Here’s Everything You Need to Know About GDPR

Rob Anderson / 21st May 2019

… and YES it does Impact Your Business!

General Data Protection Regulation or GDPR is probably the most crucial change in data privacy regulation in the last two decades. This is an EU legislation that came into effect on 25 May 2018.

The primary objective is to make it easier for EU residents to protect their personal data and privacy across the web. While the broad definition may at first appear daunting, here’s all that you need to know.

GDPR affects your business if you offer goods or services to people in the EU or collect any personally identifiable information (PII) on your site from an EU citizen. If for any reason you choose not to comply with the regulation, be ready for the consequences, including a penalty of up to 20 million Euros, if not higher.

What if your business is located far beyond the borders of the EU?

To be affected by GDPR, you don’t have to be located within the EU. If you’re running a website that receives traffic from Europe, and you are collecting visitors’ personal data (financial information, contact details, physical addresses, email addresses, or IP addresses), you have to protect this data the GDPR way.

That’s precisely the reason why you might have seen an increasing number of notices about privacy policy updates on almost every website these days. The fact is, if you have a site that’s open to visitors from all over the world, you must comply with GDPR.

…and that’s exactly what we’re going to discuss today.

Let’s start with the basics of GDPR, shall we?

Remember, the idea here is to cover the basics, especially as they relate to Google Analytics. So, we’ll start by discussing the three main components of GDPR that every website owner should be aware of.

Explicit Consent – An EU citizen has the right to give explicit consent before any data is collected. So if you have EU prospects on your site, make sure they get a notice that asks them to check a box before you collect any data about them… and they have the right to decline.

Right to Be Forgotten – If you’re dealing with EU citizens, GDPR also includes the right to be forgotten. So if you’re collecting their data, you need to have the ability to delete all of it, and if you don’t have that ability, you are violating the regulation.

Penalties for Non-Compliance – Understand that there are severe penalties for non-compliance. If you are collecting personally identifiable information (PII) and you don’t have the ability to remove or scrub it from your systems, there are severe monetary consequences.

What counts as PII?

Just think about the kind of data that you collect and whether that data could be used by someone to figure out the identity of your site visitors. This goes beyond the obvious pieces of data like a social security number, first and last name, or physical address.

Even if you take non-personally identifiable information and transform it in a way that lets you figure out who an individual might be, you’ve run afoul of the regulation. That is something you should think about.

What if I use Google Analytics tracking through Google Tag Manager?

Google Analytics (GA) tracking through Google Tag Manager (GTM) is usually safe under GDPR if you follow some basic rules:

#1 – Check in GA/GTM to make sure that the “anonymize IP” field is set

These days, an IP address alone can be enough to target someone directly. So, make sure that the “anonymize IP” field is set. This is an important step to ensure that a visitor’s IP address can’t be traced back to them.

#2 – Check GA to verify that PII is not in any named content

Collecting personally identifiable information in GA is not allowed under Google’s Terms of Service in any case. Beyond that, you need to make sure that GA does not pick up PII inadvertently. For instance, when GA picks up a full URL that includes PII (which is quite common, especially with links sent in emails), you have made a serious mistake.

This effectively means that along with a GDPR violation, there’s a violation of Google’s terms of service as well. So if you’re collecting email addresses, check that no email address ends up in the query string.

For instance, here at Wheelhouse DMG, we had to go back to our client and advise them to shut off an account only because they had inadvertently collected so much PII. The account became almost unusable. It was an extreme case!
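As an added example that is not part of the original post: a small JavaScript helper that flags and redacts PII-bearing query parameters (named parameters or any value shaped like an email address) before a URL is handed to GA, and that can also be run over exported page URLs to audit what has already leaked. The parameter-name list, the sample URLs and the idea of wiring it in through a GTM custom JavaScript variable are assumptions for this example, not a documented GA/GTM API.

```javascript
// Added example (not from the original post): scrub PII out of a page URL
// before it reaches Google Analytics. Wiring it in as a GTM custom JavaScript
// variable is an assumption; the helper itself runs stand-alone in Node.

// Query-parameter names that carry PII by convention (constructed list).
const PII_PARAM_NAMES = new Set(["email", "firstname", "lastname", "name", "phone"]);
// Any value that looks like an email address is PII regardless of its key.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns the names of the query parameters in rawUrl that carry PII.
// An unparseable string yields [] so the caller can decide what to do with it.
function findPiiParams(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return [];
  }
  const hits = [];
  for (const [key, value] of url.searchParams) {
    if (PII_PARAM_NAMES.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      hits.push(key);
    }
  }
  return hits;
}

// Returns a copy of rawUrl with PII parameters replaced by "REDACTED" and the
// fragment dropped (fragments can carry session tokens and GA never needs them).
// Re-serialising the query may change the percent-encoding of other values.
function scrubUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return "REDACTED_UNPARSEABLE_URL"; // never forward what we could not inspect
  }
  for (const key of new Set(findPiiParams(rawUrl))) {
    url.searchParams.set(key, "REDACTED");
  }
  url.hash = "";
  return url.toString();
}

// Audit helper: given URLs exported from a GA pages report, return only those
// that would have leaked PII and therefore need cleaning up.
function auditUrls(urls) {
  return urls.filter((u) => findPiiParams(u).length > 0);
}
```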

It’s the perfect time to re-evaluate your data security policies

We believe that GDPR offers an ideal opportunity to re-evaluate your data security policies and specifically your Tag Management System. That’s precisely the reason why a lot of our clients work with us so they can proceed with bulletproof confidence while legally managing their data and adhering to global privacy standards.

Yes, GDPR applies to American businesses as well

If you are primarily a US-based company, you should probably be following the GDPR anyway for a couple of reasons.

First, it makes sense from a Google Analytics perspective. Google doesn’t care whether you’re in the US; its terms of service apply regardless.

Second, the state of California has recently passed a privacy law for California citizens that is not the same as GDPR, but very similar. There is a high chance that the rest of the country will ask for the same privacy laws. More details can be found here.

So you can save yourself headaches two or three years from now by making your processes GDPR-proof today. For instance, if you have several international sites, make sure all of your checkboxes default to unchecked when it comes to cookie policies and other similarly important settings. As a precaution, don’t collect data that you shouldn’t be collecting by GDPR standards, even if you’re US-based. Stay proactive.

GDPR is not that complicated!

It seems like there’s a fair amount of ambiguity and consternation around GDPR. However, it’s not truly complicated. You just have to know what you’re collecting, and whether any of it is PII.

… and you might need to make changes. For example, every organization needs a C-level position responsible for data privacy, similar to a CTO. If no one at your organization has that role, you need to think about that aspect.

As agencies, analysts, strategists, and marketers, we hope to achieve actionable insights through a data-driven culture… and the data that you collect about users and what you’re able to gather from that data tells a story about your values.

… and values are what define culture.

For instance, our teams at Wheelhouse DMG are proud of our values of stewardship, joy, and generosity. With that in mind, I advise you to consider how you think about data, and how you use it to drive your marketing campaigns.

Let us know your thoughts about GDPR implementation in the comments section.

By Rob Anderson