GDPR Compliance - How Does It Affect You?

The EU's General Data Protection Regulation (GDPR) will be in affect as of 25th May 2018.

With the upcoming roll out of these new regulations, marketing automation systems everywhere have been sending out notifications to their users to inform them about the changes and how they will affect the EU data an organisation possesses and uses.

• Facebook for Business has outlined the GDPR changes and how they are getting prepared for their users. Read Facebook's GDPR info here.
• Google has stated their commitments to complying with the GDPR. Read Google's GDPR info here.
• Google Adwords has also outlined changes to their ad policies to comply with the GDPR.
• HubSpot has developed a product roadmap detailing how they will make their platform as compliant as possible for users before the 25th May. Read HubSpot's GDPR info here.

In this article, we'll be using HubSpot as an example for how you should prepare for the new EU data regulations. If you don't use HubSpot, the information in this article still applies to any marketing automation systems, or any system that collects data from EU citizens. We recommend you find information from your specific platform/s to ensure you know where you stand for the GDPR.

HubSpot recently sent out an email to its users concerning changes to how EU citizen data will be regulated on the platform.

The email states:

As of May 25th, all organisations working with the data of EU citizens will need to be GDPR (General Data Protection Regulation) compliant.

If you received HubSpot's email, or an email from other marketing automation systems or ad platforms, and you're not sure what to make of it, don't have time to read up on GDPR compliance or you're just not sure if it affects you or not, we've consolidated the most important information in this post. We'll lay out exactly what you need to know about GDPR and provide some recommendations for how to proceed with your EU data (if you have any).

What is the GDPR?

GDPR stands for General Data Protection Regulation. It's the new European standard of data protection and it will be rolling out on the 25th May 2018.

HubSpot explains here:

"The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data."

The GDPR applies to any business that controls or processes data of EU citizens (aka not just within the EU). If you're an Australian business collecting or using data about EU citizens, or if you're not sure, continue reading.

What are the main points of the GDPR?

The full official text of the GDPR can be found here.

HubSpot has highlighted the most important changes that could affect users:

• Consent: a customer/lead/site visitor cannot be forced into consent. The process of giving their personal data to your company should be explicit, they should know exactly what they are consenting to and they must be informed before providing data that they can withdraw that consent at any time. Basically, be transparent and inform the user on the opt in form, page or email, etc.
• Individual Data: an individual has the right to request any information about them be deleted or the information collected to be shared with them to review.
• Access Requests: individuals have always had a right to their own data. The GDPR will drop the time period allowed to process a data access request to 30 days. If an organisation refuses to share an individual's data with that individual, they must have evidence of internal refusal procedures and policies (why they won't share the data) and how those policies apply to the particular individual.
• Data Privacy Impact Assessment (DPIA): when developing new systems or using new technology/tools, a company must perform a DPIA to consider the potential impact the project might have on the privacy of individuals. It is the company's obligation to come up with a solution to any issues before the project begins.
• Data Privacy Officer (DPO): a DPO might need to be hired at a company to oversee compliance efforts.

HubSpot's GDPR compliance overview has more information about the key changes associated with the GDPR.

Why does the GDPR affect HubSpot users?

The EU has already had data protection legislation for over two decades. The GDPR is just a replacement that builds on and enhances the current rules (called the Data Protection Directive).

With these changes, HubSpot will need to ensure their own practices are compliant with the new legislation. Other companies are doing this too. Both Facebook and Google have made commitments to making their platforms GDPR compliant. HubSpot is working on new product features (some have already been rolled out) to help users understand GDPR compliance and make sure the platform is as GDPR compliant as possible.

HubSpot will be undergoing some changes in these areas:

• Product Changes
• HubSpot Legal Documentation.

You can find HubSpot's Product Roadmap for the GDP changes here. On that page you can also sign up to receive notifications if the roadmap gets updated. We recommend you follow any news about the GDPR. Props to HubSpot for acting out or preparing these needed changes so promptly.

However, this does not mean that you don't need to do anything. Your business will need to understand the GDPR and ensure your processes on any marketing or ad systems adhere to the regulation.

Does the GDPR affect me?

The GDPR applies to you if:

• You market products/services to people in the EU, OR
• You monitor the behavior of people in the EU.

