GDPR Compliance Risk Assessment of Google Analytics

Some significant changes have come into effect for websites that market goods and services to Europeans.  GDPR (General Data Protection Regulation) is a set of new operating conditions that will protect personal user data for European Union (EU) data subjects. Since websites can be more or less accessed globally, it is essential to conduct a compliance risk assessment to be sure you are in-line with the new rules.

The new rules will affect all internet sites that are used by people within the EU. Violations of the new laws are fairly hefty, weighing in with fines as large as $24.6 million USD or 4% of a company’s total revenue. Many companies that use Google Analytics to analyze customer and user data are going to need to change the way it is used to be in full compliance with the new laws that went into effect on May 25, 2018.


Compliance Risk Assessment Questionnaire

If your company uses Google Analytics and you want to be sure that you comply with GDPR, here is a set of questions that you should ask:

1. Is my privacy policy GDPR compliant?

Have you updated your privacy policy to be in line with the new GDPR rules? Overall GDPR requires your privacy policy to clearly lay out how data is being collected, stored, and used. A large part of GDPR focuses on transparency.

Your privacy policy should clearly cover each of the following: how is user data collected, why data is being collected, who is collecting the data, who will data be shared with, and how will the data be shared? The policy should then delve a bit deeper into the realms of how users will be affected through the use of their data and take a look at why users may not like the way their data is being used.

Including all of these items in a privacy policy should make everything about the data that is gathered from start to finish crystal clear for EU users. The privacy policy should exhaust all possible questions that users may have around the collection and use of their data in order to be fully compliant with GDPR.

2. Do I know what types of personally identifiable information are being stored and transmitted by my website?

GDPR regulates the types of Personally Identifiable Information (PII) that may be kept, used, and transmitted by internet companies. It is a good idea to audit incoming data for PII to be sure that it cannot be shared or transmitted. Collecting PII is against Google Analytics terms of service but running periodic audits will ensure that companies are in full compliance with GDPR.

3. Do I have a full understanding of what is occurring on my user input pages?

There are a few ways that information can be shared without a person necessarily intending to share it. You are going to want to turn off Google Analytics tracking on web pages with user input areas. Otherwise, Google Analytics will be collecting this data. Another way user information can make it into a third party’s hands on an input page is when the web page has advertisements or marketers that have space on a page where users input information. When users put information into these pages, PII can be grabbed by the third-party inclusions on the page.

4. How are usernames and other information stored, is it secure, and do I have access to remove information from the database?

Websites that make use of user ID’s either as usernames or email addresses should already be storing and retrieving this information using alphanumeric database identifiers. Using this type of method keeps user data private while it is being transmitted from the user server to the site server. The same goes for any other user input data transactions that may occur through the site. Data needs to be encrypted and then transmitted.

Keeping data in the cloud can present security issues; you need to be sure that your cloud storage vendor is also in full compliance with GDPR. If they are not, or if they are selling user data without your knowledge that could result in fines.

When auditing user data, you will want to be sure that the alphanumeric database used to transmit information is not reflective of any specific user. You are also going to need to have a way to delete user data upon request. Auditing databases for the transmittance of plain-text user data and for data that has been requested to be deleted will keep you in compliance with GDPR.

It is important to be aware that data transferred outside of the EU-US data range can be compromised. Having something in place like a data security service, to be sure that the EU-US privacy shield is always in place during data transfer is now a necessity. Doing this will save you from having to encrypt your own user data, but it does not ensure 100% security.

5. Have I changed my site to ask for permission to track users IP addresses?

GDPR considers all user data; even IP addresses as PII. The way sites are currently set up, pages with tracking are automatically loaded with a notification that the site uses cookies to collect user data. This practice is not compliant with the new GDPR regulations. The best way to get around this is to automatically load the site without tracking and allow users the option to be tracked before proceeding to use the site. This can be done in a variety of ways; the critical piece is that users have the opportunity to decide if they are willing to be tracked or not. When a user opts in, a new page can be loaded with analytics attached; this ensures explicit consent.

Additional Suggestions on IP Tracking

Google Analytics allows site owners to anonymize IP addresses. Since the GDPR considers IP addresses to be PII, it is a good idea to take advantage of the anonymization option in Google Analytics.

6. How often is my web data cleaned?

Get rid of all the old data that has been hanging around for years. Decide on a reasonable timeline to keep data around after it has been analyzed and get rid of the data that lies outside of that timeline. Doing this will clean up the data infrastructure and allow organizations to easily detect other issues you may be having with data collection and storage.

If you are using a third-party service for data collection and storage, again, check to be sure they are in full compliance with GDPR. Also, be sure that they are wiping old data that is no longer needed from any database.

7. Am I fully aware of what third-party affiliations are doing with data on my website?

Your business will need to be cognizant of the people that interact with their user data. Site owners using other third-party software for different types of analysis should be sure to update agreements and policies with these companies. It is always important to be aware of who is handling user data collected by a site and what is being done with it. Understanding this ensures that the site owner is in complete compliance with GDPR.

8. Is Google Analytics keeping up with GDPR compliance metrics?

Overall Google Analytics is compliant with GDPR, they have stated that they have been working closely with the EU on data protection for years. They claim to be committed to allowing EU citizens the full privacy that the law ensures them. They have updated policies with companies using AdWords and other Google marketing tools. They are also expanding their privacy practices and looking to build out further audits of data put into the system to meet GDPR standards. It is a good idea, however, for site owners to take the necessary precautions to be sure that they are in full compliance with GDPR.


Carefully going through the questionnaire and taking the above precautions will ensure that you comply with GDPR while using Google Analytics. While Google takes the time to spot check and deliver on new data protection systems, you will need to update privacy policies to be sure everything is clearly spelled out for users concerning their data from the moment of input to the end. All site owners should conduct audits of data input, usage, and storage. Also, IP addresses should be anonymized on Google Analytics, and site owners need to be aware of agreements made with the people or companies that handle user data.

If you are not 100% sure that your website is in compliance after running this compliance risk assessment, you may want to reach out to a professional for a quick consultation to be sure your data is secure and practices are in compliance. The fines are significant, don’t risk your livelihood on something that can easily be changed. To be sure that your customer’s input and data is as secure as possible, think about using an internet security service. GDPR is all about protecting consumers from the unauthorized sharing of customer data, be sure that you are in a position to make sure that happens.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.