The EU’s General Data Protection Regulation (GDPR) comes into force on May 25th. The GDPR is intended to give EU citizens – and non-citizens located in the EU – control over personally identifiable data.
That means big changes for companies that collect and process data, regardless of whether analytics is carried out in-house or by a third party such as Google Analytics.
The GDPR is a long and complex document, and I would urge businesses that collect and analyze data to familiarize themselves with its contents and seek legal advice. In this article I’m going to talk about some of the consequences to businesses that use personally identifiable data in analytics, but it should not be considered legal advice.
What is the GDPR?
The GDPR is concerned with personally identifiable data, which is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly,”
The GDPR introduces stringent rules around data collection and processing, and establishes legal grounds that justify the collection of personal data. There are several grounds for data collection and processing, but the two most relevant to analytics are consent and contractual obligation.
Entities that handle personal data are considered to be either a controller or a processor. A controller is an entity that collects data and decides what is done with it. A processor is responsible for processing data on behalf of a controller. An eCommerce store that collects data about shoppers is a controller. A third-party analytics provider who takes that data and uses it to generate reports is a processor.
It is important to understand that controllers are responsible for ensuring that processors comply with the GDPR. Businesses can’t shift liability to a third party by outsourcing analytics. Controllers must ensure that any analytics service they use is compliant.
Analytics and profiling
The GDPR explicitly addresses profiling, which it defines as automated processing to “analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
There is some disagreement about whether, in the absence of other legal grounds, profiling requires consent, but it is clear that automated decision-making based on profiling does require explicit consent. If an organization uses profiling as the basis for automatic decision-making – perhaps marketing automation or retargeting – it must obtain explicit consent (or have a contractual agreement with the data subject).
Consent is defined more narrowly than in previous privacy legislation. Consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
That may cause a problem for businesses that rely on analytics. A vague opt-in that doesn’t specifically describe the scope of any analytics, especially with regard to profiling and automated decision-making, is insufficient. Consent must be specific and unambiguous.
Many businesses carry out analytics for which they have no specific consent. Indeed, it’s common for businesses to collect information before they know how it is to be used or to repurpose data that was collected for other reasons.
Under the GDPR businesses are required to seek specific consent for each “purpose”. Furthermore, data subjects should be able to opt-out at any point – they can withdraw consent and the controller has to comply.
It is worth noting that there is no “grandfather” clause that allows historical data to be processed outside of the constraints of the GDPR. It applies to all personally identifiable information, regardless of when it was collected.
GDPR puts data subjects in control
The GDPR gives data subjects a set of rights that puts obligations on controllers.
- Right of access – data subjects can request that a controller provides them with all the personal information they have stored. Controllers have to make it easy for data subjects to issue such requests.
- Right of deletion – data subjects can request that their personal data is deleted (or corrected). This right is often referred to as the “right to be forgotten”.
- Right of data portability – data subjects should be able to take the data held by one company and give it to another company.
Businesses have to make it easy for data subjects to make these requests, but the real burden will be ensuring that data is stored in such a way that responding to requests under these rights is possible. Businesses need to know which data they have, where it is stored, and whether it falls under the GDPR.
Businesses that store large amounts of data for analytics may have a lot of work ahead of them if they are not already prepared to respond to the requests of data subjects.
GDPR and Google Analytics
Most of the data provided by Google Analytics cannot be linked directly to a specific individual, but both Google Analytics and its clients do share data that could be “directly or indirectly” used to identify people. As I have already mentioned, IP addresses are now considered personal data.
As you might expect, Google has made efforts to ensure that Google Analytics is GDPR-compliant. When Google Analytics acts as a data processor, there must be a written contract between Google as the processor and its clients as controllers. The contracts should contain a set of standard clauses that describe the data and limit what can be done with it. Google expects to provide updated contractual terms for all its services by the time the GDPR comes into force.
GDPR compliance is a two-way street. The controller must ensure that the processor can provide “sufficient guarantees” that data will be treated in compliance with the GDPR. The processor can only use the data in the ways that the contract specifies.
To be clear, the controller is ultimately liable if organizations they subcontract don’t abide by the GDPR.
Penalties and territoriality
Businesses outside of the EU might be wondering why they should be concerned about the GDPR. If they don’t collect personally identifiable data from EU citizens or other people located in the EU, then the GDPR isn’t relevant to their business.
For businesses based outside of the EU who collect personally identifiable data from within the EU, the situation is more complex.
US businesses with a physical location in the EU can be sanctioned directly, but it’s not yet clear how the EU intends to apply the GDPR to businesses without a physical presence in the EU, except that it will involve international law and relevant treaties or trade agreements. US businesses with no physical presence in the EU may be required to designate an EU representative to handle communications between the company and EU data protection authorities.
The penalties associated with non-compliance with the GDPR are harsh, with fines of up to 20,000,000 Euros or 4% of global revenue, whichever is larger.
Practical consequences of the GDPR
For most businesses that collect data for the purposes of analytics, there are several immediate consequences:
- Businesses should ensure that they get explicit consent before collecting and processing data.
- They should implement systems that allow data subjects to access, delete, or move their personal data on request.
- They should ensure that any processors – third parties that carry out data processing on behalf of a data controller – are compliant with the GDPR and that a compliant contract is in place.
Finally, if you have any doubt about the consequences of the GDPR for your business, I strongly recommend consulting a qualified legal expert.
Note: The opinions expressed in this article are the views of the author, and not necessarily the views of Caphyon, its staff, or its partners.