GDPR Compliance

What is the GDPR anyway?

The GDPR (General Data Protection Regulation) is an EU Regulation that substantially strengthens the safeguarding of personal data belonging to EU citizens and imposes greater responsibilities on organizations that collect or process such data. It extends and enhances many of the requirements for data privacy and security outlined in the 1995 Directive, while introducing several new provisions to reinforce the rights of data subjects and impose stricter penalties for breaches. The regulation became enforceable on May 25th, 2018.

What was the story before the GDPR?

You’ve probably heard a great deal about the GDPR in 2018, but did you know that EU data protection legislation has been in place for quite some time? Even before the GDPR replaced the 1995 EU Data Protection Directive in May 2018, the Directive established eight data protection principles that have been regulating the handling of personal data by organizations for over two decades!

Does the GDPR apply to me?

The GDPR applies to businesses that either a) market their products to individuals in the EU or b) monitor the behavior of individuals in the EU. In essence, even if your business operates outside of the EU, if you control or process the data of EU citizens, the GDPR will still be applicable to you.

Disclaimer: This website does not serve as an exhaustive treatise on EU data privacy nor does it offer legal counsel for your company’s compliance with EU data privacy laws such as the GDPR. Instead, it furnishes background details to enhance your understanding of how HubSpot has addressed key legal aspects. It’s important to note that this legal information does not constitute legal advice, wherein an attorney applies the law to your specific circumstances. Therefore, we strongly recommend consulting an attorney if you seek guidance on interpreting this information accurately. In summary, this document should not be relied upon as legal advice or as an endorsement of any specific legal interpretation.

Important components of the GDPR


The GDPR elevates the standard for obtaining consent by necessitating that it be “freely given, specific, informed, and unambiguous.” Controllers must employ “clear and plain” legal language that is “clearly distinguishable from other matters.” Additionally, controllers must furnish evidence demonstrating the compliance of their processes and their adherence in each instance.

Essentially, customers cannot be coerced into consent, nor can they be unaware that they are consenting to the processing of their personal data. They must have precise knowledge of what they are consenting to, and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be deduced from silence, pre-ticked boxes, or inactivity. Therefore, informing the user during the opt-in process becomes increasingly crucial.

New Rights for Individuals

The regulation also introduces two new rights for data subjects: the “right to be forgotten,” which mandates controllers to notify downstream recipients of deletion requests, and the “right to data portability,” enabling data subjects to request a copy of their data in a common format. These rights simplify the process for users to demand deletion of stored information or to request sharing of collected information.

Access Requests

Data subjects have always possessed the right to request access to their data. However, the GDPR enhances these rights. In most cases, organizations cannot charge for processing an access request, unless they can demonstrate that the cost would be excessive. The timeframe for processing an access request will also be reduced to one month (with a possible extension of two months in certain circumstances). In specific cases, organizations may reject granting an access request, such as when the request is deemed manifestly unfounded or excessive. Nevertheless, organizations must establish clear refusal policies and procedures, and substantiate why the request meets these criteria.

Privacy by Design and DPIA

The GDPR introduces several new principles for entities handling personal data. This includes a mandate to incorporate data privacy “by design” during the development of new systems, as well as an obligation to conduct a Data Privacy Impact Assessment (DPIA) when processing data using “new technologies” or in high-risk scenarios. A DPIA involves systematically evaluating the potential impact of a project or initiative on individuals’ privacy, enabling the identification of potential privacy issues before they arise. This allows organizations to devise strategies to mitigate these issues before the project commences.

Data Privacy Officer

In terms of security, the GDPR mandates many businesses to appoint a Data Privacy Officer (DPO) to oversee their compliance efforts. Organizations requiring DPOs include public authorities, entities engaged in regular and systematic monitoring of data subjects on a large scale, or those processing sensitive personal data on a large scale.

Contracts & Privacy Documentation

Given that transparency and fairness are central to the GDPR, Controllers and Processors must review their Privacy Notices, Privacy Statements, and internal data policies to ensure compliance with GDPR requirements. If a Controller engages third-party vendors to process personal data under their control, they must update their contracts with those Processors to incorporate the new mandatory Processor provisions outlined in Article 28 of the Regulation. Similarly, Processors should assess the changes needed in their customer contracts to achieve GDPR compliance.

One-Stop Shop

A noteworthy feature within the GDPR aims to simplify the responsibilities of Data Protection Officers: the introduction of the “one-stop shop” provision. This provision establishes a “lead supervisory authority” for organizations operating in multiple EU countries. This central authority serves to alleviate the challenge of navigating inconsistent directives from various supervisory authorities.

Reporting Breaches

The GDPR mandates that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the data was anonymized or encrypted. In practice, this implies that most data breaches must be reported to the Data Protection Commissioner. Breaches likely to result in harm to individuals, such as identity theft or breach of confidentiality, must also be reported to the affected individuals.



The GDPR extends its reach to non-EU businesses engaging in marketing to EU residents or monitoring the behavior of individuals within the EU. Hence, regardless of being headquartered outside the EU, if you manage or process data belonging to EU citizens, it’s likely that the GDPR applies to your operations.


