HubOps: Revenue Operations in the HubSpot ecosystem

How to Manage Opt-Ins and Subscriptions in a CRM: Customer email and HubSpot's GDPR settings

Written by Nikita Smits-Jørgensen | Sep 11, 2023 2:22:12 PM

To put it simply, when conducting business with individuals, it is crucial to respect their right to privacy as mandated by the GDPR. However, this can often pose challenges for Revenue and Marketing Ops professionals, particularly when it comes to managing opt-ins and relevant subscriptions in your database.

In this particular scenario, I will delve into the strategies that can be employed to ensure effective communication of important customer or contract-related information, even when customers have opted out of receiving marketing communications.

If you're just here for the HubSpot how-to, skip ahead. If you'd like to understand why this is important, read the entire post. 

Managing the legal base for processing data in a CRM system is of utmost importance for businesses. It ensures compliance with data protection regulations and safeguards the privacy rights of individuals. The legal base determines the lawful grounds on which the CRM system can process personal data, such as consent, contract performance, legal obligation, vital interests, public task, or legitimate interests.

It is crucial to update this information with a new legal basis when a prospect becomes a customer. This transition from prospect to customer changes the nature of the relationship and the purpose for which their data is processed. By updating the legal basis to 'customer', businesses can ensure that they are processing the data lawfully and in line with the customer's expectations. This not only enhances trust and transparency but also helps businesses avoid potential legal issues or penalties associated with non-compliance.

Stay in your lane

'Staying in your lane' was one of the most useful phrases I've picked up when I completed my CIPP/E certification with the IAPP (Read: Train with a lawyer on the meaning of the GDPR, learn about the history of European privacy law, read the actual text of the GDPR several times and prep for the most challenging exam since I stopped being subjected to mathematics exams many years ago). 

It refers to the 6 legal grounds you can have as a business to process (store, read, use, basically do anything at all with) someone's private data, such as their company email address. When you're in a commercial role at a private company, one of the following lanes will be what you're focussed on:

Consent

This is the most commonly discussed lane in the marketing world. It occurs when someone fills out a form on your website and willingly agrees to receive marketing materials from you or allows you to process their data in some other manner. It is crucial that the text explaining consent is crystal clear and unambiguous. It should not be pre-selected, negative (such as "If you do not wish to..."), or part of a contract. The latter means that you cannot withhold an offer if the person does not consent to receiving further materials from you. Additionally, it is your responsibility to keep a record of consent. This means that you must be able to provide evidence that a person has given their consent to you.

The contact in question has given you consent. Consent is a big one in the GDPR, so keep reading for more detail on this lane. As the owner of a commercial database, it's important to remember that consent can be withdrawn, and if you have valid reasons to switch lanes, you should always try to prioritize another lane if you reasonably can.

Consent is something all Marketing and Sales professionals need to understand.

Contractual necessity

This is the foundation for processing personal data in order to fulfill a contract. It also encompasses any necessary steps that must be taken before entering into a contract, such as completing an RFP (request for proposal document) to secure a contract or conducting a credit check before finalizing the deal.

A practical example of utilizing contractual necessity is the ability to communicate with existing customers regarding their purchases. For instance, a kitchen appliance store can contact me regarding the fridge I bought (warranties, cleaning instructions, replacement suggestions, etc.), but they cannot reach out to me about cookers. Since I didn't purchase a cooker, I would need to have specifically opted in to receive other marketing information.

Once a contract becomes invalid or ends, there is no longer a legal basis for processing personal data under this circumstance.


Legal obligation

Legal obligation provides the right to continue processing personal data for legal reasons, such as retaining files for audits, tax purposes, or in compliance with EU or member state laws.

However, it's important to note that this legal basis does not grant permission to market to the individual. Even if you are legally obligated to hold the data, you cannot start sending promotional emails or offers without explicit consent. Nevertheless, if the data subject requests to be forgotten, you are permitted to retain the necessary personal data to fulfill your legal obligations. It's crucial to communicate this clearly to maintain transparency and trust with your customers.


Legitimate interests

Navigating the grey area of legitimate interests requires careful consideration. While it allows for the continuation of your business, it does not give you free rein to email a cold list indiscriminately. Legitimate interest must be proportional and fall within reasonable expectations.

For example, if your email address is publicly available on your website, it is reasonable to expect that you may receive one-on-one offers with the option to opt out of further communication. However, it would be unreasonable and unexpected if your email address was added to a generic marketing email list, bombarding your inbox with multiple offers.

This particular lane is often utilized by sales teams for personalized business development. It's important to note that spammy marketing emails should never be sent, as they go against the principles of legitimate interests.

Remember, ensuring compliance and respecting your customers' preferences should always be a priority.

A note on consent

I often get asked if the copy on a text box is compliant, or I'm asked if we really have to add so much copy to a form. As a marketer, I get it. As a prospect, I definitely get annoyed with long blocks of text to decipher if I just want to get access to a downloadable asset. This is the copy from the GDPR on consent, though, and I have to stick with making sure we have some specific copy, a checkbox and, last but not least: split your consent for processing and your opt-in for email marketing.

‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data … This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means.’

 

Changing legal basis from 'Consent' to 'Legitimate interest' in HubSpot

First, check which legal basis you're using for your contacts. This is where you can see what your legal basis is for communicating with a client: navigate to a contact, view all properties and search for 'legal'.

After initially subscribing to receive marketing communications from this company, I later decided to unsubscribe due to the lack of relevance in the emails.

But now that I have become a customer, the marketing team wants to send me a crucial email regarding the product I am using. Unfortunately, as you can see on the timeline, they are unable to send this email because there is no legal basis that complies with GDPR for sending it.

 



When the company my contact is associated with transitions into a customer, it is crucial to update the legal basis for processing to Legitimate interest. This ensures compliance with GDPR regulations and allows for the necessary communication regarding the product being used.

I know, I said to choose a lane and stick with it. However, a prospect becoming a customer or the relationship with a contact fundamentally changing, is a valid reason to change lanes. 

How do you keep your commercial database up-to-date?

It is essential to ensure that individuals who have the authority to modify the legal basis for processing a contact possess a comprehensive understanding of GDPR regulations. Additionally, I highly recommend automating these processes whenever possible to streamline efficiency and compliance.

One suggestion is to create a simple workflow that updates the legal basis to 'Legitimate interest' or 'Performance of a contract' when a deal closes or the lifecycle stage changes to 'customer'. You can find the example below:


How about your customers? Do you ensure that all relevant communication goes out to them even when they've opted out or unsubscribed from your marketing emails? This should always be part of your subscription management tactics when optimizing your customer communication tactics.