We know from our previous blog that using Google Analytics can potentially conflict with your GDPR obligations. So, if you rely on Google Analytics for your web visitor analysis, it’s time to make sure that, once GDPR becomes effective (25th of May 2018), your use of the tool will comply with it. After all, GDPR demands that all data controllers and data processors handling personal data comply with the regulation and can prove that they do so. Google is rapidly rewriting all its terms and policies, and you can be certain that much of the responsibility will be left with you.
What should you do?
(1) Examine and cleanse your existing data
Many organisations have developed a habit of grabbing and retaining data, including downloading data from Google Analytics. Under GDPR, pseudonymised data is still personal data if an individual can be identified from it (whether from that data alone or when it is combined with other data you hold); only data that is genuinely anonymised, so that nobody can be re-identified, falls outside the definition. That means your Google Analytics data could be defined as personal data. It all depends on how you use it in combination with the information from your web site.
On that basis undertake a data ‘spring clean’ (you need to do this well before Spring) of all your data by examining:
- what data you currently hold,
- what data you are continuing to collect,
- why and how you are using that data,
- what you need and should retain, and
- how you use Google Analytics and what personal data could or does form part of that use. Ecommerce data and membership sites are very likely to contain personal data.
If you can’t justify why you have or need the data then it’s time for a data cleanse. Remember that under GDPR, if you no longer use or require data you should delete it, or at least ensure that it is completely incapable of identifying an individual. Given everything else you hold that could be combined with it, that may be more difficult and take longer than you first anticipate.
(2) Check how you are using and sharing Google Analytics data
Once you’ve completed your data cleanse you need to set parameters for how you are going to use Google Analytics in the future.
This will mean looking at what data you will capture and taking care that you don’t breach your obligations under your agreement with Google. Remember that you have agreed that no “personally identifiable information” will be passed to Google or collected by you through the tool. In practice the most common way this is breached is a page URL or query string that carries an e-mail address, a name or a customer reference, which Google Analytics records as part of the page path, so check what your pages put in the URL before it reaches Google.
Part of this will also include thinking about who will have access to your Google Analytics account so that you can be careful about not capturing personal data and how you can monitor use and GDPR compliance.
As an aside, where agencies are involved, it’s common for the ownership of a Google Analytics account to become blurred, so make sure that this (and responsibility for it) is clarified. Similarly, you might have granted admin or read-only access to freelancers and others over time. Review all the permissions and remove those no longer needed immediately.
(3) Data transfer compliance
If you continue to use Google Analytics you’ll also need to check Google’s GDPR compliance on transferring data outside the EU, to confirm which of the approved transfer mechanisms it relies on. Currently Google relies on the EU-US Privacy Shield; this may change, and it’s your responsibility to be aware of it. A simple checklist showing that you have considered these types of issues will help provide evidence of your own compliance. This means reviewing Google’s rapidly changing legal policies and agreements on a regular basis, making any required changes and recording that you have done so.
(4) Data subject rights
Don’t forget that you will also need to:
- Enable visitors to opt-out as easily as they opt in, and at any time they choose.
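The two technical points above, keeping personal data out of what Google receives (section 2) and giving visitors an opt-out (section 4), can both be enforced in the page that loads the tracker. The following is an added example written for this post, not code from the original article or from Google: it scrubs e-mail addresses and personal-data query parameters out of the page path before a pageview is sent, and records an opt-out using the analytics.js `ga-disable-<PROPERTY_ID>` flag together with a cookie so the choice survives later visits. The property ID `UA-12345-6`, the list of query parameters treated as personal data and the cookie lifetime are hypothetical placeholders to adapt to your own site.

```javascript
// Added example (not from the original post). Assumes analytics.js and a
// hypothetical property ID; adapt GA_PROPERTY_ID and PII_QUERY_PARAMS.
const GA_PROPERTY_ID = 'UA-12345-6';              // hypothetical placeholder
const OPT_OUT_KEY = 'ga-disable-' + GA_PROPERTY_ID; // flag analytics.js honours
const ONE_YEAR = 365 * 24 * 60 * 60;               // cookie max-age in seconds

// Query parameters that carry personal data on this (hypothetical) site.
const PII_QUERY_PARAMS = new Set(['email', 'name', 'phone', 'user', 'token']);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Return the path+query to report for `url`, with personal-data parameters
// and any e-mail address replaced by REDACTED. Accepts absolute or relative URLs.
function scrubPagePath(url) {
  const u = new URL(url, 'https://placeholder.invalid'); // base only for relative input
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_QUERY_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  const path = u.pathname.replace(new RegExp(EMAIL_RE.source, 'g'), 'REDACTED');
  return path + u.search;
}

// True when a document.cookie string records an opt-out for this property.
function readOptOut(cookieString) {
  return cookieString.split(';')
    .map(c => c.trim())
    .some(c => c === OPT_OUT_KEY + '=true');
}

// Record the visitor's choice: set the analytics.js disable flag for this page
// load and persist it in a cookie. `root` (window) and `doc` (document) are
// passed in so the function can be exercised outside a browser.
function setOptOut(root, doc, optedOut) {
  root[OPT_OUT_KEY] = optedOut;
  const maxAge = optedOut ? ONE_YEAR : 0;          // max-age=0 deletes the cookie
  doc.cookie = OPT_OUT_KEY + '=' + optedOut + '; path=/; max-age=' + maxAge + '; SameSite=Lax';
  return root[OPT_OUT_KEY];
}

// Send a pageview for `url` unless the visitor has opted out (or the tracker
// is not loaded). Returns the path reported to Google, or null if nothing was sent.
function sendPageview(root, url) {
  if (root[OPT_OUT_KEY] === true || typeof root.ga !== 'function') return null;
  const page = scrubPagePath(url);
  root.ga('set', 'page', page);
  root.ga('send', 'pageview');
  return page;
}

// Browser wiring: the disable flag must be set before the tracking snippet
// runs, so restore a stored opt-out first, then report the scrubbed pageview
// in place of the snippet's default ga('send', 'pageview').
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window[OPT_OUT_KEY] = readOptOut(document.cookie);
  sendPageview(window, window.location.href);
}
```

Wire `setOptOut(window, document, true)` to the same control that lets visitors opt in, so opting out is no harder than opting in. Scrubbing covers only what this page sends in the path; anything you pass yourself as custom dimensions, events or User-ID values needs the same review.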
Are you using client-specific pages on your web site, in a membership or secure area? If you are, then you will find our next blog useful, as we will be tackling Google Analytics and Client Specific Pages.