In part 1 of this article, we covered what the GDPR means for your digital analytics data, notably in terms of personal data and user rights. This week, we’re defining 3 more crucial questions you must consider and understand regarding your digital analytics solution in preparation for the GDPR.
3. Where is your analytics data stored? Is it transferred outside the EU?
If personal data is transferred outside the European Union, the GDPR requires the country or countries to which you are transferring to have adequate data protection – meaning protective measures that guarantee EU-level standards. The end user must also be informed that his or her data is being transferred or stored outside of the EU.
Again, as digital analytics solutions collect and store personal data (and often store it outside the EU), it’s critical to ask your analytics provider where it stores the personal data collected via its solution, if this data is transferred anywhere, and whether end users are clearly informed of these storage and transfer locations.
How does AT Internet comply?
4. Does your analytics provider ensure co-responsibility?
Under the GDPR, when two different organisations (“data controllers”) work together to establish the purpose and means of processing personal data, they are considered “joint controllers” and share responsibility. Joint controllers must together determine the details of their “respective responsibilities” for GDPR compliance, especially as it relates to their duties in responding to data subject requests.
In simpler terms, you and your digital analytics provider are joint controllers, and you share the responsibility of complying with the GDPR.
It’s therefore crucial to ensure your analytics provider has clearly defined the scope of this joint responsibility in your contract. With fines going up to €20 million or 4% of your global annual turnover (whichever is higher!), you don’t want to be left holding the bag if your provider has not clearly defined the scope of its responsibility. (Or worse – if your provider has transferred 100% of responsibility to you!)
As a data controller, you are also expected to take care in choosing a data processor and deciding which types of data processing activities you will engage in. In other words, select your vendors wisely – they must be GDPR-compliant!
Where does AT Internet stand?
AT Internet’s Analytics Suite is GDPR-compliant. We therefore commit to sharing full responsibility with our customers for any potential privacy breaches and sanctions under the GDPR.
We will provide each of our customers with a contract addendum – a Data Protection Agreement, or DPA – to precisely define the scope of responsibility.
If you work with a different digital analytics provider, we strongly recommend you verify the terms of your contract to ensure that responsibility is not automatically transferred to you (via limitations on liability clauses).
5. For what purposes is your analytics data used? Is it combined or correlated with other customer data?
Under the GDPR, personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
In other words, your visitors’ data should only be used to achieve the specific thing(s) you’ve informed them of, such as (in the case of analytics) improving their experience on your site, or providing them with tailored content. Your visitors’ data should NOT be used in other ways for which they have not given consent.
Do you use data for profiling? If so, take note: The GDPR says any profiling activities require a data protection impact assessment (DPIA) to determine how this profiling affects the protection of your users’ personal data. Correctly performing a DPIA is a complex and onerous process, and if your DPIA is done incorrectly (or not at all), you risk major legal fines. The bottom line? Think carefully about any profiling activities you or your digital analytics provider carry out.
See Guidelines on Data Protection Impact Assessment from the Article 29 Data Protection Working Party
Where does AT Internet stand?
With AT Internet, you always remain the owner of your data. We never use or merge our customers’ analytics data for our own purposes.
We do not carry out any profiling activities, and in light of the GDPR, we strongly encourage our customers and prospects to carefully examine any profiling activities done on their advertising networks, especially when analytics data is being used to establish this profiling.
We hope these 5 points will help you examine your analytics activities with a critical eye, and identify if and where extra efforts and attention are needed to prepare for the GDPR. If you’re unsure of the answers to any of these questions, don’t hesitate to ask your analytics provider for clear explanations. Your provider should be a true partner in ensuring GDPR-compliant analytics data and processes, and should therefore be able to give you transparent and detailed answers to each of these questions.
Already an AT Internet customer? You can breathe easy: By working with us and using the Analytics Suite, you’ve already chosen a digital analytics solution that’s fully GDPR-compliant! An independent European player from day one, we’ve always adhered to – and been shaped by – strict European policies on data protection and privacy. We’ve developed our tools from the very start with privacy in mind. It’s a core value for us and fundamental to how we approach analytics.
Get all this information recapped in a free downloadable handbook (no email address required):
Digital analytics & the GDPR: 5 things you must know
Want the guarantees of an analytics solution that’s 100% GDPR-compliant and fully transparent? Our teams would be happy to get in touch with you.