On 25th May 2018, GDPR came into effect across the EU. If your company takes data privacy seriously and is using Google Analytics at the very least to improve and optimise your advertising and outreach initiatives, you should be taking GDPR
The regulation has the potential to levy considerable fines on your business for a breach of the legislation. Under the legislation, if you use Google Analytics, Google is your data processor but you are the data controller, since you control the data being fed into the analytics tool.
We have put together a list of tasks your company should be executing to become and stay GDPR compliant. If you have already undertaken these actions, let this list serve as a reminder to stay compliant.
It is important to note that GDPR covers a whole lot more than just analytics. Companies were given a 2-year period to put together the infrastructure needed to comply with this legislation. While the list can be considered best practice, it is advisable for your company to take legal counsel to ensure compliance in its entirety. This is primarily due to the many interpretations of GDPR that can come up depending on your legal knowledge.
The General Data Protection Regulation, widely referred to as GDPR, is a regulation that came into effect on 25th of May, 2018 and requires businesses to actively protect the personal data and privacy of EU citizens. GDPR aims to place high levels of control in the hands of citizens concerning the collection, storage and processing of their data or personal information.
GDPR effectively sets out principles and guidelines that align data management practices with rights of individuals in the digital age. Non-conformance or breaching GDPR can lead to companies being fined heavily.
While it is legislation within the EU protecting citizens within this area, if your company operates outside the EU but has customers within the EU, GDPR applies to you.
Ensure no PII is recorded
Personally Identifiable Information (PII) is any piece of data that can be used to reveal the identity of an individual. Data pieces that can be considered PII are phone numbers, IP Addresses, usernames, email IDs etc.
Under GDPR your organisation needs to ensure no PII is being recorded, stored or transmitted. Simply filtering out PII through analytics does not translate to GDPR compliance. Your organisation needs to ensure that at the root level no PII data is being transmitted to analytics. A simple start to this would be to thoroughly audit all the data you store and ensure PII is not being transmitted.
Talk to your development team and ensure your URLs, Page Titles and other data dimensions are not a source of PII transmission. For example, check whether your page URL contains a parameter such as “firstname.lastname@example.org”. This string usually implies a PII leak to other marketing and tracking technologies on your website.
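One way to enforce the URL and page-title check described above at the point where a pageview is built, as an added example that is not part of the original article. It redacts email-shaped values in the path, query string and title, plus any query parameter whose name suggests identity data; the key list, the `REDACTED` marker and the sample URL are assumptions for illustration.

```javascript
// Added example: scrub PII from a pageview's URL and title before any
// analytics or marketing tag sees them. Key list and marker are assumptions.
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const SENSITIVE_KEYS = new Set(['email', 'username', 'phone', 'firstname', 'lastname']);
const MARK = 'REDACTED';

// Decode percent-escapes so "%40" cannot hide an "@"; keep raw text if malformed.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Replace every email-shaped substring and record where it was seen.
function redactEmails(text, where, findings) {
  return text.replace(EMAIL, () => { findings.push(where); return MARK; });
}

function scrubPageview(rawUrl, title) {
  const findings = [];
  const url = new URL(rawUrl);

  // Path: catches leaks such as /unsubscribe/jane%40example.com.
  url.pathname = url.pathname.split('/').map(seg => {
    const before = findings.length;
    const out = redactEmails(safeDecode(seg), 'path', findings);
    return findings.length > before ? encodeURIComponent(out) : seg;
  }).join('/');

  // Query: redact by parameter name first, then by value pattern.
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      findings.push('query:' + key);
      clean.append(key, MARK);
    } else {
      clean.append(key, redactEmails(value, 'query:' + key, findings));
    }
  }
  url.search = clean.toString();
  url.hash = ''; // assumption: fragments are not needed in pageview reports

  const safeTitle = redactEmails(title, 'title', findings);
  return { url: url.toString(), title: safeTitle, findings };
}

// Constructed sample input, not taken from a real site.
const SAMPLE_URL = 'https://shop.example/unsubscribe/jane%40example.com' +
  '?email=firstname.lastname@example.org&ref=mail&note=ask+bob@example.net#top';
const sample = scrubPageview(SAMPLE_URL, 'Welcome back jane@example.com');
console.log(sample.url, sample.findings);
```

A non-empty `findings` list is also a useful audit signal: it names the page component that leaked, so the development team can fix the source rather than rely on redaction.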
Additionally, if you have enabled any Google Analytics features you are now required to notify users by disclosing the following information:
Explicit Consent For User-ID Tracking
If your organisation utilises the User-ID feature of Google Analytics, you now need to acquire explicit consent from your users that you are going to track their activities across devices. As per GDPR, the data should be stored only after the consent has been provided by the user.
A more ethical way to approach this would be to manage your tracking through a tag manager. This allows you to set user IDs only when the visitor has given consent for identification.
Use Data Retention Controls (Google Tool 1)
To guide companies in achieving compliance under GDPR, Google released a set of tools to help. The User Data Retention Controls is the first tool being covered here. This tool allows you to set the time limit before user-level and event-level data stored by analytics is automatically deleted from the server. This time limit applies to user-level and event-level data associated with cookies, user identifiers and ad identifiers (Doubleclick cookies, Ad ID etc.).
However, the standard aggregated Analytics reporting remains unaffected. The data managed by this setting is required only when advanced features such as custom segments in reports or unusual custom reports are being developed.
The ideal method here would be to modify the setting in a way that reflects your own data retention policy to ensure best practice alignment. The default period is set by GA at 26 months, because standard cookies have an expiration time of 24 months or lower. Unless you are dependent on granular data retention or have cookies set for over 26 months as an expiration period, adjustments do not have to be made.
You also need to signal to GA that you have acknowledged the changes. This can be done through the following steps:
Admin –> Property –> Tracking Information –> Data Retention –> Save
User Deletion Tool (Google Tool 2)
Another crucial step to be taken is switching on IP Anonymisation in GA, as under GDPR IP addresses are considered PII. Although IP addresses (by default) are not exposed in the reporting process, Google does use them to provide geo-location data, which in turn can breach GDPR. To stay compliant and avoid a breach, it is recommended to turn this feature on in GA, which requires a simple code change to execute.
This can be done with Google Tag Manager by adjusting your tag or Google Analytics settings variable. The steps are as follows:
More settings –> Fields to set –> Add new field (Name it “anonymizeIp” with a value of “true”)
Note that if you do not use tag manager, your tag management system may have this setting exposed as an option and you may have to edit the code directly.
If executed correctly, Google will anonymize the IP addresses as soon as technically feasible by eliminating a digit set from the IP (the last portion is replaced with a ‘0’). This will enable the anonymization before storage and processing begin, ensuring that the full IP address is never written to the disk. The impact of this step on your reporting is that geographic location accuracy is slightly reduced.
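The two settings described above, User-ID only after explicit consent and `anonymizeIp` on every hit, expressed as analytics.js commands in an added example (not code from the original article or from Google). The consent object shape, the `planGaCommands` and `applyPlan` names, the sample ID and the `UA-XXXXX-Y` placeholder are assumptions.

```javascript
// Added example: plan the analytics.js commands for one pageview so that
// anonymizeIp is always set and userId is set only after explicit consent.
// The consent object shape is a hypothetical stand-in for your consent banner.
const LOOKS_LIKE_EMAIL = /@/;

function planGaCommands(propertyId, consent, userId) {
  const commands = [
    ['create', propertyId, 'auto'],
    ['set', 'anonymizeIp', true], // must precede the first 'send'
  ];
  // Only a literal true counts; strings like "false" or missing keys do not.
  const mayIdentify = Boolean(consent) && consent.identification === true;
  let userIdStatus;
  if (!mayIdentify) {
    userIdStatus = 'omitted: no consent';
  } else if (!userId) {
    userIdStatus = 'omitted: visitor not logged in';
  } else if (LOOKS_LIKE_EMAIL.test(String(userId))) {
    // A User-ID must be an opaque identifier, never PII such as an email.
    userIdStatus = 'omitted: id looks like PII';
  } else {
    commands.push(['set', 'userId', String(userId)]);
    userIdStatus = 'set';
  }
  commands.push(['send', 'pageview']);
  return { commands, userIdStatus };
}

// Replay the plan against the real ga() queue or, as here, a recording stub.
function applyPlan(ga, plan) {
  plan.commands.forEach(args => ga(...args));
}

// Constructed consent record and user ID for illustration.
const plan = planGaCommands('UA-XXXXX-Y', { identification: true }, 'u-8841');
const sent = [];
applyPlan((...args) => sent.push(args), plan);
console.log(plan.userIdStatus, sent);
```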