The concept of accountability mandates that Controllers and Processors must demonstrate their adherence to GDPR standards to their local supervisory authority. This entails documenting, implementing, and regularly reviewing processes. Staff training should be conducted, and appropriate technical and organizational measures must be in place to ensure and exhibit compliance.

Severe Penalties

The GDPR’s significance is emphasized by its introduction of stringent penalties for infringements. Depending on the nature of the violation, controllers and processors found mishandling personal data or breaching data subjects’ rights could face fines of up to €20 million or 4% of their global annual turnover (whichever is higher).

If you’re currently a Sales Titan customer or partner, kindly reach out to your account manager for any additional inquiries, feedback, or suggestions you may have.

GDPR Compliance

Although the DPD was replaced by the GDPR, it establishes the eight data protection principles upon which the GDPR is built. These principles govern how organizations should handle personal data and are outlined below:

1. Obtain and process personal data fairly.
2. Use it only for specified and lawful purposes.
3. Process it only in ways compatible with its original purpose.
4. Keep it safe and secure.
5. Maintain accuracy and ensure it is up-to-date.
6. Ensure it is adequate, relevant, and not excessive.
7. Retain it only for as long as necessary.
8. Provide individuals with a copy of their personal data upon request.

The DPD was a Directive, a legislative act setting a goal for all EU countries to achieve. However, each country can devise its own laws to meet these goals. For instance, in Ireland, the goals of the DPD were implemented through the Irish Data Protection Act, 1998.

In contrast, a Regulation, such as the GDPR, is a binding legislative act that applies uniformly across the EU.

For those not acquainted with the term, “double-opt-in” is a two-step process wherein an individual must verify their email address after initially subscribing. The GDPR does not mandate double-opt-in (although specific countries might enforce this).

It’s important to highlight that subscribers to the Sales Titan service have the option to enable double-opt-in functionality in their portals. This serves as an extra protective measure to demonstrate that necessary consent was obtained.

In June 2016, a majority of UK voters supported leaving the EU in the “Brexit” referendum. Subsequently, in March 2017, Theresa May invoked Article 50 to commence the Brexit negotiations.

As the terms of Brexit evolve over time, this regulatory resource may prove helpful: [](

If your operations are situated outside the UK but involve vendors or affiliates in the UK with whom you share personal data, it’s important to monitor developments in this domain. With the UK’s departure, cross-border data flows may not automatically possess adequate safeguards, necessitating additional measures to safeguard data transferred to the UK.

While individuals already possessed a range of rights safeguarding their personal data under the 1995 Data Protection Directive, the GDPR significantly enhances these rights. Now, data subjects can:

  •  Request details regarding how their data is processed by an organization or business.
  • Obtain copies of personal data held by an organization.
  • Rectify incorrect or incomplete data.
  • Request erasure of their data by an organization, particularly when there’s no legitimate reason for its retention.
  • Request their data from an organization and have it transmitted to another (Data Portability).
  • Object to the processing of their data by an organization under certain circumstances.
  • Avoid being subject to automated decision-making, including profiling, with some exceptions.

No, the GDPR does not mandate data storage within the EU, and the regulations governing the transfer of personal data outside the EU remain unchanged. This means that, as long as personal data is adequately protected, it can be transferred abroad. For instance, the EU has compiled a list of countries considered to offer an adequate standard of protection (referred to as “white-listed countries”), permitting data transfer to these nations. In cases where a country is not on the EU list (e.g., the USA), the controller must rely on approved contractual provisions (such as the Model Clauses or Corporate Binding Rules) or other alternative measures stipulated by law, such as Privacy Shield certification.

Below, we’ve gathered a list of supplementary websites for further insights on the new regulation. Feel free to explore them:

1. The Irish Data Protection Commissioner’s GDPR website
2. Guidance from the German Federal Commissioner for Data Protection on the GDPR
3. HubSpot’s GDPR compliance functionality
4. EU Data Protection Supervisor
5. HubSpot’s Security Program page
6. Find your Supervisory Authority
7. Full text of the GDPR
8. Full text of the GDPR in German
9. The EU’s GDPR website
10. The UK Information Commissioner’s Office website

Our research on GDPR

Discover the level of preparedness among others for the GDPR and explore consumer sentiments regarding the changes in our research!

Develop a strategy for GDPR

In this lesson, you will gain insights into what the GDPR entails, the enhancements aimed at safeguarding personal data, and the ramifications it has on the realms of inbound marketing and sales. You will delve into the adjustments that may be necessary for your business and strategies for optimal GDPR preparedness.

Our Free GDPR Compliance Checklist

For our customers and partners, Sales Titan has devised a complimentary GDPR compliance checklist to assist you in discerning your subsequent actions.

What was the level of preparedness among marketers for the GDPR?

Discover the perspectives of consumers and marketers on the GDPR. We've conducted a survey with over 3,000 consumers to provide you with valuable insights.

Our GDPR Glossary

The GDPR was crafted by legal experts, so it's natural to find a considerable amount of legal terminology within its text. However, fret not, as our glossary will assist you in comprehending the key definitions.