As the GDPR deadline date is looming we thought it might be useful to answer some of the questions we’ve been asked recently about GDPR and the impact that it might have on Google Analytics data. We should note that we aren’t qualified lawyers but have provided some advice we’ve used to inform clients on the subject.
What is GDPR and when does it come into effect?
GDPR stands for General Data Protection Regulation and was designed to put in place data protection rules that companies have to abide by to protect all EU citizens. These regulations are coming into effect on Friday (May 25th).
What are the main advantages and disadvantage of GDPR?
In order to comply with GDPR, most companies will need to update their data collection methods or policy and the risk is that by doing this:
- Not all customers that previously agreed to/ signed-up to hear from businesses will choose to sign up again and so the business will lose previous visitor or customer data that they currently use to target marketing campaigns
- If companies are found to not comply to GDPR regulations then regulator fines could apply (see more below).
Data protection rules and guidelines are currently weak and ambiguous. GDPR aims to empower and protect all EU citizens allowing them more control over who holds and uses their data. Businesses will still be able to market to people in many of the same ways as before but the user will have to have given consent to be advertised to.
This ultimately means that email marketing lists will most certainly diminish but it’s best practice to clean up email marketing lists every so often and at least going forward, you’ll know your marketing messages are being seen by those who actually want to hear from you!
What happens if a company does not comply with GDPR regulations?
Significant fines may apply.
There are two tiers of fines:
- Up to €10million or 2% of annual global turnover (of previous year)- whichever is higher
- Up to €20million or 4% of annual global turnover (of previous year)- whichever is higher
Breaches of controller or processor obligations (see definition of both below) will be fined on the first tier, breaches of data subjects’ rights and freedoms will incur the higher tier.
Note- it appears there is the possibility of the fine being lowered depending on how the organisation has acted to comply with the Regulation.
What are the individual rights within GDPR that organisations need to abide by?
GDPR regulations state that personal data should be:
- Processed lawfully, fairly and in a transparent manner
- Collected for a specified, explicit and legitimate purpose
- Adequate, relevant and limited to what is necessary
- Accurate and up to date
- Stored in a form which permits identification of data subjects for no longer than is necessary for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data
Individuals will also have the right to be informed about the collection and use of their data. They should also be able to access their data, rectify it, erase it, restrict processing on it, obtain and reuse it, and object to the processing of it.
There are also additional restrictions for companies who are using automated decision making or automated profiling tools.
Data controller v’s processor- which one are you?
Are you a data controller or processor? This is important as the responsibilities for GDPR are based on this.
- A data controller is defined as the person that must exercise control over the processing and carry data protection responsibility.
- A data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
For example, we might produce reports from Google Analytics for a client and this makes us the data processor but the client who owns the Google Analytics data will remain the data controller.
Under GDPR, data processors have many more obligations to meet i.e. hold a record of all processing operations under their responsibility, execute security measures and inform the controller of any data breach. The data controllers determine the purpose and manner of processing. Data processers then act on behalf of the data controller.
So how does this impact Google Analytics?
You might have noticed emails and notifications on your Google Analytics account regarding new data retention controls. This was introduced to ensure that Google Analytics allows companies to be more compliant with GDPR and provides a company with a choice of how long they’d like to retain their user data for. It allows a company to set an expiry date on user data or to auto reset at every new activity the user makes (return visits will reset the retention period so there is no set date that the data expires on, the date can move based on the last visit).
This change will impact the use of segmentation, some custom reports, and secondary dimensions when applied in date ranges older than your retention setting. Although the notifications sound scary, note that these settings will only be applied to any data that is held on visitors at a user level and will not impact anonymised data where all user data is aggregated- which is the majority of Google Analytics accounts and reports.
What retention period do we recommend?
In our own GlowMetrics Google Analytics account, we’ve chosen to go with the 26 month option as the longest current default cookie expiry date is 2 years (24 months) which is used to distinguish a user. The 26 month option is also the default currently set for accounts.
What else do we need to know?
In addition to the above, you should also consider the below if you are using Google Analytics to track traffic to your website:
- DO NOT track any personal identifiable data WITHIN your Google Analytics account. Common places where PII can (mostly unintentionally) appear include the behaviour report and site search reports. A quick tip is to search for an @ symbol in both these reports and see if any customer details appear.
If they do, you can use Google Tag Manager to block PII BEFORE the hit is sent to GA, see Brian Clifton’s article on how to do this:
Note that this is what Google interprets as PII:
- email addresses
- mailing addresses
- phone numbers
- precise locations (such as GPS coordinates)
- full names or usernames
IP address is not listed above BUT if you want to anonymise this you can easily do this in Google Tag Manager under the variable configuration.
This changes the last number within an IP address string so this can impact any filters set-up on your account that are based on IP addresses.
- You need to create a process for receiving and processing requests for data deletion. Remember this is only for user-related data and Google have a new user deletion tool available in the API currently, but a delete button is soon to be added to the user report:
API details are here: https://developers.google.com/analytics/devguides/config/userdeletion/v3/