What Google’s GDPR Compliance Efforts Mean for Your Data: Two Urgent Actions

But my post today isn’t about what you should do to get compliant — that’s specific to your circumstances — and a ton has been written about this already:

I’ve found value in the content Ometria has produced on this front, e.g. 6 things e-commerce marketers should know about GDPR and their deeper GDPR guide (registration required)
If you work in the area, this GDPR impact on social post from Buffer will get you up to speed there
And for the paid marketers among us, this GDPR impact on AdWords article from WordStream is what you need

My intention is not to write a general guide, but rather to warn you about two specific things you should be doing with analytics (Google Analytics in particular) as a result of changes Google is making because of GDPR.

Unexpected consequences of GDPR

When you deal directly with a person in the EU, and they give you personally identifiable information (PII) about themselves, you are typically in what is called the “data controller” role. The GDPR also identifies another role, which it calls “data processor,” which is any other company your company uses as a supplier and which handles that PII.

The reason I say that this isn’t strictly a GDPR thing is that it is related to changes Google is making on their end to ensure that they comply with their obligations as a data processor.

Action: Review the promises being made by your legal team and your new privacy policy to understand the correct timeline setting for your org.

Consequence 2: Google is deleting GA accounts for capturing PII

It has long been against the Terms of Service to store any personally identifiable information (PII) in Google Analytics. Put more simply, Google will delete your account if they find PII.

It’s impossible to know for sure that this is GDPR-related, but being able if necessary to demonstrate to regulators that they are taking strict actions against anyone violating their PII-related terms is an obvious move for Google to reduce the risk they face as a Data Processor. Much like the previous point, the reason I say that this is related to Google’s response to the GDPR coming into force is that it would be perfectly possible to get your users’ permission to record their data in third-party services like GA, and fully comply with the regulations.

It should be quite obvious to anyone who knows me that I’m not a lawyer, and therefore that what follows is not legal advice. For anyone who doesn’t know me: I’m not a lawyer, I’m certainly not your lawyer, and what follows is definitely not legal advice.

With that out of the way, I wanted to give you some bits of information that might feed into your GDPR planning, as they come up more from the marketing side than the pure legal interpretation of your obligations and responsibilities under this new legislation. While most legal departments will be considering the direct impacts of the GDPR on their own operations, many might miss the impacts that other companies’ (namely, in this case, Google’s) compliance actions have on your data.

But I might be getting a bit ahead of myself: it’s quite possible that not all of you know what the GDPR is, and why or whether you should care. If you do know what it is, and you just want to get to my opinions, go ahead and skip down the page.

What is the GDPR?

The tweet-length version is that the GDPR (General Data Protection Regulation) is new EU legislation covering data protection and privacy for EU citizens, and it applies to all companies offering goods or services to people in the EU.

Even if you aren’t based in the EU, it applies to your company if you have customers who are, and it has teeth (fines of up to the greater of 4% of global revenue or EUR 20m). It comes into force on May 25. You have probably heard about it through the myriad organizations that put you on their email list without asking and are now emailing you to “opt back in.”

In most companies, it will not fall to the marketing team to research everything that has to change and achieve compliance, though it is worth getting up to speed with at least the high-level outline and in particular its requirements around informed consent, which is:

“…any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

As always, when laws are made about new technology, there are many questions to be resolved, and indeed, jokes to be made:

Can you recommend a GDPR expert?
-yes
Can I have their email address?
-no
— Adam Cleevely (@ACleevely) May 2, 2018

But my post today isn’t about what you should do to get compliant — that’s specific to your circumstances — and a ton has been written about this already:

My intention is not to write a general guide, but rather to warn you about two specific things you should be doing with analytics (Google Analytics in particular) as a result of changes Google is making because of GDPR.

Unexpected consequences of GDPR

When you deal directly with a person in the EU, and they give you personally identifiable information (PII) about themselves, you are typically in what is called the “data controller” role. The GDPR also identifies another role, which it calls “data processor,” which is any other company your company uses as a supplier and which handles that PII. When you use a product like Google Analytics on your website, Google is taking the role of data processor. While most of the restrictions of the GDPR apply to you as the controller, the processor must also comply, and it’s here that we see some potentially unintended (but possibly predictable) consequences of the legislation.

Google is unsurprisingly seeking to minimize their risk (I say it’s unsurprising because those GDPR fines could be as large as $4.4 billion based on last year’s revenue if they get it wrong). They are doing this firstly by pushing as much of the obligation onto you (the data controller) as possible, and secondly,…
