How to Prepare Your Google Analytics and Other Google Services for GDPR

On May 25th in 2018 all the citizens and residents of EU are getting the full control of their data, thanks to General Data Protection Regulation. Every business dealing with data will probably notice the huge fine amounts for breaking the new data protection rules. It will be the biggest amount of two: €20 M or 4% of the company’s annual turnover. Sounds scary, but don’t panic! We’ll share the most important points about GDPR to help you comply with the new data security standards.

Also in this article we’re giving more details on how to accept the new GDPR terms in the accounts of Google services, as well as the Data Retention point in the settings of Google Analytics.

Let’s start with the fact that there’s no clear definition of what PII is. Surely, it’s any kind of data that can help you identify a person: name, location, picture, video, IP, etc.

What’s more confusing, is that there’s data that can be both, personal and not personal. To understand it, imagine that you own a jewellery shop. That’s why you’ve got video cameras all over the shop to provide the necessary security level. In this case you get video data for security purposes, which is not personal. However, you can connect video cameras to a face recognition system and send newsletters to your shop visitors. This is how data becomes personal, and you start breaking GDPR rules. Unless your shop visitor provides consent to be filmed for ad purposes, of course.

GDPR introduces two new concepts: privacy by default and privacy by design. These concepts mean there won’t be any already put ticks right next to the point «I agree to personal data processing.» This point should become more obvious in the interface as well.

Moreover, users will get the right to withhold consent in the following cases:

• When a user is forced to give consent.
• When a user is asked to provide more data than, according to the user’s opinion, necessary for data processing.
• When a user is requested to give consent to transfer personal data to any third parties without giving proper explanation on how the data will be used.

Oh, and another one. According to new GDPR standards, users will get the right to withdraw their consent at any time necessary, even if a user is given proper explanation on how the data will be used.

The policy of data processing should now be described in plain language without resorting to any legal terms or long explanations. It’s because most users simply scroll down to the explanation ending and put a tick next to the point they may not agree with.

In fact, GDPR requires companies to inform their users of data collecting and processing in the most simple and clear way. The consent itself should now be given within a really user-friendly interface, and for each of the data processing or monitoring operations. For example, if you are going to send some promo materials to your users over the phone or by email, you’ll have to get a user consent for the both, email and phone. If, say, you’re planning to use geo segments, you’ll need to also get users’ consent to collect the user geo data first.

Starting on May 25th in 2018, cookies are not allowed to use for advertising purposes or analysis, unless on lawful business, like a contract or an obtained user consent. This means that notifications «using our website, you agree to the cookie use policy,» when users first come to your website, are becoming useless.

GDPR introduces two new roles: data processor and data controller who has more responsibility than processor. To provide an example, let’s say that your company uses Google Cloud Platform to store your customers’ personal data. In this case, GCP is a data processor, and your company is a data controller as you are the one to decide what to do with the customers’ data.

Another thing about GDPR is that each company, dealing with processing or monitoring user data, has to hire a data protection officer. This is necessary to make sure that user data is safe and sound. The data protection officer will also check every new business technology that is connected with data processing or monitoring.

Right to be forgotten is probably the most interesting aspect of GDPR. It means that any user can demand from any company to change or even completely delete user’s personal data, as well as to demand any company to stop using his or her data. The exception is when the user data is collected for a certain purpose like, say, security. In such case, a company has to inform the user about data collecting for security purposes, and mention that third parties may also use the data.

Right to restrict processing allows any user to demand from any company to simply stop collecting and processing his or her data in case the user is against it or the reasons for collecting and storing are illegal. Any user can also ask to restrict data processing when it is no longer needed for the purposes that user agreed on. By the way, Google Analytics has even released a browser add-on for opting out GA because of GDPR.

