The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) deadline is approaching fast (25th of May), and if you are an inbound marketer you had better do your homework now. The GDPR applies not only to European businesses but to everyone who collects data on Europe-based users! We’ve summarised a couple of points for you to check whether your marketing is up to scratch AND compliant:

1. Cookies

Under the GDPR, visitors need to be given notice that you are using cookies on your website, and they need to agree to be tracked. Consider updating your cookie settings.

2. Lawful basis

Under the GDPR, you need to be able to prove that you have a lawful reason to use someone’s data. In other words, you need to be able to prove that you have a legal process and a legal reason to communicate. A legal process could be ‘store data in CRM’ or ‘send ebook after opt-in’. A legal reason to communicate could be ‘send marketing email’ or ‘sales rep to follow up’.
If you are using a CRM / marketing automation tool, you should consider updating the properties of your contacts so that a lawful basis (that is, the legal reason) is attached to each contact.

Regarding the legal reason to communicate, you need to ensure you have the proper consent of the user in your system. If you have legally acquired your contacts and not bought them, then your CRM / email marketing system should hold this info (e.g. date of opt-in). If you don’t have it, consider creating subscription types and setting up your forms to establish a lawful basis moving forward.

3. Deletion

Under the GDPR, your contacts have the right to request to be deleted from your database as well as to receive a copy of all the data you have on record about them. HubSpot recently added a ‘GDPR delete’ function that permanently deletes a record when this is requested. Surely, other CRM / marketing automation providers will follow.

Your data and the GDPR

Sounds all very legal? Here is an example of how this will look in reality:

Let’s say that Sonja is a contact of yours and lives in Germany. She’s called the “data subject,” and your company (let’s call it 4DP) is called the “controller” of her data. If you’re using a CRM / email marketing platform, then this acts as the “processor” of Sonja’s data on behalf of 4DP.

Here is what a customer/lead interaction might look like:

  • Sonja comes to 4DP’s website for the first time
  • Sonja fills out a form (or gets created in 4DP’s database manually / via API)
  • 4DP sends Sonja an email
  • Sonja requests to see, modify, or delete the information 4DP has about her

Now, we’ll show you how to handle each step of her journey in the HubSpot software, with the GDPR in mind.

Sounds easy, right? Ok, let’s see how the GDPR comes into play.
When Sonja visits the 4DP website and 4DP uses a marketing automation tool such as Mailchimp, Drip, HubSpot or Infusionsoft to collect information about Sonja, then 4DP needs to let Sonja know about it. There are now certain rules about how 4DP can collect data about Sonja’s activity on the website.

  1. 4DP needs to give Sonja notice (in the form of a banner or pop-up) in a language that she understands!
  2. Sonja needs to consent that her activity is being tracked.
  3. If Sonja doesn’t consent, then she needs to be able to opt out. Easily. With a click of a button, so to speak.


Ok, that all sounds easy and doable, right? So let’s assume Sonja consents. What happens next?
Maybe Sonja fills out a form to download an ebook. Under the GDPR, you need to have a legal reason to contact Sonja in future. By downloading an ebook, Sonja opted into your database. You now need to let Sonja know that she did. While it may seem obvious, it’s worth stating: it’s possible to have a lawful basis to process but not to communicate. If that’s the case, under the GDPR, you can’t communicate with Sonja.

This is why consent is so important now, as it would then give you a legal reason to contact your customer. Consent is one of those lawful bases, but it’s not the only one. There are six listed in the regulation, but the two other key ones for sales and marketing are:

  1. Performance of a contract. For example, if Ana is your customer, you can email her a bill.
  2. Legitimate interest. For example, Sonja might be a customer, and you want to email her direct marketing materials about products you sell related to the one she uses.

Legitimate interest is an interesting topic in itself and basically allows you to communicate with a customer/lead without their consent if you can prove that the information communicated is of importance to them. This will open Pandora’s box for many dodgy marketers until clear guidelines are put in place…

Anyhow, what does this all mean for the forms on your website? When Sonja fills out a form on your website, e.g. to download an ebook, you now need to give her the option to opt out of storage (processing) as well as of communication. That means the following updates will be made to her contact record in your CRM:

  • Lawful basis to process will be set to “consent”
  • Lawful basis to communicate will be reflected in the new subscriptions section of the contact record. Same as above.

In HubSpot, for example, this could look like this:

HubSpot GDPR Interface

That’s the full rundown of GDPR updates and how we see them affecting marketers from the end of May onwards.

If you have specific questions about your company’s GDPR compliance, you should work with your data privacy advisor or your lawyer.
