Interview: GDPR for US Businesses & Agencies. What You Need to Know

What is the GDPR?

Whether you’re B2B or B2C, big or small, you’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.


The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations that collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

Example Case:

Let’s say that Ana is a contact of yours and lives in Germany. She's called the "data subject," and your company (let's call it Acme Corp.) is called the "controller" of her data. If you're a HubSpot customer, then HubSpot acts as the "processor" of Ana's data on behalf of Acme.

When do companies in the USA need to pay attention to GDPR?

Now. Knowing about this law and how it is affecting the marketing world is important, regardless of how much of an impact it has.
GDPR is important because its goal is to provide better experiences for our customers and the people who trust us with their data.
In that way, it’s perfectly aligned with the concept of Inbound. Be relevant, be helpful, be transparent, and you’ll be on your way to compliance. Be spammy, interruptive, aggressive, and you’ll be in trouble.
Complying with the GDPR will require effort, and that effort may lead to stress between now and deadline day. But, at the end of the day, if the GDPR makes your customers’ lives better, it’ll grow your business as a result.

Lawful Basis
Under the GDPR, you need to have a legal reason, called a lawful basis in the regulation, to use Ana’s data. That reason could be consent (she opted in) with notice (you told her what she was opting into).
Consent is one of those lawful bases, but it’s not the only one. There are six listed in the regulation, but the two other key ones for sales and marketing are:
Performance of a contract. For example, if Ana is your customer, you can email her a bill.
Legitimate interest. For example, Ana might be a customer, and you want to email her direct marketing materials about products you sell related to the one she uses.

So when asking for consent, you will need to be specific not only about the type of marketing but also about the type of lawful basis you are using.

For example, when you use the GDPR features in HubSpot to send emails, it will show which contacts have documented consent and which do not, so you can decide who to send email to.

A permission pass campaign is a one-time email campaign that requests any contacts who haven’t already used some form of opt-in to confirm that they would still like to receive emails from you. Only the contacts who confirm their subscription status are then kept on your list. Those who don’t confirm will then be opted out of your marketing emails. The result is a highly engaged list of contacts who have proven that they want to continue receiving marketing emails from your company.

Is there a limit to consent? Will we have to get permission again after X days / years?

The regulation also builds in two new rights for data subjects: a "right to be forgotten" that requires controllers to alert downstream recipients of deletion requests and a "right to data portability" that allows data subjects to demand a copy of their data in a common format. These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.

Product Playbook:
Academy Lesson: Create a GDPR Strategy:
GDPR Overview: