How to stay GDPR compliant without affecting tracking

It has been three years now since the General Data Protection Regulation (GDPR) was implemented in 2018, driving a complete overhaul of data protection law as we knew it. Since it was introduced, marketing agencies have been hit hardest, pushed from accurate analysis of advertising performance towards assumptions and guesswork. 

What is GDPR? 

GDPR stands for General Data Protection Regulation. It is a European Union law that came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person).  

It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens. 

Therefore, it is essential for businesses and organisations to understand explicitly what GDPR means. It is the legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data are stored by organisations.  

Data subjects now have the right to demand subject access to their personal information, and the right to demand that an organisation destroys their personal information. These regulations affect most sectors within business, from marketing to health services. Therefore, to avoid the crippling fines administered by the Information Commissioner’s Office (ICO), it is essential to become GDPR compliant. 

What are the GDPR key principles? 

The GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements. 

Personal data shall be: 

  1. processed lawfully, fairly and in a transparent manner;  
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;  
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;  
  4. accurate and, where necessary, kept up to date;  
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;  
  6. processed in a manner that ensures appropriate security of the personal data. 

The data controller (the company holding the data) is responsible for and must be able to demonstrate compliance with the above. 

What does GDPR class as personal identifiable information (PII)? 

With some data it is very easy to work out whether it is personally identifiable, but other data may be more technical. If, by looking at the data you hold on an individual, you can distinguish them from other individuals, then that data is PII. A combination of data may be needed to identify an individual. For example, a last name on its own may not constitute PII, but if it is stored with the first name and postcode then it does. 

The UK GDPR provides a non-exhaustive list of identifiers, including: 

  • name; 
  • identification number; 
  • location data; and 
  • an online identifier (e.g., IP addresses and cookie identifiers). 

So, who is responsible for any PII data? 

Are you a Data Controller or a Data Processor? Knowing this should be high on the priority list. 

What is a Data Controller? 

The correct definition – ‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Data controllers can be either individuals or “legal persons” such as companies, Government Departments and voluntary organisations. 

Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents, etc. 

Real world example of a data controller – a bank that collects and maintains records of its customers when new accounts are set up. 

What is a Data Processor? 

The definition – A data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). This could include storage of the data on a third party’s servers or appointing a data analytics provider. 

Data Processors must not do anything to the data, or to the collection of data, without approval from the Data Controller’s Data Protection Officer. 

Real world example of a data processor – a marketing team contracted by company A to send marketing content to company A’s clients. The marketing company in this case is the Data Processor, as it is provided with the data by company A for a specific use. 

How to be GDPR compliant online? 

So now we know what GDPR is, what it involves, what PII is and who is responsible for the data. How does this translate to online marketing, and what can and can’t you do? 

Have a Privacy Policy. 

An organisation must have a Privacy Policy statement on their website. This statement, amongst other things, must include:  

  • what data is captured about the user,  
  • what it is used for,  
  • how long it is stored,  
  • whether it will be shared with anyone (and detailing who),  
  • the process for a user to request a full disclosure of what data is held about them, and 
  • the process for them to request it is completely removed from the organisation’s system – aka ‘the Right to be Forgotten’. 

You need to make sure that your processes and policy clearly state which third party data processors you use and where a subject’s data is passed to. 

Appoint a Data Protection Officer (DPO) & have a data breach process. 

All public authorities, and any organisation that processes personal data (the data controller) on a significant scale, must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance with the GDPR within the organisation. Even if you do not feel that your organisation falls into this category, it is a good idea to appoint a DPO. This person can keep data protection high on the organisation’s agenda and ensure that GDPR compliance is achieved and then maintained. 

GDPR requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonymised data) within 72 hours. 

Continually improve data encryption and security. 

The DPO should continually review the organisation’s processes and procedures, making sure that they are being followed and that there are no potential weaknesses that could allow a data breach. They also need to continually check any online marketing, especially where it captures any sort of user data or details: an eCommerce website, a website that allows the user to have an account with some sort of profile that identifies them, or even just a contact form. These websites are at higher risk of data breaches. The DPO must make sure the websites are set to the highest level of privacy for the user by default, with settings the user can choose to downgrade if they wish. DPOs should also be checking that only data that is absolutely essential is captured, that it is stored securely, and that it is accessible only to authorised people in a controlled manner. 

Ask for consent. 

You must provide a way for a user to give explicit consent for you to hold any data about them, and give details about what it will be used for. For example, if someone contacts your company or organisation through your website with an enquiry, you can contact them back regarding that enquiry; however, it does not give you permission to add them to your email marketing list. If the enquiry form had a checkbox that explicitly asked whether they wanted to be added to a newsletter/marketing list, and the user accepted the terms stating how their data would be used, then this would be acceptable. A log of when they agreed to the terms must be recorded somewhere so that it can be recovered and provided to the user if they request it. 

Is website tracking PII? 

So, we now know that you need to ask consent before storing any data about a user, but does tracking that user on the website mean you are storing PII data about that user? 

Most tracking services, such as Google Analytics, will store a tracking number (identification number), location data and an IP address. This means that unless you are using a privacy-focused analytics service that has been specifically designed to be GDPR compliant, you will be collecting PII data.  

How does this affect Website Tracking? 

Most organisations comply with GDPR by user consent. This has littered websites with frustrating pop-ups on entry asking permission to track website usage. However, user consent compliance has also often meant that websites will experience a loss of web tracking data and vital insights into performance. This is due to the user’s choice not to give consent to the website trackers, which restricts collection of website usage data, and you are left blind on statistics of website performance and ad reach. This creates an enormous issue for marketing agencies especially when being rated on the performance of a campaign and half the audience chooses to opt out of marketing. 

Can you track website performance without consent? 

As we have previously identified, most website analytics services collect PII data, which is an issue. Web analytics in the early days did not capture as much information; then came the days of Google Analytics. It moved analytics from on-premises systems to the cloud, drove deeper business insights, broadened analytical capabilities, and integrated additional services such as ads and remarketing.  

Although more power to analyse the data and produce more detailed reporting is very useful, this functionality is often not used for standard performance success reporting.  

So, is there anything I can do to collect website performance data that removes the need for a user to give consent, and with it the inaccuracies in the data? 

In theory, “YES”, you can track website usage as long as it contains no PII. The ICO puts it this way: “Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.” 

When GDPR was legislated, many systems for tracking website usage (e.g. Google Analytics) would not allow for anonymous tracking, making this very difficult (their revenue, after all, comes from having this data!).  

However, there are a few options by which you can achieve this while staying GDPR compliant: 

Privacy-focused analytics 

Privacy-focused analytics following a cookieless architecture is a respite to SaaS companies and start-ups of all sizes. 

It involves no tracking of user data, and no sharing or selling of it to third-party companies. Hence, it protects users’ privacy. In addition, such services comply with regulations such as GDPR, CCPA, PECR, etc. 

If you go for a privacy-focused solution, as explained in the subsequent section, you have another advantage. Since these solution providers are mostly software firms, not advertising companies, they never collect or share your data for advertising or for any other purpose. 

Google Consent Mode 

In September 2020, Google launched Google Consent Mode (GCM). In a nutshell, Google Consent Mode bridges the gap between data privacy and data-driven digital advertising by making sure that your website’s analytics and marketing can run seamlessly based on each specific user’s consent choice. 

This sounds perfect and just what is needed; however, GCM is still in Beta, and there have been reports from early adopters of issues with the reliability of the data collected. This is something to keep a close eye on, but we would not currently recommend implementing it for commercial use. 

Anonymised Tracking 

As Google Analytics is not GDPR compliant out of the box, if you are intent on using it there is another option. There are settings that will need changing within your Google Analytics account, and custom tracking code is required on your website to restrict Google from collecting certain data. In order to utilise full Google Analytics tracking, you will then need to switch some of these settings back on once a user has accepted your privacy policy. This is the most technical option, and you will need to disable some key features in Google Analytics – reducing the amount of data collected and the connectivity with other services. However, to date this is the only option if you still want to use Google Analytics without losing the analytics data needed to rate the performance of your website or campaigns. 
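One way to implement the restrict-then-re-enable pattern described in the Google Consent Mode and Anonymised Tracking sections above, as an added example that is not the post’s own code: a gtag.js bootstrap that declares a denied consent default before the config call, loads Google Analytics with IP anonymisation on and advertising signals off, and only re-enables them once consent has been recorded. The measurement ID and policy version are placeholders, and the data layer is a local array rather than `window.dataLayer` so the logic runs outside a browser.

```javascript
// Added example (not the post's own code): consent-gated gtag.js bootstrap.
// MEASUREMENT_ID and POLICY_VERSION are placeholders; the data layer is a
// local array instead of window.dataLayer so the logic runs outside a browser.
const MEASUREMENT_ID = "UA-XXXXXXXX-1";
const POLICY_VERSION = "privacy-policy-v1";

// Google's tag snippet defines gtag() as a push onto a queue; same shape here.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Tag parameters that keep Google Analytics running without the identifiers
// listed under PII above: IP truncation on, advertising/remarketing signals off.
const RESTRICTED_CONFIG = {
  anonymize_ip: true,
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
};

// Step 1 (page load, before the user has chosen): set the consent default
// BEFORE the config call, so no analytics or advertising cookies are written,
// then load the tag with the restricted parameters.
function initRestrictedTracking() {
  gtag("consent", "default", { ad_storage: "denied", analytics_storage: "denied" });
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID, RESTRICTED_CONFIG);
}

// Step 2 (user accepts the privacy policy): record when and to what they
// agreed, as the consent section requires, then re-enable the fuller feature
// set. IP truncation stays on; performance reporting does not need full IPs.
function grantConsent(consentLog, acceptedAt) {
  consentLog.push({ accepted_at: acceptedAt.toISOString(), policy: POLICY_VERSION });
  gtag("consent", "update", { ad_storage: "granted", analytics_storage: "granted" });
  gtag("config", MEASUREMENT_ID, {
    anonymize_ip: true,
    allow_google_signals: true,
    allow_ad_personalization_signals: true,
  });
}

// Check a DPO can run against the queue: the consent default must precede
// the first config call, otherwise the tag fires with cookies before consent.
function consentDefaultPrecedesConfig(layer) {
  const firstDefault = layer.findIndex(e => e[0] === "consent" && e[1] === "default");
  const firstConfig = layer.findIndex(e => e[0] === "config");
  return firstDefault !== -1 && firstConfig !== -1 && firstDefault < firstConfig;
}
```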

In conclusion… 

Since GDPR was released, website tracking has become very technical and a potential legal minefield if done incorrectly. Tracking visitors on your website, its performance and the success of your marketing has been severely hampered and currently there is no clear option to resolve these issues. You do have several options to overcome the issues, but all have their drawbacks.  

LAW Creative is one of Europe’s leading integrated marketing agencies. At LAW Creative we specialise in Digital Marketing and have a dedicated in-house team of experts who can advise you on how best to make your website compliant and run your digital campaigns and online marketing whilst minimising any tracking issues created by GDPR. If you would like advice or assistance with any of your digital media or campaigns, please contact brett.sammels@lawcreative.co.uk.  

LAW Creative is part of the Selbey Anderson Group of agencies. 

Sources: Google, ICO, Cookiebot, DeltaNet and InfoTrust