In part 1 of this article, we covered what the GDPR means for your digital analytics data, notably in terms of personal data and user rights. This week, we’re looking at 3 more crucial questions you must consider and understand regarding your digital analytics solution in preparation for the GDPR.
3. Where is your analytics data stored? Is it transferred outside the EU?
If personal data is transferred outside the European Union, the GDPR (Chapter V) only allows the transfer if the destination country offers an adequate level of data protection (recognised by an EU adequacy decision) or if appropriate safeguards, such as standard contractual clauses or binding corporate rules, guarantee EU-level protection. End users must also be informed that their data is being transferred to or stored outside the EU.
Again, since digital analytics solutions collect and store personal data (and often store it outside the EU), it’s critical to ask your analytics provider where it stores the personal data collected via its solution, whether this data is transferred anywhere else, on what legal basis any transfer relies, and whether end users are clearly informed of these storage and transfer locations.
How does AT Internet comply?
4. What is the scope of your analytics provider’s responsibility?
It’s crucial to ensure your analytics provider (a “data processor”) has clearly defined the scope of its responsibility in your contract; the GDPR (Article 28) requires processing to be governed by a written contract setting out each party’s obligations. With fines going up to €20 million or 4% of your global annual turnover (whichever is higher!), you don’t want to be left holding the bag if your provider has not clearly defined this scope in the Data Processing Agreement (DPA). (Or worse – if your provider has transferred 100% of the responsibility to you!)
As a data controller, you are also expected to take care in choosing a data processor (the GDPR requires you to use only processors providing sufficient guarantees of compliance) and in deciding which types of data processing activities you will engage in. In other words, select your vendors wisely – they must be GDPR-compliant!
Where does AT Internet stand?
AT Internet’s Analytics Suite is GDPR-compliant, as is the AT Internet group as an organisation. We therefore commit to full transparency for our customers in our Data Processing Agreement (DPA).
We will provide each of our customers with a DPA to precisely define our scope of responsibility as a data processor, and yours as a data controller, regarding the processing of personal data.
If you work with a different digital analytics provider, we strongly recommend you verify the terms of your contract to ensure that responsibility is not automatically transferred to you (for example via limitation of liability clauses), and to ensure that your provider clearly indicates how it handles and protects personal data.
5. For what purposes is your analytics data used? Do you practice profiling?
Under the GDPR, personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
In other words, your visitors’ data should only be used to achieve the specific purpose(s) you have informed them of, such as (in the case of analytics) improving their experience on your site, or providing them with tailored content. Your visitors’ data should NOT be used for other purposes of which they have not been informed and, where consent is your legal basis, to which they have not consented.
It’s also important to understand the notion of “profiling” as defined in the GDPR (Article 4): “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s […] behaviour, location or movements.” If you use analytics data for profiling, in particular profiling on which decisions are based that produce legal effects or similarly significantly affect the person, you must carry out a Data Protection Impact Assessment (DPIA) to ensure and demonstrate accountability and compliance.
If you perform any other data processing activities that are likely to result in a high risk to the rights and freedoms of users, you must also carry out a DPIA to evaluate these risks. Should the results of your DPIA indicate a high residual risk that you cannot mitigate, you must consult your local supervisory authority before processing, and it can advise you appropriately.