadline. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred.

The UK has drafted legislation to update the current Data Protection Act in line with the GDPR. The bill is currently working its way through the UK Parliament.

If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards and therefore additional protections may be required to protect data you transfer to the UK.

3) “How will the Rights of Individuals be affected by the GDPR?”

Individuals already have a lot of rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:

• Obtain details about how their data is processed by an organisation or business;
• Obtain copies of personal data that an organisation holds on them;
• Have incorrect or incomplete data corrected;
• Have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
• Obtain their data from an organisation and have that data transmitted to another organisation (Data Portability);
• Object to the processing of their data by an organisation in certain circumstances;
• Not be subject to (with some exceptions) automated decision making, including profiling.

4) “Will data now have to be stored in the EU?”

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as “white listed countries”), so it is permissible to transfer data to those countries.

5) “Where can I find additional resources?”

We’ve compiled a list of additional sites for more information around the new regulation down below. Please feel free to check them out.

• Our GDPR Webinar “Countdown To May 25th”
• The Irish Data Protection Commissioner’s GDPR website
• Guidance from the German Federal Commissioner for Data Protection on the GDPR
• HubSpot’s Data Privacy Resources Page
• EU Data Protection Supervisor
• HubSpot’s Security Program
• Find your Supervisory Authority
• Full text of the GDPR
• Full text of the GDPR in German
• The EU’s GDPR website

6) “When should I be compliant with the GDPR?”

The EU General Data Protection Regulation (GDPR) will take effect on May 25, 2018.

CHAPTER 6

The Changes Within HubSpot

As we approach May 2018, HubSpot is focused on GDPR compliance efforts. During this implementation period for the Regulation, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline.

You’ll receive notifications of new functionality and changes to our Terms within your HubSpot portal in the usual way.

Product Changes

Our tech and security teams are currently hard at work making necessary changes to the HubSpot service to ensure we’re compliant by the May 2018 deadline and to help you meet your obligations under the GDPR to the extent that you use HubSpot to collect and store EU personal data.

We will be providing updates before the May 2018 deadline setting out the steps we will be taking to ensure that both we and our product are compliant with the GDPR in advance of the deadline.


Our Legal Documentation

Our Legal team are also busy ensuring our legal documentation (namely our Customer Terms of Service, our Data Processing Agreement and our Privacy Policy) will be updated to reflect any product changes and to include the mandatory Processor provisions required by Article 28 of the GDPR. We’ll keep you updated as these changes are implemented and we’ll also notify you ‘in portal’ in the usual way.

Transfers Outside the EU

HubSpot, Inc. maintains a Privacy Shield certification with the U.S. Department of Commerce which ensures that adequate safeguards are in place when we transfer personal data from the EU to the US. References to our Privacy Shield certification are included in both our Customer Terms of Service (check out section F.2) and in our Privacy Policy.

We also offer a Data Processing Agreement (which contains the EU approved Model Clauses) to certain EU/EEA based customers upon request. The good news is that the rules regarding transfers of personal data abroad don’t change under the GDPR so we’ve already got you covered!


Good News: We’re enhancing the HubSpot platform to enable easier compliance with GDPR

Check out our brand new product readiness page to get the full scoop.

CHAPTER 7

GDPR Checklist

Since every business is different and the GDPR takes a risk-based approach to data protection, companies should assess their own data collection and storage practices (including the ways they use HubSpot’s marketing and sales tools) and seek their own legal advice to ensure that their business practices comply with the GDPR. In determining your next steps, here are some of the questions you should consider.

The Assessment

• What personal data do we collect/store?
• Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data?
• Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?
• Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?


• Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymisation be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?
• Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?
• Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?


The GDPR Project Plan

• Have we put a project plan together to ensure compliance by the May 2018 deadline?
• Have we secured buy-in at executive level to ensure we have the required resources and budget on hand to move the project forward?
• Do we require a Data Privacy Impact Assessment?
• Do we need to hire a Data Privacy Officer?
• Are we implementing a policy of ‘Data Protection by Design and Default’ to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?


The Procedures and Controls

• Are our Security team informed to ensure they’re aware of their obligations under the GDPR and do they have sufficient resources to implement any required changes or new processes?
• Do we have GDPR compliant procedures in place to handle requests from data subjects to modify, delete or access their personal data?
• Do we have security notification procedures in place to ensure we meet our enhanced reporting obligations under the GDPR in case of a data breach in a timely manner?


• Are our staff trained in all areas of EU data privacy to ensure they handle data in a compliant manner?
• Do we review and audit the data we hold on a regular basis?

The Documentation

• Do we have a Privacy Policy in place and if so, do we need to update it to comply with the GDPR?
• Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?
• Are our internal procedures adequately documented?


• If we’re a data processor, have we updated our contracts with the relevant controllers to ensure they include the mandatory provisions set out in Art. 28 of the GDPR?
• In cases where our third-party vendors are processing personal data on our behalf, have we ensured our contracts with them have been updated to include those same processor requirements under the GDPR?

Conclusion

While there is a lot that organisations must do to ensure they comply with the GDPR, at HubSpot, we’re welcoming it. In fact, we see three big changes that give marketers reason to welcome it too.

1) People’s attention will be treated with the respect it deserves.

For marketers to succeed when the GDPR comes into force, they’re going to have to focus on providing even more value to customers. This means the job of a marketer is going to get more difficult. They will have to work hard (really hard) to attract consumers and earn the right to speak with people. But they should -- attention is a valuable commodity, and in truth, it’s been abused by marketers over the years.

2) Greater transparency between people and the companies that hold their data.

If the GDPR is successful it will provide greater transparency and control to EU citizens over how their data is being used by organisations. Transparency is key. Today, few people see the benefits of sharing data, but they often do because they want to use a service or product. Forcing companies that collect data to become transparent means they will need to communicate and provide value to the person. We expect greater communication and transparency around data collection will lead to better understanding about why people should share data.

3) A higher bar for marketers has been set.

Let’s not fool ourselves -- the GDPR is going to (forcibly) raise the bar for marketers. Tactics which don’t have GDPR-compliant consent mechanisms built in will be consigned to the history books. This means marketers will need fresh thinking and have to innovate. The end result is that to succeed in this new reality and comply with the GDPR, we’re going to see better, more creative and thoughtful marketing.

We see the GDPR as a watershed moment for the marketing industry. It’s rightly causing many organisations to rethink how they approach marketing, but it’s also a huge opportunity for businesses to articulate the importance of people sharing their data and how it leads to greater personalisation, better products and services, and a more efficient data economy.

For too long businesses have remained silent on this issue. A discussion is long overdue and we’re excited to help shape it.

Grow Better With HubSpot.

Whether you want to increase leads, accelerate sales, or organise your contacts, HubSpot has a solution to help you grow better.

Try it for free

Get a Free Marketing Assessment