How to work with digital analytics after GDPR


GDPR could be the biggest ever change in digital analytics – it potentially destroys an entire ecosystem of martech and result in massive fines for leading companies who ignore it.

This blog post is for anyone who is working with digital analytics and wants to know how the EU General Data Protection Regulation (GDPR) will affect their job.

First, everyone (should) know the deadline for compliance to GDPR by now: 25th May 2018.

After that date, GDPR prescribes that companies must be in control and stay in control of personal data held by the company.

Everyone seems to first talk about legal compliance to GDPR as the goal – mostly motivated by avoiding the massive fine for non-compliance.

It grabs headlines when the fine is up to 20 million EUR, or if greater, up to 4 % of the total worldwide annual turnover of the preceding financial year.

Certainly, being a public example of data non-compliance would bring harm to your company reputation and the inability to use the collected data.

But GDPR could also be considered a blessing in disguise for any company who wishes to engage on a personal level with their customers, whether creating a single customer view, making data driven decisions or other applications.

The impact on your business from the insights hidden in your data is enormous and is crucial for your business’ competitive advantage.

Once compliance is ensured, you can be more secure in using that data and the insights to drive your business ahead.

A closer look at GDPR legal roadblocks

Hold your breath – legal stuff coming up:

Working with online analytics data you are, in GDPR legal framework, a data controller according to GDPR Art. 4.

Your analytics provider, such as Google or Adobe, are the data processor.

The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller.

The distinction is important: the data controller (and not the data processor) is the principal responsible party for implementing appropriate technical measures and organisational measures for processing the data in a GDPR compliant manner.

In simpler terms: You are accountable.

What things should I be thinking about?

The biggest task is by far the data discovery. Knowing where you keep data and what type of data you hold is the foundation of being able to stay in control.

HR data, CRM data and even the reception area sign-in book are applicable, and has probably already been mapped by your organisation as sources of personal data. It is easy to understand when visitors explicitly register their name that that data is personal data.

However, digital analytics data is not usually first in line when companies start mapping and risk evaluating sources of personal data. The process of mapping the sources has been initiated by a lot of companies already, so its worth checking if that also includes your domain of digital analytics.

Because a web analytics tool such as Google Analytics is only know as “that marketing tool” outside of the department, combined with, often, little organisational knowledge of what is actually tracked, some companies may not be considering it as a source for personal data.

However, if for example you are collecting data from online form fields, collecting IP addresses, user location etc. that data is stored somewhere and may be subject to auditing.

GDPR also requires that users have the right to erasure. The user or website visitor, the “data subject” in GDPR terms, has the right to be forgotten.

This means two things:

1) You should have an area of you site where this can be requested and

2) You should be able erase the data upon request.

The latter is by far the hardest part.

Does Google Analytics and similar tools hold personal data? Well…most likely.

Is it an issue you need to address? Yes.

Personal data in digital analytics tools

Whether your own digital analytics tools hold personal data largely depends on your online setup and your users.

A user could accidentally enter their social security number in a search field on your website, after which you process personal data even without expecting it.

On our own website, IIH Nordic has a blog post regarding Google Maps. As a consequence, several visitors on our website have perhaps mistaken that for the real Google Maps, and have entered in our website search field their own home address. We obviously don’t have a useable search result they can use, but we do now have personal data that needs to be considered.

Can you erase personal data if requested?

We encounter a lot of clients with data silos.

The same user’s data is being stored separately within several of their systems, often in different parts of the organisation: CRM data, invoices in accounting departments and marketing data all may hold data on one individual. This can be even more diverse for bigger organisations which can have different systems for say each country.

Once you receive a request to delete that data, this will involve going from one system to another searching for the person, which could be a long, expensive and tiresome process.

Centralising your data in a DataLake

To help cope with this and for its other benefits, IIH recommends that you store your online data in a centralised place. Whether you call it a Datalake, a data hub or something similar is up to you.

The task of forgetting someone becomes trivial as you only have to search one place.

This also makes the mapping of sources a lot easier (given of course, that you delete the original data that you transferred to the Datalake).

IIH offers a Datalake service built on top of Googles BigQuery. Within that service, we offer a data governance program to keep track of what data you are storing and controls who can access it, and being on the Google Cloud Platform integrates well with other Google services such as Google Analytics, AdWords, YouTube, DoubleClick, DataStudio as well good support for non-Google services, as well as giving access to features such as the Data Loss Prevention API, that can scan and redact your data for you.

Get in touch if you want to know more.

GDPR discovery audit

Processing personal data is not a crime.

The GDPR Art. 6(1) states six different cases where the processing is done lawful.

To help you be secure in your data, IIH offers a GDPR discovery audit which evaluates your online analytics data providing an overview and action plan if you have personal data hidden somewhere, aimed at giving you the control to make your data work for you.

The GDPR discovery audit includes:

I Revision of your privacy policy to ensure you are gaining the correct user consent.

  • Automatic auditing of the data you are collecting
  • A data action plan on how to become GDPR compliant
  • Data filtering to ensure personal data is not captured by accident
  • Legal advice

In summary, we at IIH Nordic think the GDPR presents you a new opportunity to make your data more reliable and work better, with secure informed consent from your users. Being compliant should reassure your users that you are reputable, and using their data to provide better services.

We are passionate about making the most of this new data landscape, and look forward to working with you. What are your thoughts on GDPR? We invite you to contact us for a discussion.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *