I received this email from the Google Analytics team last night, which I think is well worth sharing.
As you should already be aware, the EU’s General Data Protection Regulation (GDPR) is due to take effect in the UK from the 25th May 2018.
The new regulation puts an even greater burden of responsibility on businesses to protect the data they hold than current regulations do.
This new regime at first appears to be “a bit of a minefield” and a great many third party vendors have been touting their services to help businesses through GDPR.
However, the cool-headed advice is that if, as a business, you hold data then you should do so with good reason and with consent, and you must ensure that the data you hold is secure. That’s my view of GDPR, so please correct me if that’s not right or not everything in a nutshell.
One specific and more detailed issue is that organisations need data retention policies, i.e. if you hold data then it can only be held for specific purposes for a certain period of time and must then be deleted if you’re not using it.
As a digital marketer, GDPR has been a bit of a headache because the tools we use are so often US-based, and what implications does this have for GDPR? Notably, is it OK to hold EU citizens’ data on US-based servers, and are our friends across the pond compliant with the new GDPR regs?
The answers to all those questions are a bit of a mixed bag but search giant Google have obviously had to be particularly upfront on the new regs. After all, how much data do we all have on Google’s services?
Well, looking at Google Analytics alone, the team have released a memo on their new data retention controls. As an Analytics practitioner it’s worth a read:
[Action Required] Important updates on Google Analytics Data Retention and the General Data Protection Regulation (GDPR)
Dear Google Analytics Administrator,
Over the past year we’ve shared how we are preparing to meet the requirements of the GDPR, the new data protection law coming into force on May 25, 2018. Today we are sharing more about important product changes that may impact your Google Analytics data, and other updates in preparation for the GDPR. This e-mail requires your attention and action even if your users are not based in the European Economic Area (EEA).

Product Updates

Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.

Action: Please review these data retention settings and modify as needed.

Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics: Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.

As always, we remain committed to providing ways to safeguard your data. Google Analytics and Analytics 360 will continue to offer a number of other features and policies around data collection, use, and retention to assist you in safeguarding your data. For example, features for customizable cookie settings, privacy controls, data sharing settings, data deletion on account termination, and IP anonymization may prove useful as you evaluate the impact of the GDPR for your company’s unique situation and Analytics implementation.

Contract And User Consent Related Updates

Contract changes

Google has been rolling out updates to our contractual terms for many products since last August, reflecting Google’s status as either data processor or data controller under the new law (see full classification of our Ads products). The new GDPR terms will supplement your current contract with Google and will come into force on May 25, 2018. In both Google Analytics and Analytics 360, Google operates as a processor of personal data that is handled in the service.
- For Google Analytics clients based outside the EEA and all Analytics 360 customers, updated data processing terms are available for your review/acceptance in your accounts (Admin → Account Settings).
- For Google Analytics clients based in the EEA, updated data processing terms have already been included in your terms.
- If you don’t contract with Google for your use of our measurement products, you should seek advice from the parties with whom you contract.

Updated EU User Consent Policy

Per our advertising features policy, both Google Analytics and Analytics 360 customers using advertising features must comply with Google’s EU User Consent Policy. Google’s EU User Consent Policy is being updated to reflect new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps in the EEA.

Action: Even if you are not based in the EEA, please consider together with your legal department or advisors, whether your business will be in scope of the GDPR when using Google Analytics and Analytics 360 and review/accept the updated data processing terms as well as define your path for compliance with the EU User Consent Policy.

Find Out More

You can refer to privacy.google.com/businesses to learn more about Google’s data privacy policies and approach, as well as view our data processing terms. We will continue to share further information on our plans in the coming weeks and will update relevant developer and help center documentation where necessary.

Thanks,
The Google Analytics Team