
GDPR Compliance

GDPR or General Data Protection Regulation, Compliance Definition

What is the GDPR anyway?

The GDPR (General Data Protection Regulation) is an EU Regulation that significantly enhances the protection of the personal data of EU citizens and increases the obligations on organisations that collect or process personal data. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and adds harsher penalties for violations. The regulation came into effect on May 25th, 2018.

What was the story before the GDPR?

You've likely heard a lot about the GDPR in 2018, but did you know we've had data protection legislation in the EU for quite a while already? Although the 1995 EU Data Protection Directive was replaced by the GDPR in May 2018, the Directive set out the eight data protection principles which have governed the treatment of personal data by organizations for over two decades!

Does the GDPR apply to me?

The GDPR applies to businesses that a) market their products to people in the EU or b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

Disclaimer: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

Important components of the GDPR

Consent 

The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Controllers will also be required to provide evidence that their processes are compliant and followed in each case.

Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in is becoming more important.

New Rights for Individuals

The regulation also builds in two new rights for data subjects: a "right to be forgotten" that requires controllers to alert downstream recipients of deletion requests and a "right to data portability" that allows data subjects to demand a copy of their data in a common format. These two rights make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.

Access Requests

Data subjects have always had a right to request access to their data, but the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a one month period (but this can be extended by a further two months in some circumstances). In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.

If you’re already a HubSpot customer or partner, please contact your account manager if you have any further questions, comments or suggestions.

Learn more about the GDPR compliance

Our GDPR Research

How prepared were others for the GDPR? What do consumers think about the changes? Find out more in our research!


Create a GDPR Strategy

In this lesson, you will learn what the GDPR is, the changes that will help protect personal data and the impact GDPR has on the world of inbound marketing and sales. You will explore the changes that you may need to make for your business and how to best prepare for GDPR.


Our GDPR Compliance Checklist

Our Free GDPR Compliance Checklist

For our customers and partners, HubSpot created a free GDPR compliance checklist to determine your next steps.


GDPR Research On Marketers and Consumers

How Prepared Were Marketers for the GDPR?

Find out how consumers and marketers view the GDPR. We've surveyed over 3,000 consumers to give you the best insights.


A glossary with all legal definitions around the GDPR

Our GDPR Glossary

The GDPR was written by lawyers, so it should come as no surprise that it’s got a good bit of legal jargon sprinkled in there. But don't worry, our glossary will help you understand the most important definitions.