If you're not sure, it's better to be safe than sorry and practice GDPR compliance on HubSpot and any other marketing automation systems you use (Facebook, Google, etc). We'll cover this in the next section.

What do I need to do to be GDPR compliant?

In this section we will be referencing HubSpot's GDPR Compliance Checklist.

The following questions has been formulated by HubSpot (you can find it here) and can be used to form the basis of a plan to ensure GDPR compliance.

Keep this list of questions somewhere or print them out and check each question off as you answer it or find a solution to it.

1. Assess whether or not the GDPR concerns you and your data.

Ask yourself the following questions (find your answers by investigating in your HubSpot portal):

1. What personal data do we collect/store?
2. Have we obtained that data fairly, with consent from the individual?
3. Are we keeping and updating the data for as long as we need to, not holding it for any longer than necessary?
4. Are we keeping the data securely?
5. Are we collecting any 'Sensitive Personal Data'? If so, do we meet the standards to collect, process and store this data?
6. Are we transferring the data outside of the EU?

2. Create a plan

Ask yourself the following questions:

1. Have we created a project plan to ensure compliance by the 25th May 2018?
2. Have we secured the resources and budget needed to move the project forward?
3. Do we require a Data Privacy Impact Assessment (DPIA)?
4. Do we need to hire a Data Privacy Officer (DPO)?
5. Are we always considering the potential impact that a project or initiative might have on the privacy of individuals?
6. Have we considered how we handle employee data in our plan?

3. Internal Procedures

Ask yourself the following questions:

1. Are our security team informed to ensure they’re aware of their obligations under the GDPR?
2. Do we have procedures in place to handle requests from individuals to modify, delete or access their personal data?
3. Do these procedures comply to the new rules under the GDPR?
4. Do we have security notification procedures in place to ensure we meet our enhanced reporting obligations under the GDPR in case of a data breach in a timely manner?
5. Are our staff trained in all areas of EU data privacy to ensure they handle data in a GDPR compliant manner?
6. Do we review and audit the data we hold on a regular basis?

4. Documentation

Ask yourself the following questions:

1. Do we have a Privacy Policy in place and if so, do we need to update it to comply with the GDPR?
2. Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?
3. Are our internal procedures adequately documented?
4. If we’re a data processor, have we updated our contracts with the relevant controllers to ensure they include the mandatory provisions set out in Art. 28 of the GDPR?
5. In cases where our third party vendors are processing personal data on our behalf, have we ensured our contracts with them have been updated to include those same processor requirements under the GDPR?

Takeaways

The XEN System recommendation for this regulation roll out is to get prepared now. If you're pretty sure the GDPR changes don't affect you and what you do on HubSpot, Facebook or any of the Google tools (or any other system you use that collects data) double check by going through the questions above. Formulate your plans now and have the peace of mind of being GDPR compliant well before the 25th May 2018.

Below are a few simple things you can do right now.

Update opt-in forms on your website:

• Update the form to use language that reflects the GDPR definition of consent.
• Make sure the form states exactly what the individual will be signing up for. For example, if the form is for a content download piece but you also want to add their email address to a monthly newsletter list, state this clearly.
• Somewhere before the form is submitted, you should include a line stating that the individual has a right to stop consenting to their data being collected or used at any time.

Update your privacy policy:

• Your privacy policy should already be on your site. If it isn't, add a page for your privacy policy. Most sites usually link to their privacy policy in the footer of the site.
• Include any points from the GDPR that apply to your organisation. Create a new section within your privacy policy for this.
• Users on your site will appreciate that you care about data regulations affecting their personal information.

Perform a Data Privacy Impact Assessment (DPIA):

• Perform a DPIA according to Article 35 of the GDPR.

Refer to your marketing automation system/ad platform/any other database system you use and understand your GDPR compliance requirements.

More GDPR Resources

Legal Vision has written an in-depth article about the GDPR covering your obligations and understanding the difference between the GDPR and the Australian Privacy Act.

The GDPR & HubSpot - "Here's what we're doing to help you comply."

GDPR Compliance - "The GDPR will come into force in May 2018. Are you ready?"

Are You GDPR Ready?

Full GDPR text

Disclaimer

All information gathered from various platform reports on the GDPR changes and the GDPR text. You may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.