Right to data portability is definitely aimed at user comfort. The idea is that customers will no longer need to transfer data when switching from one data controller to another one. To understand how it works, let’s take an example. Say, one of the customers has decided to start shopping in your online store. Before that, he or she shopped at another online store, but yours has lower prices. For more user’s convenience, the previous online store has to collect all the user data in the format for machine processing, and send the data to your store. This means that a user won’t have to enter the information about his or her favorite type of cell phones and cameras. Sounds great, doesn’t it? However, there’s no manual to how to provide this feature to customers yet.

One more important thing about GDPR is data breach notification. Each company now has to inform users and the body concerned within 72 hours from when the company found out about the user data breach.

To make a long story short, all business, involved in data processing or monitoring EU citizens and residents, have to comply to GDPR, regardless of where the business’ office is. That also concerns companies already working with EU citizens and residents, no matter if the whole company or just a department is involved.

This is when you might want to know what to do, if an EU citizen is your customer by accident. According to GDPR, even in case there’s the slightest chance that you start processing data of an EU citizen, your company has to comply. However, GDPR doesn’t provide clear directions on how to identify accidental EU citizens and residents among all of your customers yet.

With the account of main GDPR standards, here’s a short list of recommendations to all of the businesses dealing with data procession or monitoring:

• Check if all the company’s ways of data collecting, processing and monitoring comply with GDPR.
• Encrypt and / or pseudonymize the data of your customers.
• Update the privacy policy and regulations considering data processing in the user agreements of your services.
• Assign or hire a data protection officer.
• Provide a special training on GDPR to all your employees that are engaged in data processing and monitoring.
• Get ready to possible queries and requests from EU regulatory authorities and data subjects.
• Demonstrate the value of GDPR standards to your customers.

Google has done a great job ensuring that all users of GA Suite products are aware of the new data processing terms concerning GDPR. However, if you somehow missed newsletters on that topic, below is the simple manual on how to review and accept the terms.

Google Analytics

• Open the "Admin" panel, then "Account Settings".
• Scroll down until you see the "Review Amendment". Read it and choose "Accept".

Google Optimize

• Open the "Edit Account Details" point.

• At the bottom of the page click on the point "View the Data Processing Amendment". Here you’ll need to accept the data processing terms.

Google Tag Manager

• Navigate to the "Admin" panel, next find "Account Settings".

• Open the "Review Amendment", then click "Done".

Google Data Studio

• Navigate to "User Settings".

• Choose "Account and Privacy".
• In the "Data Processing Terms General Information" point click on "Yes".

You’ll definitely get notifications from Google concerning GDPR like, say, appointing you a data subprocessor, or any other significant updates. That’s why we highly recommend to specify the necessary legal entity and your contacts for that. Here’s a quick guide ho help you do that.

Analytics, Optimize, Tag Manager and Attribution

• Go to Suite Home organization page, and select the organization you need.

• Navigate to "Organization Settings".

• Click on "Data Processing Amendment".

• Specify the legally registered name of your organization in the "Legal entities" point and add up the contact details.

Google Data Studio

• Find "User Settings", and choose "Account and Privacy". Make sure there’s a tick next to "Yes".

• Provide the necessary contact details and save.

Did you know that Google will delete any user data older than 26 months, starting with May 25th in 2018? Have no fear! Here are some tips on how not to not lose the data.

How to set up the data retention term

You’ll need the "Edit" permission for the GA property you’re going to use. Follow these steps:

1. Navigate to the "Admin" pane, then choose the necessary property.

2. Next, find "Tracking Info", and select "Data Retention".

3. Choose the retention period: 14, 26, 38 or 50 months. You also can choose the "Do not automatically expire" option.
4. Leave the "Reset on new activity" switch on, if you’d like to reset the retention period of the user ID with each new event from that user. In case you’ve set the retention period to "Do not automatically expire", you can turn the switch off.

GDPR is a serious step ahead in user data protection, bringing new standards to data security all over the world. It is likely that customers will give more trust to companies that comply with GDPR. That’s why we recommend starting to implement the new data security standards as soon as possible, as this will help your company avoid huge fines and data breaches.