GDPR or General Data Protection Regulation, Compliance Definition

GDPR Compliance

The GDPR will come into force in May 2018. Are you ready?

What is the GDPR anyway?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of people in the EU and increase the obligations on organisations that collect or process personal data. It applies from 25 May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The full text of the GDPR can be found here and a glossary of all the legal terms you'll need to know can be found here.

What was the story before the GDPR?

You're likely hearing a lot about the GDPR recently, but did you know we've had data protection legislation in the EU for quite a while already? Although the 1995 EU Data Protection Directive will be replaced by the GDPR next May, the Directive sets out the eight data protection principles which have governed the treatment of personal data by organisations for over two decades. Since the GDPR builds on and enhances these principles, we recommend you familiarise yourself with the current laws before you dive into the changes under the GDPR.

If you want to read more about the 1995 Directive and eight original data protection principles, please scroll down to our FAQ section to learn more. 

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) offer goods or services to people in the EU or who b) monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the personal data of people who are in the EU (citizenship is not the test), the GDPR will apply to you.

Find out if you are GDPR ready with our checklist!

Disclaimer: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

The most important changes under the GDPR

  • Individual’s Rights
  • Internal Procedures
  • Supervisory Authorities
  • Scope, Accountability and Penalties

Individual’s Rights

Consent 

Where the data controller (usually a company) relies on consent as its legal basis for processing, it has to make sure the data subject has actually given that consent before the personal information submitted is processed. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” language that is “clearly distinguishable from other matters”. Controllers will also be required to be able to demonstrate that consent was given (Article 7(1)), which in practice means keeping a record of who consented, to what, when, and on the basis of which notice. Previously, under the DPD, consent could be inferred from an action or inaction in circumstances where the action or inaction clearly signified consent. Thus, the Directive left open the possibility of an “opt-out” mechanism. That will change under the GDPR, which requires the data subject to signal agreement by "a statement or a clear affirmative action."

Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent, and withdrawing must be as easy as giving it. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This makes the information you show the user at the point of opt-in more important than ever.

New Rights for Individuals

The regulation also builds in two new rights for data subjects: a "right to be forgotten" (the right to erasure, Article 17) that also requires controllers to inform downstream recipients of the data about erasure requests (Article 19), and a "right to data portability" (Article 20) that allows data subjects to demand a copy of their data in a structured, commonly used, machine-readable format. These two rights will make it easier for users to request that any information stored about them be deleted, or that information that has been collected be handed over to them or to another provider.

Access Requests

Data subjects have always had a right to request access to their data, but the GDPR enhances this right. In most cases you will not be able to charge for an access request; a reasonable fee is only permitted where the request is manifestly unfounded or excessive, or where further copies are asked for. The timescale for responding will also drop from the current 40-day period to one month (extendable by a further two months for complex or numerous requests, provided you tell the data subject within the first month). In certain cases organisations may refuse a request, for example where it is manifestly unfounded or excessive. However, organisations will need clear refusal policies and procedures in place, and must be able to demonstrate why the request meets those criteria.

Internal Procedures

Privacy by Design and DPIA

There are several new principles for entities that handle personal data, including a requirement to build in data protection "by design and by default" when developing new systems (Article 25) and an obligation to perform a Data Protection Impact Assessment (DPIA) where processing, in particular using new technologies, is likely to result in a high risk to individuals (Article 35). A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals, so that potential privacy issues can be identified before they arise, giving the organisation time to come up with a way to mitigate them before the project is underway.

Data Protection Officer

On the governance side, the GDPR will require many businesses to appoint a Data Protection Officer (DPO) to help oversee their compliance efforts. Organisations requiring DPOs include public authorities, organisations whose core activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process special categories of personal data (what is currently known as sensitive personal data) on a large scale. While the GDPR preserves the DPD’s approved methods for ensuring "adequacy" when transferring personal data to third countries (including the Privacy Shield and the Model Clauses), DPOs will also be helpful in overseeing a controller’s relationships with vendors who process and store personal data, helping to review vendors’ security practices and to pass data subject requests on to those vendors.

Contracts & Privacy Documentation

Since the GDPR is all about transparency and fairness, Controllers and Processors will need to review their Privacy Notices, Privacy Statements and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they will need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR ready by May 2018.

Supervisory Authorities

One-Stop Shop

One particular item in the GDPR should serve to make the lives of DPOs easier: the GDPR’s new "one stop shop" provision, under which organisations with establishments in multiple EU countries will have a "lead supervisory authority" to act as a central point of enforcement, so they don’t struggle with inconsistent directions from multiple supervisory authorities.

Reporting Breaches

The GDPR contains a new requirement that controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). In practice this will mean that most data breaches must be reported; for organisations under Irish jurisdiction that means the Data Protection Commissioner (DPC). Breaches that are likely to result in a high risk to individuals – such as identity theft or a breach of confidentiality – must also be reported to the individuals concerned without undue delay (Article 34). That second notification is not required where the affected data was rendered unintelligible to anyone not authorised to access it, for example through encryption whose keys were not themselves compromised, which is why having (and being able to prove) encryption at rest matters for breach response. Note two practical points: encryption does not remove the duty to notify the supervisory authority, and a processor must notify its controller without undue delay after becoming aware of a breach, so that the controller’s 72-hour clock is not consumed by a vendor’s silence.

Scope, Accountability and Penalties

Scope

While the current legislation, the 1995 EU Data Protection Directive, governs entities within the EU, the territorial scope of the GDPR is far wider, in that it will also apply to non-EU businesses who offer goods or services to people in the EU or who monitor the behaviour of people in the EU. In other words, even if you’re based outside of the EU but you control or process the personal data of people who are in the EU, the GDPR will apply to you.

Accountability

This new concept will require Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained and appropriate technical and organisational measures should be taken to ensure and demonstrate compliance.

Severe Penalties

The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year (whichever is greater). A lower tier of up to €10 million or 2% applies to other infringements, including failures in security measures, record-keeping and breach notification.

The changes within HubSpot

As we approach May 2018, HubSpot is focused on GDPR compliance efforts. During this implementation period for the Regulation, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline. You’ll receive notifications of new functionality and changes to our Terms within your HubSpot portal in the usual way. We’ll also be updating this page and sharing content over the coming months so don’t be a stranger to this page!

HubSpot GDPR Product Changes

Product Changes

Our tech and security teams are currently hard at work making necessary changes to the HubSpot service to ensure we’re compliant by the May 2018 deadline and to help you meet your obligations under the GDPR to the extent that you use HubSpot to collect and store EU personal data. We will be providing updates between now and the May 2018 deadline, setting out the steps we will be taking to ensure that both we and our product are compliant with the GDPR in advance of the deadline, and recommend that those interested keep an eye on this page.

Our Legal Documentation about GDPR

Our Legal Documentation

Our Legal team are also busy ensuring our legal documentation (namely our Customer Terms of Service, our Data Processing Agreement and our Privacy Policy) will be updated to reflect any product changes and to include the mandatory Processor provisions required by Article 28 of the GDPR. We'll keep you updated on this page as these changes are implemented and we'll also notify you 'in portal' in the usual way.

About GDPR and transfers outside the EU

Transfers Outside the EU

HubSpot, Inc. maintains a Privacy Shield certification with the U.S. Department of Commerce which ensures that adequate safeguards are in place when we transfer personal data from the EU to the US. References to our Privacy Shield certification are included in both our Customer Terms of Service (check out section F.2) and in our Privacy Policy. We also offer a Data Processing Agreement (which contains the EU approved Model Clauses) to certain EU/EEA based customers upon request. The good news is that the rules regarding transfers of personal data abroad don’t change under the GDPR so we’ve already got you covered!

If you’re already a HubSpot customer or partner, please contact your account manager if you have any further questions, comments or suggestions. If you don’t yet have a business relationship with HubSpot, please drop us a line at privacy@hubspot.com

Learn more about the GDPR compliance

  • Although the DPD will be replaced by the GDPR, it sets out the eight data protection principles which the GDPR builds on. These rules govern how organisations should treat personal data and are set out below:

    1. Obtain and process the personal data fairly
    2. Keep it only for one or more specified and lawful purposes
    3. Process it only in ways compatible with the purposes for which it was given to you initially
    4. Keep it safe and secure
    5. Keep it accurate and up-to-date
    6. Ensure that it is adequate, relevant and not excessive
    7. Retain it no longer than is necessary for the specified purpose or purposes
    8. Give a copy of his/her personal data to any individual, on request.

    The DPD is a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. In Ireland for example, the goals of the DPD were implemented through the Data Protection Acts 1988 and 2003.

    A Regulation on the other hand, such as the GDPR, is a binding legislative act which applies in its entirety across the EU. 

  • For those unfamiliar with this term, "double-opt-in" is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR is in fact silent on whether this form of consent is required. We’ve already covered the definition of "consent" above. Recital 32 of the GDPR adds additional clarity on what consent means under the regulation and again, no express requirement for double-opt-in consent. Recital 32 states:

    Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
     

    At the time of writing, there is no official guidance from the Article 29 Working Party in the EU which suggests that this mechanism is mandatory under the GDPR. HubSpot will be keeping an eye on developments and advice in this area and will update this page in the event that any official guidance on this topic is issued by the EU.

    It’s worth noting that subscribers to the HubSpot service may already choose to switch on the double-opt-in functionality in their portals as an additional protective measure in proving they obtained the required consent.

  • In June 2016, a majority of UK voters voted in favour of leaving the EU in the "Brexit" referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50 which triggered the commencement of the Brexit negotiations and meant that the UK will leave the EU on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by end March 2019. Therefore, it’s highly likely that the UK will still be part of the EU by the May 2018 GDPR deadline. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred.

    Once the UK leaves the EU, the GDPR will automatically fall away, unless and to the extent the UK adopts domestic legislation to retain GDPR in whole or part. Current UK government announcements support such retention but we’ll have to wait and see what actually happens!  

    If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, it will become a "third country" for the purposes of transfers of data abroad and therefore additional protections may be required for data you transfer to the UK. If the EU determines that the UK meets the necessary standards to adequately protect personal data, it may add the UK to the list of approved or "white-listed" countries, in which case additional protections such as the EU model clauses won’t be required for these transfers.

  • Individuals already have a lot of rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:

    • obtain details about how their data is processed by an organisation or business;
    • obtain copies of personal data that an organisation holds on them;
    • have incorrect or incomplete data corrected;
    • have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
    • obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability);
    • object to the processing of their data by an organisation in certain circumstances;
    • not be subject (with some exceptions) to decisions based solely on automated decision making, including profiling.
  • There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is "adequately protected", data may be transferred abroad. For example, the EU has prepared a list of countries which it deems to provide an adequate standard of protection (known as "white-listed countries"), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on approved contractual provisions (e.g. the Model Clauses or Binding Corporate Rules) or one of the other alternative measures provided for in law, such as the Privacy Shield certification.

  • We've compiled a list of additional sites for more information around the new regulation down below. Please feel free to check them out. 

    • The Irish Data Protection Commissioner's GDPR website

    • Guidance from the German Federal Commissioner for Data Protection on the GDPR here

    • HubSpot’s Data Privacy Resources page

    • The European Data Protection Supervisor here

    • HubSpot’s Security Program page

    • Find your Supervisory Authority here

    • Full text of the GDPR here

    • Full text of the GDPR in German here

    • The EU’s GDPR website
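The Consent section above and the double-opt-in entry in this FAQ describe what a compliant opt-in has to look like (a clear affirmative act, specific purposes, evidence the controller can produce, withdrawal as easy as consenting) without showing how one is built. The following is an added example, not HubSpot code and not taken from this page: a small Python double-opt-in service that rejects anything short of an affirmative action, hands the caller an HMAC-signed, expiring, single-use confirmation link to email to the address (the emailing itself is left to the caller), and keeps a consent record that can be produced as evidence. The secret, the 24-hour link lifetime, the in-memory store and the sample addresses are all assumptions made for the example.

```python
"""Double opt-in consent capture with an auditable consent record.
Added example, not HubSpot's code; the secret, store, link lifetime and addresses are assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, Optional, Sequence

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: a confirmation link is valid for one day


class ConsentError(ValueError):
    """Raised when a sign-up or confirmation does not meet the consent bar."""


@dataclass
class ConsentRecord:
    """What the controller keeps in order to demonstrate consent later."""
    email: str
    purposes: tuple                       # the specific purposes consented to
    notice_version: str                   # which privacy notice text was shown
    requested_at: int                     # unix time of the form submission
    pending_nonce: Optional[str] = None   # set while a confirmation link is outstanding
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None


class DoubleOptIn:
    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self._secret = secret
        self._now = now
        self.records: Dict[str, ConsentRecord] = {}

    def _mac(self, payload: str) -> str:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purposes: Sequence[str], notice_version: str,
                affirmative_action: bool) -> str:
        """Step 1: accept the form only if the person actively opted in.
        Pass affirmative_action=True only for an unticked box the person ticked (or
        something equally explicit); a pre-ticked default or inactivity is False."""
        if not affirmative_action:
            raise ConsentError("consent must be given by a clear affirmative action")
        if not purposes:
            raise ConsentError("consent must be specific to at least one purpose")
        ts = int(self._now())
        nonce = secrets.token_hex(16)
        # A new request replaces any earlier record for this address.
        self.records[email] = ConsentRecord(email, tuple(purposes), notice_version, ts, nonce)
        payload = f"{email}|{ts}|{nonce}"
        return f"{payload}|{self._mac(payload)}"   # the caller emails this as the link

    def confirm(self, token: str) -> ConsentRecord:
        """Step 2: the link coming back from the mailbox proves control of the address."""
        try:
            email, ts_str, nonce, mac = token.split("|")
            ts = int(ts_str)
        except ValueError:
            raise ConsentError("malformed token") from None
        # Constant-time compare so the signature check does not leak timing.
        if not hmac.compare_digest(self._mac(f"{email}|{ts}|{nonce}"), mac):
            raise ConsentError("bad signature")
        if self._now() - ts > TOKEN_TTL_SECONDS:
            raise ConsentError("confirmation link expired")
        rec = self.records.get(email)
        # The nonce is single-use: a replayed or superseded link cannot re-confirm.
        if rec is None or rec.pending_nonce != nonce:
            raise ConsentError("no pending confirmation for this link")
        rec.pending_nonce = None
        rec.confirmed_at = int(self._now())
        return rec

    def withdraw(self, email: str) -> None:
        """Withdrawing must be as easy as consenting: one call, no confirmation dance."""
        rec = self.records.get(email)
        if rec is not None:
            rec.withdrawn_at = int(self._now())

    def is_consented(self, email: str, purpose: str) -> bool:
        """Only confirmed, not-withdrawn consent for this exact purpose permits processing."""
        rec = self.records.get(email)
        return bool(rec and rec.confirmed_at is not None
                    and rec.withdrawn_at is None and purpose in rec.purposes)

    def evidence(self, email: str) -> str:
        """Serialised record to produce for a supervisory authority or the data subject."""
        return json.dumps(asdict(self.records[email]), sort_keys=True)


if __name__ == "__main__":
    svc = DoubleOptIn(secrets.token_bytes(32))
    # Constructed sample sign-up: an unticked box the person actively ticked.
    link = svc.request("alice@example.com", ["marketing_email"],
                       "privacy-notice-2018-05", affirmative_action=True)
    print("before confirmation:", svc.is_consented("alice@example.com", "marketing_email"))
    svc.confirm(link)  # the person clicked the link we emailed
    print("after confirmation:", svc.is_consented("alice@example.com", "marketing_email"))
    print(svc.evidence("alice@example.com"))
```

Run it directly to watch a constructed sign-up go from unconfirmed to confirmed. The nonce is stored with the record and cleared on first use, so a confirmation link that leaks from a mailbox or a log cannot be replayed later; the timestamp sits inside the signed payload, so expiry cannot be extended by editing the link; and `is_consented` is keyed on the exact purpose, which is what keeps consent "specific" rather than a blanket switch.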

When should I be compliant with the GDPR?

The EU General Data Protection Regulation (GDPR) will take effect on May 25, 2018.


As a current or future HubSpot customer, now is a great time to prepare for GDPR compliance. The following resources will give you a robust understanding of where you stand and what's next.

  1. Our GDPR Research

    How prepared are others for the GDPR? What do consumers think about the changes? Find out more in our research!

  2. Our GDPR Glossary

    The GDPR was written by lawyers, so it should come as no surprise that it has a good bit of legal jargon sprinkled in there. But don't worry, our glossary will help you understand the most important definitions.

  3. Our free GDPR compliance checklist

    For our customers and partners, HubSpot created a free GDPR compliance checklist to determine your next steps!