Are you ready for the European General Data Protection Regulation (GDPR)?
Whether your answer is a confident “Yes” or an anxious “No”, there’s no putting off May 25, 2018 – D-Day for enforcement of the GDPR.
Still unsure whether the GDPR applies to you? The answer is most likely “yes”:
If you deal with personal data from users in the European Union – so if you use digital analytics to measure the actions of EU-based visitors on your website or mobile app – then yes, the GDPR applies to you.
The regulation is complex, and non-compliant businesses face major risks (read: gigantic fines). So to help ensure your analytics activities are GDPR-ready, we’ve boiled down the 5 essential questions that you should be able to answer regarding your digital analytics data. We’ll cover them in this 2-part article, and transparently explain how AT Internet’s Analytics Suite is a fully GDPR-compliant analytics solution.
Let’s get right to it. The first question you must be able to answer with certainty is:
1. What kinds of “personal data” do you collect, and how is it handled?
According to the GDPR, “personal data” is “any information relating to an identified or identifiable natural person […] who can be identified, directly or indirectly, in particular by reference to an identifier…”.
In plain language, personal data is data that can be used to identify someone, such as:
- Direct identification: name, picture, phone number, address…
- Indirect identification: IP address, user names…
The GDPR requires that personal data be kept only as long as it’s needed for its initial purpose, and that end users be informed of this retention period.
As many types of personal data can be collected by your analytics solution, it’s important to clarify with your analytics provider which personal data is collected, how it is managed, where it is stored, and how long it is kept.
Don’t forget! Under the GDPR, both you and your digital analytics provider are required to document the above information to map out and record how personal data flows through your organisation.
How does AT Internet comply?
By default, AT Internet considers all data related to IP address, GPS location and cookies as personal data. We store all this data within the EU.
We only keep:
- IP address data for 6 months maximum (learn more about how we process and anonymise IP addresses)
- GPS location data for 6 months maximum. (During collection, we truncate all GPS coordinates to two decimal degrees – we never collect GPS coordinates in their entirety. Truncated coordinates are then converted into a heatmap graphic providing country-level-only information. Full details are never displayed.)
- Our cookies are active for a fixed period of 13 months, after which they expire and disappear from a user’s computer. (AT Internet’s cookie only contains a unique alphanumeric ID – no other data is stored in the cookie.)
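As an added illustration (not AT Internet’s code), the minimisation and retention rules listed above expressed as a small Python routine: coordinates are cut to two decimal degrees at collection time and each personal-data field carries its own deletion date. The hit layout, the calendar-month arithmetic and the sample values are our assumptions.

```python
import calendar
from datetime import datetime, timezone
from decimal import Decimal, ROUND_DOWN

# Retention windows are the ones stated above; the month arithmetic is our assumption.
IP_RETENTION_MONTHS = 6
GPS_RETENTION_MONTHS = 6


def truncate_coordinate(value):
    """Cut a decimal-degree coordinate to two decimals toward zero, never rounding.
    Going through str() avoids float artefacts such as 0.29 * 100 == 28.999..."""
    return Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)


def add_months(when, months):
    """Calendar-month offset, clamping the day (31 Aug + 6 months -> 28 Feb)."""
    index = when.month - 1 + months
    year, month = when.year + index // 12, index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def minimise_hit(hit, collected_at):
    """Minimise at collection time and stamp each personal-data field with its deletion date."""
    return {
        "cookie_id": hit["cookie_id"],           # opaque alphanumeric ID only
        "ip": hit["ip"],
        "ip_expires": add_months(collected_at, IP_RETENTION_MONTHS),
        "lat": truncate_coordinate(hit["lat"]),  # full precision is never stored
        "lon": truncate_coordinate(hit["lon"]),
        "gps_expires": add_months(collected_at, GPS_RETENTION_MONTHS),
    }


def purge_expired(record, now):
    """Drop personal-data fields whose retention window has passed; other data survives."""
    out = dict(record)
    if now >= out["ip_expires"]:
        out["ip"] = None
    if now >= out["gps_expires"]:
        out["lat"] = out["lon"] = None
    return out


def sample_record(collected_at=None):
    """Constructed sample hit (documentation address range, not a real user)."""
    hit = {"cookie_id": "a1b2c3d4e5", "ip": "203.0.113.7", "lat": 48.8566, "lon": -2.3522}
    return minimise_hit(hit, collected_at or datetime(2018, 5, 25, tzinfo=timezone.utc))
```

Running `purge_expired` on a schedule against stored records is what turns the stated retention periods into an enforced property rather than a policy statement.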
2. Are you transparent about which data you’re collecting from users, and their rights?
The GDPR requires companies and organisations (“data controllers”) to be completely transparent, “using clear and plain language”, when informing end users (“data subjects”) about which personal data is collected, where it is stored, and for how long it is kept (see point #1 above). You and your analytics provider are also required to clearly inform end users of their rights, which include the right to:
- request access to their personal data
- request that personal data be modified or erased, or to restrict processing
- data portability
- withdraw their consent at any time
- open a complaint with a supervisory authority
See Article 13 of the GDPR to learn more about which information must be clearly provided.
The GDPR requires organisations to respond to a data subject’s request “without undue delay”, and no later than one month after receiving the request.
To sum up, at any time, an Internet user can request that you retrieve, modify, and/or erase all data pertaining to him/her, so you must be able to do this easily – and rapidly!
Can your analytics provider locate and erase all personal data for a single given person? Does your analytics provider have a Data Protection Officer (DPO) to ensure that end users’ rights are being respected?
How does AT Internet comply?
AT Internet has the resources required to retrieve, edit or erase any personal data in a timely manner. We will liaise directly with end users on this matter when necessary.
AT Internet also has a DPO, Nicolas Boudillon, whose responsibilities include ensuring AT Internet’s compliance, liaising with customers and end users on privacy-related requests, liaising with data protection authorities, and keeping AT Internet employees informed of updates to data protection requirements. Meet Nicolas and learn more
In part 2 of this article next week, we’ll cover 3 other must-know points regarding your digital analytics data and solution in preparation for the GDPR. Or, discover them now in this free downloadable handbook (no email address required):
Digital analytics & the GDPR: 5 things you must know
Want to discuss GDPR-compliant digital analytics in further detail? Our teams would be happy to get in touch – just leave us your details here.