Introduction to GDPR & Analytics

The new GDPR (General Data Protection Regulations) come into force across the European Union in May 2018. This will effect virtually every person trading who stores, uses, transmits and manages data, yes this includes Google Analytics!

Most people are versed on the usual Data Protection Act and Cookie Policy guidelines that have been floating around the internet for a few years now, but this is about to change. From May this year the new GDPR guidelines are enforced which will lay out a new wave of rules and regulations on the storing, managing and use of data considered personally identifiable.

We are by no means legal experts so please only take this blog as an interesting read, or as a jolt to actually check GDPR out officially. This is simply based on our own research on how GDPR will impact the way our websites will collect and manage data. We will always advise any trader to seek professional legal advise in regards to GDPR, this blog post is not that!

For most, considering GDPR has been a minefield of complicated terms, sections and terminology but the general principle has been accepted and understood however services such as Google Analytics or similar statistic software is often overlooked, forgotten or ignored when it shouldn’t be.

Imagine receiving a disclosure request (right of access) and the requesting customer asks for full disclosure on any web analytics that you hold on them. How would you respond? is any data personally identifiable? does the cookie policy stand up? and how does the right of rectification or right of erasure stand up? This may seem a bit far fetched but it has to be considered.

What is Personal Information in GDPR

Personal data within the GDPR goes a step further as related snippets of data that can be combined to produce personal data will now be treated exactly the same as personal data. This even stands true if you do not know the name of a person as identifiers can be treated as personal (e.g. IP address, UserID, Usernames, Emails). For example you may store a userid, postcode and IP address in a database, this is now considered personally identifiable and should be treated accordingly.

Data Compliance with Google Analytics

Google makes its data storing intentions quite clear from the outset, as it stands its currently against Googles terms to pass or store any personal data inside Google Analytics. If you are ever caught doing so you face your account being stopped and deleted without notice.

Examples of this would include personal information in a URL such as a username, email etc, any data passed through the URL’s such as names, address info (even just a postcode), phone numbers etc. In order to comply with this most users have adjusted their systems to take this into effect, but for some this still hasn’t gone far enough to satisfy the GDPR.

For the majority of our customers the long URL’s

A full lock down approach should be taken to ensure that the Google Analytics accounts are locked down, it’s always worth checking the people who have access and ensure they are current, correct and that all users are trained, or at least having suitable GDPR knowledge to ensure they remain compliant. We generally advise this is kept to a single contact at your business followed by a single contact with any agency or developer who helps manage your site (such as ourselves).

Where do we go from here?

Obviously this effects much more than just your Analytics software and great care and consideration is needed for any services you offer or carry out on your website. From collecting emails for marketing, newsletters etc to tracking users with cookies and analytics. We always recommend a specialist company to carry out a full audit and provide recommendations which we can then help to implement for you.


Pin It on Pinterest