Most Irish businesses use Google Analytics as their main web analytics tool and for many it’s the only tool they use to tell how their website is working. Firstly its free for most users and it’s relatively straightforward to use
- You (or your developer) install Javascript code on web pages to track (monitor) website users
- When users visit your website, information about which pages they visit, how long they stay and what path they follow etc is collected.
- That information is transferred to and processed by Google Analytics’ servers
- You get invaluable reports which you can access, use, store and even share with others giving you some real insight about your website users.
It’s a simple product that works for many charities, individuals and businesses.
So what has GDPR got to do with Google Analytics?
From 25th May 2018 if GDPR applies to you then you need to both
- Comply with GDPR requirements
- Prove that you comply
We know that GDPR is going to have a wide geographical spread. It will apply to personal data of EU individuals when data controllers and data processors are either
- processing that personal data because of goods and/or services being offered or
- “monitoring” the behaviour of those individuals within the EU.
Regardless of where in the world the data controllers or processor are located.
Does Google Analytics process personal data?
One of the changes in GDPR is the new, much broader, definition of personal data includes data from which you can identify someone “directly or indirectly” using “all means reasonably likely to be used”, so any such information is personal data. Interestingly the GDPR text explicitly mentions IP address and Radio-frequency identification (RFID) as personal data. Beyond that it includes pseudonymous data, online identifiers and cookies which, as the GDPR states, can be combined with other data to create “profiles of the natural persons and identify them”.
The Google Analytics process means that both you are Google are sharing data:
- You are allowing Google to access data
- Google is supplying you with data in the form of reports.
Remember also that it’s not just about one individual data set or Google Analytics report on its own. What happens if you combine data sets that may appear unrelated such as a Google Analytics report with existing data you hold? If you can identify an individual from that combining two data sources then it’s personal data. (Think of the difference between Anonymisation and Pseudonymisation)
Does another organisation manage your account for you? You might even have unwittingly included a 3rdparty, if your web developer handles your Google Analytics. If so, then they are a data processor acting for you and you must have a contract in place that covers what they can or cannot do with your users’ data.
Should you use the user data you collect with Google Analytics?
GDPR says that processing personal data is illegal unless if you have a lawful basis for doing so. There are only 6 lawful basis, and the term “processing data” includes just having it.
6(1)(a) Consent of the data subject
6(1)(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) Processing is necessary for compliance with a legal obligation
6(1)(d) Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1) (f) Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
The first step must be to ensure that data gathering is lawful.
Google must have the answers.
People often assume that somehow Google will look after the GDPR side of things for you. Google is certainly taking steps to be GDPR complaint but remember that using Google doesn’t erase your own GDPR responsibilities. In most cases Google are just a data processor and you are the data controller, so responsibility sits with you.
You must also not forget that, according to your agreement with Google, using Google Analytics is your sole responsibility. If you commit a breach of that agreement (including not having a GDPR complaint privacy policy when using Google Analytics) and you will find your access to Google Analytics terminated, at the very least.
What can I do if I want to carry on using Google Analytics?
Start by making sure you’re really clear about what data you currently hold, what you intend to collect and how you are going to use it. Most organisations store far too much “just in case” data so now is an excellent time to cleanse that data, including permanently deleting data that you don’t need or can’t justify retaining.
Next set up some boundaries for using your Google Analytics account including
- How you can stop/monitor the use of personal data
- Who will be involved in that data processing activity
Then think, being realistic think about whether you will be able to use Google Analytics – about your lawful basis for that processing activity. If you want to rely on an individuals’ consent to enable you to use their data in this way, make sure that how you obtain and interpret the consent is GDPR complaint.
Finally, are there any data transfer issues? Google currently relies on the EU-US Privacy Shield which means data transfer outside the EU (to approved compliant areas or organisations) is acceptable, but under GDPR it’s your responsibility to make sure that if personal data you control is transferred outside the EU that personal data will be properly protected. That means, at the very least, having some sort of checking mechanism, even if it is only a quick look to see that the EU-US Privacy shield applies and Google’s membership is valid.