Using HubSpot's FREE CRM to Comply with Data Protection Laws

Written by: Tanya Wigmore

Published: 8 August, 2019

CAN-SPAM, GDPR, and now the Cayman Islands Data Protection Law (DPL) have our clients and friends always asking: "how do I know that I'm being compliant with data protection laws?"

Short answer: it's easy to be compliant if you use people's contact info to send them info that they said they wanted to receive or that they expect to receive based on your service agreement. 

✅ Sending your customers information about their services or orders. 

✅ Following up with a potential lead during your sales process. 

✅  Sending marketing emails to people who said they wanted to receive them. 

❌ Sending emails to the customers of a friends' company about your products and services. 

❌ Selling or giving the emails of your leads or prospects to a third-party. 

❌ Sending marketing emails to people who have not expressed any interest in receiving them or who have asked not to receive them. 

"If you say yes now, you can always say no later"

Wise advice not just for that kind of consent but also for data privacy. Don't get accused of mailing someone after they've said 'no'. 

Keeping a Record of Consent. 

The first thing you need to do to ensure you're compliant with data protection laws is to have a record of consent. This is fairly easy to do if you're using a CRM to keep your contacts organized (HubSpot CRM is FREE so there's no reason to not use a CRM). In your CRM you'll be able to identify what your legal basis for contacting someone is and it's stored on their record, so if you're ever getting audited you can identify why you included them in your email. 

If you're using HubSpot Forms (or any other GDPR compliant form that syncs with your CRM) you can set your data collection disclaimer right into the form, so anyone who fills it out has received the proper notification of what you're collecting their information for and how you will use it. You can also set up check boxes to have people opt-in to your mailing lists, which is also tracked on their contact record for their freely given consent for marketing materials. 

Data collection disclaimer on HubSpot forms.

You can change the text in those blurbs as well to customize the message. 

But what about all those contacts who are already in your database that you don't have any record of their consent? Can you still mail these people?

It depends on why you have their info...

Legitimate Interest for Your Current Clients

If a contact is a client, you already have assumed consent to contact them. Go ahead and update your CRM records for these contacts.

HubSpot Legitimate Interest
It's important to note here that you may not have consent to blast your customers with marketing emails. Use your discretion and think 'is this an email that my average customer would want to receive'? Not only is this good advice for DPL compliance, it's good common sense for keeping customers happy. 

One way to get your existing contacts to 'opt-in' to email lists it is to ask them to update their contact info and include the subscription confirmation check boxes as part of that process. If you have a few different mailing lists, ask them which ones they want to remain on or add themselves to. This can easily be rolled into your regular engagement renewal process. 

Create a Segment for Your Current Prospects & Leads

If someone has reached out to you for information and is in your sales process, you already have implied consent to contact them. If they haven't already given consent to be put on all your mailing lists, you might want to hold off. Getting blasted with too many marketing materials might not help you close that sale. What will help you nurture that lead and close the sale are strategic marketing automation emails specific to their conversion funnel and persona. 

Segment Event Attendees, Job Seekers, and Industry Partners

Depending on your line of business and how you added people to your CRM, you may be able to easily segment your contacts into a few different groups. Event attendees who were uploaded from a certain list can be tagged as event attendees. Those who applied for jobs can be tagged as job seekers. Whatever ways you can segment your lists to identify why you have these contacts on your list is essential.  

Conduct a Contact Audit to Clean Out the Junk

Deleting a contact from your CRM causes anxiety in people. It's not just you. Your contact growth is one of the measures of your success as a marketer and going in to WILLINGLY delete them just feels so wrong. 

If you haven't done one recently, it's time for a CRM contact audit. Cleaning out those junk contacts who never existed or no longer exist at that phone number or email address can make the process of identifying who should stay on your list a whole lot easier. 

Asking Contacts to Opt-In

You've received a bunch of emails that asked you to 'opt in so we can keep mailing you'. 

How many of those did you opt in to?

If you're like me, it wasn't many. And now you're in a panic that when you ask contacts to opt-in, no one is going to. 

Send Highly Targeted Emails to Your Segmented Lists

Now that you've created lots of different segmented lists, it's time to get consent from those who you have no documented record of consent for. For those who attended events, send an email that talks about events and keeping up to date with all the events that are coming up next year. For job seekers, tailor the message to be about getting updates for more opportunities. For your industry partners, mention how you're the #1 source for news in the industry (or whatever value you add to the relationship) and give them some FOMO to encourage them to opt-in. 

Email Those Who Are Left

Ultimately, you'll have a few contacts who just don't fit neatly into these lists. For those who you just don't know who they are or why they're on your list, you can hit them with a generic 'stay in touch' email - making sure that you include the benefit to them of staying onboard. 

You Won't Keep Everyone, And That's OK

You're going to have some drop-off and while your shrinking mail list might be hard on the ego, it's great for email engagement rates. 

People who don't want your emails are likely not interested in your products or services. 

Taking these people off your lists is not a bad thing. People who don't want your emails are likely not interested in your products or services and are not opening your emails anyway. If they change their mind and become interested again, they'll find you.


Disclaimer: This article is not intended as legal advice. It is strongly recommended that you familiarize yourself with local data protection laws in your country and in the countries that you are marketing to. 

Attorney Marketing

Written by: Tanya Wigmore

Tanya Wigmore is the founder of CRO:NYX Digital and is passionate about growing healthy teams and businesses. With an extensive background in inbound marketing, search marketing, web analytics, CRO & UX, she's always finding new ways to apply optimize and improve.

Let's Get to Work!

We’d love to chat about how we can help you with your next project.

Get started

Let's Get to Work!

We’d love to chat about how we can help you with your next project.

Get started