HubSpot GDPR and consent management

Close the scattered-consent, audit-exposure, and breach-risk gaps.

Three consent problems HubSpot solves

Consent is tracked in scattered notes and spreadsheets, so the business cannot reliably say who agreed to what or when.

An audit or a subject access request would expose the gaps, because consent and preferences are not held as defensible records.

Marketing risks breaching the rules, because it cannot easily exclude people who never consented or who have opted out.

Why is consent scattered and unreliable?

HubSpot records consent and subscription preferences against each contact, with the legal basis and the timestamp, so the business can say exactly who agreed to what and when. The scattered notes give way to one defensible record.
So when consent is questioned, the answer is on the contact, dated and sourced, rather than reconstructed from memory.
Consent in scattered notes cannot be relied on. Held against the contact, it becomes defensible.

Why is consent scattered and unreliable?

Airport1_Security_LightSkin_Illustrations_Color_LightBG

Why would an audit expose the gaps?

Because consent, preferences, and the lawful basis are structured records, an audit or a subject access request can be answered from the CRM rather than a scramble. The gaps that would have been exposed are closed.
So when a regulator or a customer asks what is held and on what basis, the record is there to produce.
Consent that cannot survive an audit is a liability. Structured records are what make it defensible.

Why would an audit expose the gaps?

Data_Library_Illustrations_Color_LightBG

Why does marketing risk breaching the rules?

Because consent and subscription status govern who can be contacted, marketing automatically excludes those who never consented or have opted out. The risk of emailing someone who should not be contacted is designed out.
So when a campaign sends, it reaches only those with a valid basis, because the CRM enforces it rather than relying on a manual check.
Marketing that cannot reliably exclude the non-consenting risks a breach. Built-in consent control removes the risk.

Why does marketing risk breaching the rules?

Driven_Results_Illustrations_Color_LightBG

Name Credas

Great quick service

"PYB stepped in and sorted our setup within a few days having not looked at our system before. They are knowledgeable and quick to act."

Jonathan Bennett

Digital Marketing Manager

Ready to discuss your HubSpot project?

Let's take our relationship up a level.

Simply fill in the form below...

(I'll get back to you ASAP)

Prefer another way?

FAQs

How long does consent management take to set up?

Most run 4 to 8 weeks. Weeks 1 to 2 cover architecture: the lawful bases, subscription types, and how consent is captured and recorded. Weeks 3 to 5 cover the build: consent properties, subscription management, form controls, and suppression rules. Weeks 6 to 8 cover review and training, so the team handles consent correctly.

Can HubSpot model consent and lawful basis?

Yes. HubSpot records consent, subscription types, and the lawful basis for communication against each contact, with timestamps, and enforces them in marketing. PYB has set up GDPR-aware consent management for clients whose consent was scattered and undefensible. Note that this is general guidance, not legal advice.

How does HubSpot help with subject access and erasure requests?

Because contact data, consent, and history are held in one structured place, a subject access request can be answered and an erasure carried out from the CRM rather than hunting across systems. PYB configures the processes that make these requests manageable. For specific legal obligations, take your own legal advice.

What HubSpot products does consent management need?

Marketing Hub Professional for subscription types, consent, and suppression. Operations Hub for syncing consent across systems. The relevant Hubs for where contact data is used. Custom Objects (Enterprise tier) where consent relates to a bespoke model.

Does HubSpot meet the standards for handling personal data under GDPR?

HubSpot holds SOC 2 Type II and ISO 27001, offers data residency options, and provides the consent and data-subject tools GDPR compliance relies on. PYB adds its own ISO 27001 and ISO 9001. The platform supports compliance, though responsibility for it rests with the business and its legal advisers.