GDPR Compliance Checklist for HubSpot Marketing Automation Workflows
Why GDPR Compliance in HubSpot Workflows Demands Attention
Marketing automation workflows are powerful—but they're also where GDPR violations happen most frequently. Every workflow that sends an email, updates a property, or triggers based on contact behaviour involves personal data processing. If your legal basis isn't solid or your consent tracking is broken, you're exposed.
HubSpot provides GDPR tools, but they don't configure themselves. The platform gives you the building blocks—subscription types, legal basis tracking, consent banners—but assembling them correctly is your responsibility. This checklist will help you audit existing workflows and build compliant ones from scratch.
Section 1: Consent and Legal Basis Configuration
Verify Your Legal Basis Tracking Is Active
Before touching any workflow, confirm your HubSpot portal has GDPR settings enabled:
- Navigate to Settings > Privacy & Consent > Data Privacy Settings
- Ensure "Turn on data privacy settings" is toggled on
- Verify the legal basis properties are visible on contact records
- Check that subscription types align with your actual marketing activities
Map Each Workflow to a Specific Legal Basis
Every marketing workflow needs a documented legal basis. Create a simple mapping document:
- Consent (Article 6(1)(a)): Newsletter sequences, promotional campaigns, event invitations
- Legitimate Interest (Article 6(1)(f)): Transactional follow-ups, service-related communications
- Contract Performance (Article 6(1)(b)): Onboarding sequences for paying customers
For each workflow in your portal, add a note in the workflow description stating the legal basis and where consent was captured. This documentation matters during audits.
Build Enrollment Filters That Check Consent
Never enroll contacts without validating their consent status. Your workflow enrollment triggers should include:
- "Legal basis for processing contact's data" is "Freely given consent from contact"
- "Email subscription status" for the relevant subscription type is "Subscribed"
- Consider adding: "Unsubscribed from all email" is not equal to "True"
For legitimate interest workflows, you still need enrollment filters—but they should check that contacts haven't opted out rather than confirming opt-in.
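The three enrollment filters above, plus the suppression-list exclusion used later in this checklist, are easy to express as a single gate function. The following is an added example written for this page, not HubSpot code or Entflow code: contact records are constructed, simplified dicts whose field names are not HubSpot's internal property names, and "Marketing Information" is an assumed subscription type. It shows the difference between a consent-based gate (opt-in must be proven) and a legitimate-interest gate (only the absence of an opt-out is checked).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Value of "Legal basis for processing contact's data" that a consent-based
# workflow must require (the label shown in the HubSpot filter UI).
CONSENT = "Freely given consent from contact"


@dataclass
class Contact:
    """Constructed, simplified contact record (field names are not HubSpot's internal ones)."""
    email: str
    legal_basis: Optional[str]                                   # None = property never set
    subscriptions: Dict[str, str] = field(default_factory=dict)  # type -> "Subscribed"/"Unsubscribed"
    unsubscribed_from_all: bool = False                          # "Unsubscribed from all email"
    suppressed: bool = False                                     # member of "GDPR Suppression - Do Not Contact"


def enrollment_check(contact: Contact, subscription_type: str, basis: str) -> Tuple[bool, List[str]]:
    """Mirror the checklist's enrollment filters; return (eligible, reasons for refusal).

    basis is "consent" (opt-in must be proven) or "legitimate_interest"
    (only the absence of an opt-out is checked).
    """
    reasons: List[str] = []
    status = contact.subscriptions.get(subscription_type)

    # Exclusions every marketing workflow carries, whatever its legal basis
    if contact.suppressed:
        reasons.append("on GDPR suppression list")
    if contact.unsubscribed_from_all:
        reasons.append("unsubscribed from all email")

    if basis == "consent":
        if contact.legal_basis != CONSENT:
            reasons.append("legal basis is not freely given consent")
        if status != "Subscribed":
            reasons.append(f"not subscribed to '{subscription_type}'")
    elif basis == "legitimate_interest":
        if status == "Unsubscribed":
            reasons.append(f"opted out of '{subscription_type}'")
    else:
        raise ValueError(f"unknown legal basis mode: {basis}")

    return (not reasons, reasons)


def enrollable(contacts: List[Contact], subscription_type: str, basis: str) -> List[str]:
    """Emails that pass the gate, in input order."""
    return [c.email for c in contacts if enrollment_check(c, subscription_type, basis)[0]]


# Constructed sample contacts (not real data)
SAMPLE_CONTACTS = [
    Contact("alice@example.com", CONSENT, {"Marketing Information": "Subscribed"}),
    Contact("bob@example.com", CONSENT),  # consent recorded, never subscribed to this type
    Contact("carol@example.com", "Legitimate interest - prospect/lead",
            {"Marketing Information": "Unsubscribed"}),
    Contact("dave@example.com", CONSENT, {"Marketing Information": "Subscribed"}, suppressed=True),
    Contact("erin@example.com", None, unsubscribed_from_all=True),
]

if __name__ == "__main__":
    for mode in ("consent", "legitimate_interest"):
        print(mode, "->", enrollable(SAMPLE_CONTACTS, "Marketing Information", mode))
    print(enrollment_check(SAMPLE_CONTACTS[3], "Marketing Information", "consent"))
```

Bob is the instructive case: his legal basis is consent, but he never subscribed to the relevant type, so a consent-based newsletter must not enroll him, while a legitimate-interest service notice may. Dave fails both modes because the suppression list overrides everything else, which is exactly the behaviour the exclusion criterion in Section 3 is meant to guarantee.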
Section 2: Data Minimisation in Workflow Actions
Audit Property Updates Within Workflows
Workflows often set properties automatically. Review each workflow for:
- Properties being set that aren't necessary for the workflow's purpose
- Personal data being copied across multiple properties (data sprawl)
- Properties being populated with inferred data that could be inaccurate
The GDPR principle of data minimisation means only processing data necessary for the stated purpose. If a workflow sets a "Marketing Qualified" property, that's legitimate. If it's also logging browsing behaviour into custom properties without clear purpose, that's questionable.
Review Integration Actions
Workflows that sync data to external tools (via native integrations or Operations Hub) require extra scrutiny:
- Does the receiving system have appropriate data processing agreements in place?
- Is the data transfer necessary, or are you syncing "everything just in case"?
- Are you sending data outside the EEA without appropriate safeguards?
Create a list of all external systems your workflows touch. Cross-reference with your data processing agreements.
Section 3: Suppression Lists and Right to Erasure
Implement Workflow Exclusion Lists
Contacts who've exercised GDPR rights need automatic exclusion from all marketing workflows. Set up:
- A static list called "GDPR Suppression - Do Not Contact"
- Add this list as an exclusion criterion to every marketing workflow
- Create a workflow that automatically adds contacts to this list when certain properties are set (e.g., when "GDPR deletion requested" equals "Yes")
Handle Deletion Requests in Active Workflows
When a contact requests deletion but is mid-workflow:
- They should be immediately unenrolled from all workflows
- Create a workflow that triggers on deletion request property changes
- Use the "Remove from workflow" action for all marketing workflows
- Consider a delay before actual deletion to ensure all systems sync
Audit Your Suppression Process
Test your suppression flow monthly:
- Create a test contact with a clearly fake email
- Enroll them in several workflows
- Trigger your suppression/deletion process
- Verify they're removed from all workflows within your stated timeframe
Section 4: Documentation and Audit Trail
Document Every Workflow's GDPR Rationale
For each marketing workflow, maintain documentation including:
- Workflow name and ID (the ID is in the URL when editing)
- Legal basis for processing
- Data processed (which properties are read or written)
- Retention period (how long contacts stay enrolled, when data is cleared)
- Last review date and reviewer name
Store this in a spreadsheet or your documentation system. Update it whenever workflows change.
Set Up Consent Audit Reports
Create saved reports in HubSpot that help you spot compliance issues:
- Contacts enrolled in marketing workflows without valid consent
- Contacts with missing legal basis properties who've received marketing emails
- Contacts who've opted out but have recent workflow enrollment history
Schedule these reports to email your compliance team weekly.
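The three reports above can be prototyped offline before you build them as saved HubSpot reports, which helps confirm the logic against known contacts. The following is an added example written for this page, not HubSpot or Entflow code. It runs over constructed contact records (field names are simplified, not HubSpot's internal property names), uses hypothetical workflow ids mapped to their documented legal basis, and adds a fourth check the page's Section 1 implies: enrollment in a workflow that has no documented legal basis at all.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

CONSENT = "Freely given consent from contact"


@dataclass
class ContactRecord:
    """Constructed, simplified contact (field names are not HubSpot's internal ones)."""
    email: str
    legal_basis: Optional[str]                                            # None = never set
    opted_out_on: Optional[date] = None                                   # when "Unsubscribed from all email" became True
    enrollments: List[Tuple[str, date]] = field(default_factory=list)    # (workflow id, enrolled on)
    marketing_sends: List[date] = field(default_factory=list)            # marketing email send dates


# Hypothetical workflow ids -> legal basis documented in the workflow description
WORKFLOW_BASIS: Dict[str, str] = {"wf-1001": "consent", "wf-1002": "legitimate_interest"}


def consent_audit(contacts: List[ContactRecord], workflow_basis: Dict[str, str]) -> Dict[str, list]:
    """Return the findings for each of the checklist's audit reports."""
    findings: Dict[str, list] = {
        "enrolled_without_valid_consent": [],   # consent workflow, but legal basis is not consent
        "emailed_without_legal_basis": [],      # marketing sent while legal basis property empty
        "opted_out_but_enrolled": [],           # enrolled on or after the opt-out date
        "workflow_without_documented_basis": [],  # enrolled in a workflow missing from the map
    }
    for c in contacts:
        for wf_id, enrolled_on in c.enrollments:
            basis = workflow_basis.get(wf_id)
            if basis is None:
                findings["workflow_without_documented_basis"].append((c.email, wf_id))
            elif basis == "consent" and c.legal_basis != CONSENT:
                findings["enrolled_without_valid_consent"].append((c.email, wf_id))
            # Enrollment before the opt-out is expected; on or after it is a finding.
            if c.opted_out_on is not None and enrolled_on >= c.opted_out_on:
                findings["opted_out_but_enrolled"].append((c.email, wf_id))
        if c.marketing_sends and c.legal_basis is None:
            findings["emailed_without_legal_basis"].append(c.email)
    return findings


def report_lines(findings: Dict[str, list]) -> List[str]:
    """One line per report, suitable for the weekly compliance-team mail."""
    return [f"{name}: {len(items)} finding(s)" for name, items in findings.items()]


# Constructed sample data (not real contacts)
SAMPLE_RECORDS = [
    ContactRecord("alice@example.com", CONSENT,
                  enrollments=[("wf-1001", date(2024, 3, 1))], marketing_sends=[date(2024, 3, 2)]),
    ContactRecord("bob@example.com", None,
                  enrollments=[("wf-1001", date(2024, 3, 5))], marketing_sends=[date(2024, 3, 6)]),
    ContactRecord("carol@example.com", "Legitimate interest - prospect/lead",
                  enrollments=[("wf-1002", date(2024, 3, 7))]),
    ContactRecord("dave@example.com", CONSENT, opted_out_on=date(2024, 3, 10),
                  enrollments=[("wf-1001", date(2024, 3, 12))]),
    ContactRecord("erin@example.com", CONSENT, opted_out_on=date(2024, 3, 10),
                  enrollments=[("wf-1001", date(2024, 3, 1))]),   # enrolled before opting out: clean
    ContactRecord("frank@example.com", CONSENT,
                  enrollments=[("wf-1003", date(2024, 3, 8))]),   # workflow with no documented basis
]

if __name__ == "__main__":
    for line in report_lines(consent_audit(SAMPLE_RECORDS, WORKFLOW_BASIS)):
        print(line)
```

Erin is the edge case worth keeping in any test set: an opt-out after a legitimate enrollment is normal and must not be reported, otherwise the report drowns in noise and real post-opt-out enrollments (Dave) get ignored.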
Implement Workflow Change Logging
HubSpot's workflow history shows enrollment data, but not configuration changes. Establish a change log process:
- Before modifying any workflow, screenshot current settings
- Document what changed, why, and who approved it
- For significant changes, note whether a GDPR re-assessment was needed
Practical Implementation Checklist
Use this checklist for every marketing workflow:
- Legal basis documented in workflow description
- Enrollment criteria include consent/subscription checks
- GDPR suppression list added as exclusion criterion
- All property updates are necessary and documented
- External integrations have valid DPAs
- Workflow reviewed within the last 12 months
- Unenrollment triggers exist for opt-out/deletion requests
Moving Forward
GDPR compliance isn't a one-time project—it's an ongoing operational discipline. Schedule quarterly reviews of your marketing workflows, especially after campaigns or when new team members build automations. The hour spent reviewing beats the alternative: explaining to your DPO why 10,000 contacts received emails they never consented to.
Start with your highest-volume workflows. Those touch the most contacts and present the greatest risk. Once those are solid, work through the long tail of nurture sequences and event-triggered automations. Your future self—and your compliance team—will thank you.
Keep going
If this resonates, here's where to dig in next:
- AI Workflow Audit - GDPR consent gate checks and compliance analysis built into every audit.
- Conflict Detection - Identify overlapping enrollments and property write collisions.
- Workflow Changelog - Full audit trail of every workflow change for compliance documentation.
- Entflow documentation - full reference for everything covered above.
- More from the Entflow blog - RevOps guides, HubSpot patterns, and audit techniques.