General Data Protection Regulation (GDPR) is a European privacy law designed to harmonise data privacy laws within the European Union (EU) but also addresses the export of personal data outside the EU. Its purpose is to regulate how individuals and organisations may obtain, use, store and erase personal data to protect and empower all individuals on data privacy and reshape the way organisations respond to it.
GDPR came into effect on May 25th, 2018.
So to ensure you are complying and keeping your clients’ data protected, below is a list of questions you should be asking yourselves to ensure your organisation is GDPR compliant.
1. Who does GDPR apply to?
GDPR will apply to all organisations from any industry or sector that processes personal data of all EU citizens regardless of where that organisation is based, or where its processing activities take place. GDPR could therefore apply to any organisation anywhere in the world, and these organisations will need to effectively determine whether or not they process any personal data of EU citizens.
2. Are there any specific rules organisations should be following to ensure they remain fully compliant with the GDPR law?
To ensure your organisation is protected, Article 5 of the EU GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and up to date
- Held only for the allocated amount of time agreed upon and no longer
- Processed in a manner to ensure appropriate security of the personal data
3. What rights do individuals have under the GDPR law?
To ensure your clients’ data is protected, they have the right to:
- Be informed about how organisations use their data
- Withdraw from organisations using their data at any given time
- Inspect stored data
- Correct stored data
- Have their personal data deleted or removed without reason
- Block or suppress processing of their personal data
- Receive their data in a portable format
4. What is considered ‘PII data’?
Personally identifiable information (PII) refers to any information relating to an identified or identifiable living person (‘Data Subject’) that organisations use to expose their data on. This data includes but is not limited to an individual’s name, photo, email address, bank details, posts on social networking websites, medical information, cookie identifiers, GPS locations or a computer IP address.
Recommendations to ensure your business remains GDPR compliant
1. PII inspection of your data
Scan your clients’ BigQuery environment for the presence of any accidental PII data that may be exposed in the URL as a result of changes made to the site. We can run it point in time and set up consistent scans and alerts.
2. Turn on the IP Anonymization feature in Google Analytics
A code change is required to enable this function.
3. Ensure your privacy policy is updated
Communicate to your users regarding how their data is collected and the purpose for collecting that data. It is recommended to address key questions such as “What data is collected?” and “How will your data be used?”.
4. Review the length of time your data will be stored in Google Analytics
Google Analytics has provided the option to delete collected data after a period of time which can help your business remain GDPR compliant. Should you require further information, you can read about it here.
5. Review your data collection settings
It’s important to review your privacy policy and discuss any details with legal services. However, we strongly recommend you keep a few key questions in mind such as:
- How is your data collected ?
- Does your data collection exclude information about the identity of a particular person? For example: Does it contain a cookie by itself that has no connection to any other data?
- Is your data being collected via pixels or cookies? (For example: Is it a first or third party cookie? or does your session remain active when you switch between devices or domains?)
6. Filter users from EU countries
You can provide a filter for EU countries and test it in your test view before applying it to your master view. Alternatively, you may set conditions for EU users to prevent cookies from ever dropping to those visitors. One way of enabling this function might be via a pop-up window that asks users whether or not they reside in Europe.
For more information or concerns regarding GDPR, please get in touch with Datalicious at sales@datalicious.com.