What is GDPR and how will it affect New Zealand Businesses?

On the 25th of May 2018, a new data privacy regulation called the General Data Protection Regulation (GDPR) will go into effect in the European Union (EU).

These days we generate massive amounts of digital information each day, with websites, phones and smart devices all collecting data that can identify us as individual users. The majority of people have no idea this is even happening; meanwhile, companies like Google and Facebook are collecting an incredible amount of information.

Table of Contents:

What is GDPR?

How will GDPR affect New Zealand businesses?

How to become GDPR Compliant with Google Analytics

What are the new Data Retention Controls in Google Analytics?

Summary

What is GDPR?

The key objective of GDPR is to protect EU citizens from privacy and data breaches and to consolidate privacy regulations across the European Union. While mainly focused on those in the EU, GDPR requirements stretch out to any website accessed by those in the European Economic Area (EEA), including Iceland, Liechtenstein and Norway.

GDPR requires that users have given consent for all data a company collects, and that users have the right to opt out and be removed from tracking. Companies need to be more transparent and show where the data they are collecting is going, how it will be protected, how long it will be stored for and what it will be used for.

Companies that do not comply with the new law will be fined a substantial amount: up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

How will GDPR Affect New Zealand Businesses?

While this regulation isn’t being directly enforced in New Zealand, any business that handles personal data relating to EU citizens will have to comply with the changes. Even if you don’t have a physical presence in the EU, as long as you provide goods and services to EU citizens, you are affected by these changes.

If you have a website in the EU and are advertising within the EU, then having a website that complies with GDPR should be a top priority. With enhanced personal data restrictions and personal data now including a customer’s IP address, cookie identifiers and GPS locations, advertising campaigns from Google Ads, Facebook Ads, and other forms of PPC marketing are all affected.

Interpretations of GDPR vary, so it is advised to seek legal counsel to ensure that your organisation conforms to the new regulations.

How to Become GDPR Compliant with Google Analytics

With new restrictions on personally identifiable information, here are some actionable steps to take to ensure you comply with GDPR.

Whether or not you are confident that you don’t collect personally identifiable information, now is the time to audit your data and Google Analytics account. Please remember that the definition of personal data is expanded and clarified to include IP addresses, cookie identifiers & GPS locations.

1. Audit Data

  • Check your page URLs, page titles & other data dimensions to ensure no personally identifiable information is being collected.
  • Ensure that data users enter into forms, where it is being collected, does not contain personal data.
  • Filtering out data is not enough. For example, filtering data in Google Analytics is not sufficient; it must be addressed at the code level to prevent the data from ever being sent to Google Analytics in the first place.

2. Anonymise IP Addresses

  • The GDPR considers an IP address personally identifiable information. Even though an IP address is never exposed in reporting, Google uses it for geo-location.
  • To be safe, it is recommended to turn on an IP anonymization feature, which can be easily done in Google Tag Manager.

3. Audit Collection of Pseudonymous Data

Pseudonymization is the processing or separation of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information.

Programmes such as Google Analytics may already be using pseudonymous identifiers such as client ID, user ID, transaction ID and hashed/encrypted data such as email addresses, but this should be checked.

4. Update Privacy Policy

Your privacy policy should be updated. It should be written in a clear and concise manner that is easy for the end user to understand. It should address the following concerns –

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

5. Build an ‘opt-in’ or ‘opt-out’ Capability

The question everybody wants answering is whether they really need to get explicit consent for tracking from the user. This does require a significant amount of work and is likely to have a substantial impact on the number of users in your analytics data.

For example, if you are collecting user ID or using pseudonymous identifiers, you’ll need to gain consent from the user. The consent needs to be opt-in, and you need to ask users clearly for their permission before your web analytics programme executes. One approach that has been used is an overlay modal where the page asks for a user’s permission; once it is granted, the page reloads and tracking is implemented.
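Steps 1, 2 and 5 above expressed at code level, as an added example that is not from the original article: the page URL is scrubbed before anything is reported, and no hit is built at all without opt-in consent. The function names, the list of PII parameter names and the sample URLs are assumptions made for illustration; the hit field names follow analytics.js.

```javascript
// Added example. PII_PARAMS, EMAIL_RE, scrubUrl and buildPageview are
// hypothetical names; the parameter list and sample URLs are constructed.
const PII_PARAMS = new Set(['email', 'name', 'phone', 'address']);
// Matches an email address written with a literal "@" or a percent-encoded one.
const EMAIL_RE = /[^\s\/?&=]+(?:@|%40)[^\s\/?&=]+\.[^\s\/?&=]+/gi;

// Step 1: strip personal data from the page URL before it is reported.
function scrubUrl(rawUrl) {
  // The base only lets relative URLs parse; it is never sent anywhere.
  const url = new URL(rawUrl, 'https://example.invalid');
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.has(key.toLowerCase())) continue; // drop known PII keys
    kept.append(key, value.replace(EMAIL_RE, 'REDACTED')); // emails under other keys
  }
  const path = url.pathname.replace(EMAIL_RE, 'REDACTED');
  const query = kept.toString();
  return query ? `${path}?${query}` : path;
}

// Steps 2 and 5: build the hit only after opt-in consent, with IP
// anonymisation requested. Field names follow analytics.js.
function buildPageview(consent, rawUrl) {
  if (consent !== 'granted') return null; // unknown or denied: send nothing
  return { hitType: 'pageview', page: scrubUrl(rawUrl), anonymizeIp: true };
}

// Constructed sample visits.
const samples = [
  ['granted', '/search?q=shoes&email=jane%40example.com&ref=jane@example.com'],
  ['granted', '/account/jane.doe@example.com/orders'],
  [undefined, '/checkout?name=Jane+Doe'],
];
for (const [consent, url] of samples) {
  console.log(consent, '->', JSON.stringify(buildPageview(consent, url)));
}
```

A `null` result means the analytics library is never called for that visitor; how a non-null hit is handed to the site's own tag or Google Tag Manager setup is left to the site.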

What are the new Data Retention Controls in Google Analytics?

Google Analytics, one of the most popular web analytics tools, is committed to maintaining ways to safeguard data. It is important to remember to take advantage of the tools on offer, including customizable cookie settings, data sharing settings, privacy controls, IP anonymization and data deletion on account termination.

Recently Google Analytics added some product updates that will help with becoming compliant with GDPR.

  1. Data Retention Controls – gives users the ability to store data for a certain time, i.e. 26 months. Companies often end up accumulating more data than they need, which increases risk and the company’s liability in the event of a data breach. It is better to minimise the risk by periodically deleting data, or not collecting it in the first place.
  2. User Deletion Tool – this tool will allow you to remove user client IDs or user IDs from your Google Analytics or Google Analytics 360 properties data. When a user opts out of tracking you will use this tool to remove their data. The tool will be available from 25th of May 2018.

Summary

Privacy and data security are important and although GDPR is a complex regulation, for the most part collecting analytics data will be business as usual. If your business has a lot at stake, due to these changes, it is highly advisable to seek professional legal advice to ensure you are compliant.

Please contact us if you need any help with auditing your Google Analytics data and GDPR requirements.