We recently looked at the big issue of GDPR and what it means for inbound marketers, and in particular focused on the two main areas the industry needs to be aware of – consent and legitimate interest. Here, in the second part of our piece on this new legislation that increases consumer data rights, we take a look at what needs to be done with the data we gather and process in order to be compliant and still manage to keep our inbound marketing strategies working.
Until now, inbound marketers have tended to gather as much information about consumers as possible in order to both understand our market and tailor content towards the people most likely to turn into qualified leads we can bring along the conversion path. A single click on a CTA, filling out a landing page form, or even visiting a website, meant that the data we collected could be used to market to that individual.
However, with GDPR, individuals will potentially have much more of a say in this gathering of data, and how it is used. We discussed in our piece on legitimate interest and consent that marketers now need to take extra steps to ensure the consumer both knows what their data will be used for, and agrees to having it used, but this new legislation also allows for individuals to actively request information on the data we hold about them.
If an individual whose personal information you hold in your database and use to engage with them requests to know what information you have on them, you must now be able to provide it – within a month. That means being able to locate, access, retrieve and reproduce it for the individual, as well as explain why you have it, how you got it, what you do with it, and how it falls under the rules for lawful processing. If your business or inbound agency is not able to do this (run a test to see), you need to get started on finding a way to make it possible.
What is HubSpot doing?
In their continuously updated article on GDPR, HubSpot outlines that, within their portal, you can currently handle any data access requests easily by exporting an individual’s contact record into a machine-readable format. This means that all records of engagement can be located and reproduced, while actions such as notes, calls, etc. that aren’t provided in the contact record can be accessed using the CRM engagements functions.
An individual, once they have seen the data you hold, may request that it is modified – for clarification, correction, completion, etc. – and this can also easily be done within HubSpot by simply amending the information within their individual contact record, which can also be shared with the person in question.
The Right to be Forgotten
While it will now be necessary to have a double opt-in feature in order to be absolutely sure that an individual can expect to receive engagement and content from inbound marketers, it will also be necessary to let individuals opt out and withdraw consent, and to have that data removed from our databases in order to satisfy the individual’s ‘right to be forgotten’. This withdrawal of consent needs to be as easy and straightforward as giving it in the first place.
Of course, one sensible approach or first step to take is to run an audit of all the personal data you do hold, and assess what you can get rid of. Unnecessary personal information should be securely deleted from your database because the less data you hold, the less you have to account for. This can be a good opportunity to clear out your contact database and shed dead leads, or those who are unlikely to fit with the personalised content you are producing in order to generate better leads, so you can focus on those that are more likely to become customers.
The erasure of data, and the right to be forgotten, are two big issues that need to be seriously addressed. The legislation states that the individual, or data subject, has the right to obtain the erasure of personal data without undue delay where one of the following applies:
- The personal data is no longer necessary in relation to the purpose for which it was collected or processed
- The data subject withdraws consent for the processing of their personal data
- The data subject objects to the processing of their data where there are no legitimate reasons for it
What is HubSpot doing?
If you are using HubSpot, an individual can easily withdraw their consent from your subscription preferences page, and you can modify the lawful basis contact property that previously included them in your database contacts. On top of this, direct email lists will have the added functionality of unsubscribe links, so that once this is clicked, the individual will no longer be sent any messaging they deem to be intrusive or unwanted. Yes, email nurturing is a very effective way of converting leads into customers, but if the individual doesn’t want to be engaged with, you not only have to respect that, but make sure it never happens.
You will also soon be able to perform a GDPR-compliant permanent delete of an individual’s data in the HubSpot portal.
It must be noted that simply hitting ‘delete’ on an individual’s data in your contact database won’t be enough, because you need to remove that data from every source. That means permanently removing the data from every file, register, index and mailing list, including the data held on your server and any back-ups.
That is easier said than done, because every trace of information must not only be removed, but must also be incapable of being linked back to the individual in any way. This is where encryption comes in. Encryption is mentioned many times in the GDPR legislation as a secure way to render data unusable, and therefore adequately erased. It’s a quick and effective way to ensure compliance with the right to be forgotten.
What is HubSpot doing?
As part of its across-the-board data security upgrade, HubSpot is tightening its controls: on top of industry-standard practices around encryption, it is also working to improve its systems for authentication, authorisation, and auditing to better protect the data of individuals.
This is a work in progress, which will be updated soon.
If you are interested in learning more about GDPR and the steps you need to take to be compliant, find out how we work with our partners to help you assess how much you need to do to meet regulatory requirements.
Send an email to firstname.lastname@example.org and we will get back to you as soon as possible, giving you a clear idea of how we can help your organisation.