Some significant changes have come into effect for websites that market goods and services to Europeans. GDPR (General Data Protection Regulation) is a set of new operating conditions that protects the personal data of European Union (EU) data subjects. Since a website can be accessed from anywhere in the world, it is essential to conduct a compliance risk assessment to be sure you are in line with the new rules.
The new rules affect every internet site that is used by people within the EU. Penalties for violations are hefty, with fines as large as $24.6 million USD or 4% of a company’s total revenue. Many companies that use Google Analytics to analyze customer and user data will need to change the way they use it to be in full compliance with the new laws, which went into effect on May 25, 2018.
Compliance Risk Assessment Questionnaire
If your company uses Google Analytics and you want to be sure that you comply with GDPR, here is a set of questions that you should ask:
2. Do I know what types of personally identifiable information are being stored and transmitted by my website?
GDPR regulates the types of Personally Identifiable Information (PII) that internet companies may keep, use, and transmit. It is a good idea to audit incoming data for PII to be sure that it is not shared or transmitted. Collecting PII is already against the Google Analytics terms of service, but running periodic audits will ensure that your company stays in full compliance with GDPR.
3. Do I have a full understanding of what is occurring on my user input pages?
There are a few ways that information can be shared without a person necessarily intending to share it. You will want to turn off Google Analytics tracking on web pages with user input areas; otherwise, Google Analytics will collect this data. Another way user information can make it into a third party’s hands on an input page is when advertisers or marketers have space on the same page where users enter information. When users put information into these pages, PII can be grabbed by the third-party inclusions on the page.
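The two checks described in the last two questions, written out as an added example (this is not code from the original article, and the key list PII_QUERY_KEYS and the function names are our own assumptions): scrub e-mail addresses and phone numbers out of the URL that Google Analytics records as the "page", and skip the pageview entirely on pages that contain user-input fields.

```javascript
// Added example (not code from the original article). Two defensive checks:
// scrub PII out of the URL that Google Analytics records as the "page", and
// skip the pageview entirely on pages with user-input fields.
// PII_QUERY_KEYS and the function names are our own assumptions.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;
// Query-string keys that commonly carry identity on real sites (assumed list; extend it).
const PII_QUERY_KEYS = new Set(['email', 'name', 'phone', 'user', 'uid', 'token']);

// True if a string looks like it carries an e-mail address or a phone number.
function looksLikePii(value) {
  return EMAIL_RE.test(value) || PHONE_RE.test(value);
}

// Replaces PII-bearing query parameters with the literal "redacted" and returns the
// path+query that is safe to hand to analytics, plus the list of keys that were scrubbed.
function scrubLocation(href) {
  const url = new URL(href);
  const redacted = [];
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (PII_QUERY_KEYS.has(key.toLowerCase()) || looksLikePii(value)) {
      url.searchParams.set(key, 'redacted');
      redacted.push(key);
    }
  }
  // Google Analytics' page dimension is path + query; the hostname is sent separately.
  return { path: url.pathname + url.search, redacted };
}

// Decides whether a page may send a pageview. `pageHasInputs` is what the caller learned
// from the DOM, e.g. document.querySelector('input, textarea, select') !== null.
function buildPageview(href, pageHasInputs) {
  if (pageHasInputs) {
    return { send: false, reason: 'user-input page: tracking disabled' };
  }
  const { path, redacted } = scrubLocation(href);
  return { send: true, page: path, redacted };
}

// Browser wiring for analytics.js. The `ga` command queue is passed in so the logic can
// be exercised outside a browser; in a page it is simply the global `ga`.
function trackPage(ga, href, pageHasInputs) {
  const decision = buildPageview(href, pageHasInputs);
  if (decision.send) {
    ga('set', 'page', decision.page);
    ga('send', 'pageview');
  }
  return decision;
}
```

In a page you would call `trackPage(window.ga, location.href, document.querySelector('input, textarea, select') !== null)` instead of the usual `ga('send', 'pageview')`. The redacted key list returned by each call is worth logging during an audit, because it tells you which pages are leaking identity into URLs in the first place.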
4. How are usernames and other information stored, is it secure, and do I have access to remove information from the database?
Websites that make use of user IDs, whether as usernames or email addresses, should already be storing and retrieving this information using alphanumeric database identifiers. Using identifiers of this kind keeps user data private while it is in transit between the user and the site’s server. The same goes for any other user input data transactions that may occur through the site. Data needs to be encrypted before it is transmitted.
Keeping data in the cloud can present security issues; you need to be sure that your cloud storage vendor is also in full compliance with GDPR. If they are not, or if they are selling user data without your knowledge, that could result in fines.
When auditing user data, you will want to be sure that the alphanumeric identifiers used to transmit information do not reveal any specific user. You are also going to need a way to delete user data upon request. Auditing databases for the transmission of plain-text user data and for data that has been requested to be deleted will keep you in compliance with GDPR.
It is important to be aware that data transferred outside the EU-US region can be compromised. Having something in place, such as a data security service, to be sure that the EU-US Privacy Shield is always applied during data transfer is now a necessity. Doing this will save you from having to encrypt your own user data, but it does not ensure 100% security.
5. Have I changed my site to ask for permission to track users’ IP addresses?
Additional Suggestions on IP Tracking
Google Analytics allows site owners to anonymize IP addresses. Since the GDPR considers IP addresses to be PII, it is a good idea to take advantage of the anonymization option in Google Analytics.
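Added example (not from the article): the tracker settings that switch on Google's IP anonymization for analytics.js and gtag.js, followed by a local implementation of the same truncation rule, which Google documents as zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, so you can apply the same rule to your own server logs. The `ga` queue is passed in as a parameter so the wiring can be exercised outside a browser, the tracking ID is a placeholder, and IPv4-embedded IPv6 forms are not handled.

```javascript
// Added example, not from the article. Part 1: tracker settings that enable Google's
// IP anonymization. Part 2: the same truncation rule (IPv4: last octet zeroed; IPv6:
// last 80 bits zeroed) implemented locally for your own logs.

// analytics.js: `ga` is passed in so this runs outside a browser; in a page it is the global.
function enableAnonymizeIp(ga, trackingId) {
  ga('create', trackingId, 'auto'); // trackingId is a placeholder such as 'UA-XXXXXXX-Y'
  ga('set', 'anonymizeIp', true);   // must be set before any 'send'
  ga('send', 'pageview');
}
// gtag.js equivalent: gtag('config', MEASUREMENT_ID, { anonymize_ip: true });

function anonymizeIpv4(addr) {
  const parts = addr.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error('not an IPv4 address: ' + addr);
  parts[3] = '0';
  return parts.join('.');
}

// Expands "::" and returns eight groups with leading zeros stripped ("0db8" -> "db8").
function expandIpv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error('not an IPv6 address: ' + addr);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('not an IPv6 address: ' + addr);
  }
  return [...head, ...Array(missing).fill('0'), ...tail].map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error('not an IPv6 address: ' + addr);
    return g.toLowerCase().replace(/^0+(?=.)/, '');
  });
}

// Keep the first 48 bits (three 16-bit groups); everything after is zero, written as "::".
function anonymizeIpv6(addr) {
  const kept = expandIpv6(addr).slice(0, 3);
  while (kept.length && kept[kept.length - 1] === '0') kept.pop();
  return kept.join(':') + '::';
}

function anonymizeIp(addr) {
  return addr.includes(':') ? anonymizeIpv6(addr) : anonymizeIpv4(addr);
}
```

Google applies its truncation before the address is stored, so nothing in your Analytics reports lets you verify it; the local function is for the other places an address lands (web server and load balancer logs), where you can run it before the line is written and check the result with the same rule.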
6. How often is my web data cleaned?
Get rid of all the old data that has been hanging around for years. Decide on a reasonable period to keep data after it has been analyzed, and get rid of the data that lies outside that period. Doing this will clean up the data infrastructure and make it easier to detect other issues you may be having with data collection and storage.
If you are using a third-party service for data collection and storage, again, check to be sure they are in full compliance with GDPR. Also, be sure that they are wiping old data that is no longer needed from any database.
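An added example of the retention clean-up just described (not the article's code; the record layout, the dataset names and the retention periods in SAMPLE_POLICY are constructed for illustration): each dataset gets a retention period in days, records older than the cut-off are purged, and records whose timestamp cannot be parsed are set aside for review rather than silently kept or deleted. A dataset with no policy is reported as an error, which is exactly the "data hanging around for years" case the question is about.

```javascript
// Added example, not from the article. Applies per-dataset retention periods and
// reports what was kept, what was purged and what could not be classified.
// Record shape ({ id, collectedAt }), dataset names and policy values are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data: three session records and a dataset nobody wrote a policy for.
const SAMPLE_DATASETS = {
  sessions: [
    { id: 's1', collectedAt: '2016-01-01T10:00:00Z' },
    { id: 's2', collectedAt: '2018-05-01T10:00:00Z' },
    { id: 's3', collectedAt: 'n/a' },
  ],
  orphans: [{ id: 'o1', collectedAt: '2015-03-03T00:00:00Z' }],
};

// Constructed example policy: retention in days per dataset.
const SAMPLE_POLICY = { sessions: 400 };

// Returns, per dataset, the records to keep, the ids to purge, and the ids that need a
// human look because their timestamp is unusable. `now` is injectable for testing.
function applyRetention(datasets, policy, now = Date.now()) {
  const report = {};
  for (const [name, records] of Object.entries(datasets)) {
    const days = policy[name];
    if (days === undefined) {
      report[name] = { error: 'no retention policy defined' };
      continue;
    }
    const cutoff = now - days * DAY_MS;
    const kept = [];
    const purged = [];
    const unclassified = [];
    for (const record of records) {
      const ts = Date.parse(record.collectedAt);
      if (Number.isNaN(ts)) {
        unclassified.push(record.id);   // never guess: hold for review
      } else if (ts < cutoff) {
        purged.push(record.id);
      } else {
        kept.push(record);
      }
    }
    report[name] = { kept, purged, unclassified };
  }
  return report;
}
```

In practice the `purged` ids are handed to the delete step and `kept` is written back; the `unclassified` list and any dataset reported with `error` are the findings of the audit, because both mean data is sitting in the system with no defined lifetime.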
7. Am I fully aware of what third-party affiliations are doing with data on my website?
Your business will need to be cognizant of the people that interact with its user data. Site owners using other third-party software for different types of analysis should be sure to update agreements and policies with these companies. It is always important to be aware of who is handling user data collected by a site and what is being done with it. Understanding this ensures that the site owner is in complete compliance with GDPR.
8. Is Google Analytics keeping up with GDPR compliance metrics?
Overall, Google Analytics is compliant with GDPR; Google has stated that it has been working closely with the EU on data protection for years. Google claims to be committed to giving EU citizens the full privacy that the law ensures them. It has updated its policies with companies using AdWords and other Google marketing tools, and it is also expanding its privacy practices and looking to build out further audits of data put into the system to meet GDPR standards. It is a good idea, however, for site owners to take the necessary precautions to be sure that they are in full compliance with GDPR.
Carefully going through the questionnaire and taking the above precautions will ensure that you comply with GDPR while using Google Analytics. While Google takes the time to spot check and deliver on new data protection systems, you will need to update privacy policies to be sure everything is clearly spelled out for users concerning their data from the moment of input to the end. All site owners should conduct audits of data input, usage, and storage. Also, IP addresses should be anonymized on Google Analytics, and site owners need to be aware of agreements made with the people or companies that handle user data.
If you are not 100% sure that your website is in compliance after running this compliance risk assessment, you may want to reach out to a professional for a quick consultation to be sure your data is secure and your practices are in compliance. The fines are significant; don’t risk your livelihood on something that can easily be changed. To be sure that your customers’ input and data are as secure as possible, think about using an internet security service. GDPR is all about protecting consumers from the unauthorized sharing of customer data; be sure that you are in a position to make that happen.