What’s the problem?
GDPR (effective 25 May 2018) applies to any data controller and/or processor who will
- process personal data of data subjects (individuals) who are in the EU because of goods or services offered to them, or
- “monitor” the behaviour of data subjects within the EU.
So, if you meet either of those criteria you will be responsible for complying with GDPR and, crucially, must be able to prove that you do so.
Surely Google Analytics is about pseudonymous data not personal data?
GDPR broadens the definition of “personal data”: if a natural person could be identified “directly or indirectly” using “all means reasonably likely to be used”, then the information is personal data. This means that personal data can include pseudonymous data, online identifiers and cookies because, as GDPR explicitly tells us, they can be combined “with unique identifiers and other information received by the servers” and used to create “profiles of the natural persons and identify them”.
Data to and from Google
Consider what data you are allowing Google Analytics to access. Although you shouldn’t (it’s a breach of your agreement with Google), are you, for example, collecting users’ names in page URLs (such as https://www.ABC.org/user/jsmit... where the user name J Smith forms part of the URL), or collecting email addresses as part of the log-in process?
What about the data you access from Google? You may argue, for example, that you don’t access IP addresses from Google Analytics (this is possible but not advisable because it breaches your agreement with Google), but if you download any report or export, it could still pose a problem. You need to ask yourself: can I identify any individual from all the data I hold? Remember, it’s not just about the data in one report; it’s whether, if you were to combine all the data you hold (including data from Google Analytics) “using reasonable means”, you could identify an individual.
So the data which forms part of your Google Analytics account could be personal data and, therefore, subject to GDPR. It depends on how Google Analytics is set up for your website. Member-specific page visits, for example, will need to be addressed as a risk area under GDPR.
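As an added example (not code from the original post, and not Google’s own library code), here is a browser-side check that redacts member names and email addresses from the page path before it is reported to Google Analytics, so that the “/user/jsmith” style of URL described above never reaches Google. It assumes a hypothetical site layout in which member pages live under /user/, /member/ or /profile/, and that identifiers may appear in query parameters such as email or username; the gtag call is only made if gtag.js is already loaded on the page.

```javascript
// Added example, not code from the original post or from Google.
// Strips personally identifiable information (member names in URL paths,
// e-mail addresses in paths or query strings) from a page location before
// it is reported to Google Analytics as a pageview.
// Assumed site layout (not stated on the page): member pages live under
// /user/<name>, /member/<name> or /profile/<name>, and query parameters
// such as email=... or username=... may carry identifiers.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const IDENTIFYING_SEGMENTS = ['user', 'member', 'profile'];      // hypothetical
const SENSITIVE_QUERY_KEYS = ['email', 'name', 'username', 'uid']; // hypothetical
const REDACTED = 'REDACTED';

// Decode a URL component without throwing on malformed percent-encoding.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Redact the segment that follows /user, /member or /profile, and any
// segment that, once decoded, looks like an e-mail address.
function redactPath(pathname) {
  const segs = pathname.split('/');
  for (let i = 0; i < segs.length; i++) {
    const decoded = safeDecode(segs[i]);
    const prev = i > 0 ? safeDecode(segs[i - 1]).toLowerCase() : '';
    if (EMAIL_RE.test(decoded) ||
        (IDENTIFYING_SEGMENTS.includes(prev) && decoded !== '')) {
      segs[i] = REDACTED;
    }
  }
  return segs.join('/');
}

// Redact query parameters either because the key is known to carry an
// identifier or because the (decoded) value is an e-mail address.
function redactQuery(search) {
  const params = new URLSearchParams(search);
  for (const key of Array.from(params.keys())) {
    const value = params.get(key) || '';
    if (SENSITIVE_QUERY_KEYS.includes(key.toLowerCase()) || EMAIL_RE.test(value)) {
      params.set(key, REDACTED);
    }
  }
  const out = params.toString();
  return out ? '?' + out : '';
}

// Build the page path to report: redacted path plus redacted query string.
// The fragment (#...) is dropped entirely.
function sanitizePagePath(urlString) {
  const url = new URL(urlString);
  return redactPath(url.pathname) + redactQuery(url.search);
}

// Report the pageview through gtag.js if it is loaded; returns the path
// that was (or would have been) sent, so the caller can log or test it.
function sendPageview(urlString) {
  const pagePath = sanitizePagePath(urlString);
  if (typeof gtag === 'function') {
    gtag('event', 'page_view', { page_path: pagePath });
  }
  return pagePath;
}

// Usage in the page: sendPageview(window.location.href);
```

Call sendPageview instead of letting the tag auto-report the raw location. This addresses the URL case only; IP addresses are handled by a separate Google Analytics setting (for analytics.js, ga('set', 'anonymizeIp', true)), and neither measure removes your obligation to identify a lawful basis for whatever personal data still reaches Google.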
Remember that you need a lawful basis for processing any personal data, so consider whether you are relying on the consent of the individual to process their data (most businesses do). If so, the GDPR requirements for valid consent are much stricter, so even if your consent mechanism meets current requirements it may not be GDPR compliant. Time to check your terms and conditions.
GDPR will apply to Google too, and we know that the company is “working hard” to prepare for it. For example, website users have the option to “install the Google Analytics opt-out browser add-on”.
Whilst there are likely to be more changes before May 2018, at the moment we know from Google Analytics’ user terms that you give Google permission to collect data from your website visitors and are “solely responsible” for your use of Google Analytics and for
- not passing any “personally identifiable information” to Google
- making sure that no “personally identifiable information” is collected
So if you breach your agreement with Google you will be liable to Google, and that is likely to remain the case after May 2018. However, irrespective of your relationship with Google, by processing personal data (through Google Analytics or otherwise) you will have to comply with GDPR and be able to prove that you do so.
In our next blog we’ll look at some of the steps you need to take to ensure that you can use Google Analytics and still be GDPR compliant.