
Google Analytics and GDPR Compliance

On 25th May 2018, GDPR came into effect across the EU. If your company takes data privacy seriously and is using Google Analytics at the very least to improve and optimise your advertising and outreach initiatives, you should be taking GDPR

The regulation has the potential to levy considerable fines on your business for a breach of the legislation. Under the legislation, if you use Google Analytics, Google is your data processor but you are the data controller, since you control the data being fed into the analytics tool.

We have put together a list of tasks your company should be executing to become and stay GDPR compliant. If you have already undertaken these actions, let this list serve as a reminder to stay compliant.

It is important to note that GDPR covers a whole lot more than just analytics. Companies were given a 2-year period to put in place the infrastructure needed to comply with this legislation. While the list can be considered best practice, it is advisable for your company to take legal counsel to ensure compliance in its entirety. This is primarily because GDPR can be interpreted in many ways depending on your legal knowledge.

So, What Is GDPR?

The General Data Protection Regulation, widely referred to as GDPR, is a regulation that came into effect on 25th May 2018 and requires businesses to actively protect the personal data and privacy of EU citizens. GDPR aims to place high levels of control in the hands of citizens concerning the collection, storage and processing of their personal information.

GDPR effectively sets out principles and guidelines that align data management practices with rights of individuals in the digital age. Non-conformance or breaching GDPR can lead to companies being fined heavily.

While it is a legislation within the EU protecting citizens within this area, if your company operates outside the EU but has customers within the EU, GDPR applies to you.

GDPR Compliance With Google Analytics – Key Points

Ensure no PII is recorded
Personally Identifiable Information (PII) is any piece of data that can be used to reveal the identity of an individual. Data pieces that can be considered PII are phone numbers, IP Addresses, usernames, email IDs etc.

Under GDPR your organisation needs to ensure no PII is being recorded, stored or transmitted. Simply filtering out PII through analytics does not translate to GDPR compliance. Your organisation needs to ensure that at the root level no PII data is being transmitted to analytics. A simple start to this would be to thoroughly audit all the data you store and ensure PII is not being transmitted.

Talk to your development team and ensure your URLs, page titles and other data dimensions are not transmitting PII. For example, check whether your page URL contains an “email=example@site.com” parameter. Such a string usually implies a PII leak to other marketing and tracking technologies on your website.
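One way to run this check at the source, before a page URL or title is handed to any tracking tag. This is an added example, not code from the original article; the function names, the list of parameter names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example: audit a page URL and title for PII before they reach analytics.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// Parameter names that commonly carry identifiers (assumed list; extend per site).
const PII_KEYS = new Set(['email', 'e-mail', 'mail', 'phone', 'tel', 'username']);

// Decode a URL component without throwing on malformed percent-escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns what was found plus a redacted URL and title that are safe to send.
function auditPage(pageUrl, pageTitle) {
  const url = new URL(pageUrl);
  const findings = [];

  // 1. Query string: flag by parameter name or by an email-shaped value.
  for (const [key, value] of [...url.searchParams]) {
    if (PII_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      findings.push(`query parameter "${key}"`);
      url.searchParams.set(key, 'REDACTED');
    }
  }

  // 2. Path segments such as /user/jane%40site.com/orders.
  url.pathname = url.pathname.split('/').map((seg) => {
    if (!EMAIL_RE.test(safeDecode(seg))) return seg;
    findings.push('path segment');
    return 'REDACTED';
  }).join('/');

  // 3. Page title, which analytics records alongside the URL.
  let safeTitle = pageTitle;
  if (EMAIL_RE.test(pageTitle)) {
    findings.push('page title');
    safeTitle = pageTitle.replace(new RegExp(EMAIL_RE.source, 'gi'), 'REDACTED');
  }
  return { findings, safeUrl: url.toString(), safeTitle };
}

// Constructed sample input, using the article's example parameter.
const sample = auditPage(
  'https://shop.example/thanks?email=example@site.com&page=2',
  'Order confirmed for example@site.com'
);
console.log(sample.findings, sample.safeUrl, sample.safeTitle);
```

A non-empty `findings` list is the signal to fix the page that generates the URL or title; the redacted values only stop the leak in the meantime.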

Review your website’s privacy policy 
Go back to your website’s privacy policy, especially if features such as “Advertising Features” are enabled in your GA. Your company needs to ensure that the privacy policy is informative to the end user. The notice has to be written in a way that is clear, understandable and concise. The policy needs to cover (but is not limited to):

  • Information website users voluntarily provide to you and information you automatically collect from them
  • Details of technologies you use on the site (tracking, cookies etc.) to collect and store information upon their landing on your site
  • Details on information gathered from third-party sources and apps (social media, databases etc)
  • How your company protects data collected on users

Additionally, if you have enabled any Google Analytics features, you are now required to notify users by disclosing the following information:

  • The Google Analytics features you have implemented
  • How you and third-party vendors use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together
  • How your visitors can opt-out from having their data tracked by these features (ad-settings etc.)

Explicit Consent For User-ID Tracking

If your organisation utilises the User-ID feature of Google Analytics, you now need to acquire explicit consent from your users that you are going to track their activities across devices. As per GDPR, the data should be stored strictly only after the consent has been provided by the user.
A more ethical way to approach this would be to manage your tracking through Tag Manager. This allows you to set user IDs only when the visitor has given consent for identification.

Use Data Retention Controls (Google Tool 1)
To guide companies in achieving compliance under GDPR, Google released a set of tools to help. The User Data Retention Controls is the first tool being covered here. This tool allows you to set the time limit before user-level and event-level data stored by analytics is automatically deleted from the server. This time limit applies to user-level and event-level data associated with cookies, user identifiers and ad identifiers (Doubleclick cookies, Ad ID etc.).
However, the standard aggregated Analytics reporting remains unaffected. The data managed by this setting is required only when advanced features such as custom segments in reports or unusual custom reports are being developed.
The ideal approach is to adjust the setting so that it reflects your own data retention policy, to ensure best practice alignment. The default period is set by GA at 26 months, because standard cookies have an expiration time of 24 months or lower. Unless you are dependent on granular data retention or have cookies set for over 26 months as an expiration period, adjustments do not have to be made.
You also need to signal to GA that you have acknowledged the changes. This can be done through the following steps:
Admin –> Property –> Tracking Information –> Data Retention –> Save

User Deletion Tool (Google Tool 2)

The user deletion tool is the second tool that Google released as part of the initiative to help companies gain GDPR compliance. This tool is aimed at meeting the requirements outlined under GDPR providing users with the “Right to Erasure”. From your end, the tool allows you to manage the deletion of all data associated with any individual user from within your Google Analytics account.

Switch on “IP Anonymisation”

Another crucial step is switching on IP Anonymisation in GA, as under GDPR IP addresses are considered PII. Although IP addresses (by default) are not exposed in the reporting process, Google does use them to provide geo-location data, which in turn can breach GDPR. To stay compliant and avoid a breach, it is recommended to turn this feature on in GA, which requires a simple code change to execute.
This can be done with Google Tag Manager by adjusting your tag or Google Analytics settings variable. The steps are as follows:
More settings –> Fields to set –> Add new field (Name it “anonymizeIp” with a value of “true”)
Note that if you do not use tag manager, your tag management system may have this setting exposed as an option and you may have to edit the code directly.

If executed correctly, Google will anonymize the IP addresses as soon as technically feasible by removing the last set of digits from the IP (the last portion is replaced with a ‘0’). The anonymization happens before storage and processing begin, ensuring that the full IP address is never written to the disk. The impact of this step on your reporting is that geographic location accuracy is slightly reduced.
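For sites that edit the tracking code directly, the two settings described above (User-ID only after explicit consent, and anonymizeIp switched on before any hit is sent) can be expressed as an analytics.js command sequence with a check over it. This is an added example, not code from the original article; the consent object shape, the function names and the tracking ID placeholder are assumptions.

```javascript
// Added example: build and audit the analytics.js commands for one page view.
const TRACKING_ID = 'UA-XXXXXXX-Y'; // placeholder, not a real property ID

// consent is an assumed shape: { identification: true|false }.
function buildGaCommands(consent, userId) {
  const cmds = [['create', TRACKING_ID, 'auto']];
  // Set before the first hit so every hit carries the anonymisation flag.
  cmds.push(['set', 'anonymizeIp', true]);
  // User-ID is attached only after explicit consent to identification.
  const consented = Boolean(consent) && consent.identification === true;
  if (consented && typeof userId === 'string' && userId !== '') {
    cmds.push(['set', 'userId', userId]);
  }
  cmds.push(['send', 'pageview']);
  return cmds;
}

// Reviews any command sequence (for example one copied from an existing tag).
function auditGaCommands(cmds, consent) {
  const problems = [];
  const firstSend = cmds.findIndex((c) => c[0] === 'send');
  const anon = cmds.findIndex(
    (c) => c[0] === 'set' && c[1] === 'anonymizeIp' && c[2] === true
  );
  if (anon === -1 || (firstSend !== -1 && anon > firstSend)) {
    problems.push('anonymizeIp is not set before the first hit');
  }
  const setsUserId = cmds.some((c) => c[0] === 'set' && c[1] === 'userId');
  if (setsUserId && !(consent && consent.identification === true)) {
    problems.push('userId is set without consent');
  }
  return problems;
}

// In the browser: buildGaCommands(consent, id).forEach((c) => ga(...c));
console.log(buildGaCommands({ identification: false }, 'u-1001'));
```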
