5 GDPR Analytics Mistakes to Avoid in 2018
With the GDPR getting closer by the day, we take a look at how your organization can ensure that the data it stores is compliant with these new regulations.
The Global Data Protection Requirement (GDPR) is the European Union’s newest set of regulations that are intended to protect customer data. The GDPR will replace the previous data protection guidelines that were implemented back in 1995.
The GDPR was developed to tackle the newest consumer privacy and safety concerns that were raised by the expansion of big data and new analytics technology throughout the EU. All organizations that store analytics data on EU users must modify their policies to ensure compliance.
Unfortunately, meeting these directives will be challenging for some organizations that still operate under the outdated data protection guidelines. Here are some common GDPR mistakes to look out for while adopting new analytics solutions.
Failing to Ensure That Purpose Limitation Principle Guidelines Are Met
The GDPR stipulates that data can only be stored for valid purposes. You must outline a documented purpose for every variable that you track in your analytics platform. For example, e-commerce platforms may justify the collection of IP addresses to track the percentage of returning and new visitors to their digital platforms.
You are going to need to document a clear chain of events throughout your entire funnel. You need to specify when data is collected and when it is implemented in your funnel.
Choosing Third-Party Analytics Platforms That Are Not GDPR Compliant
The growth of the analytics tool market makes for competition and diversity, which, overall, helps professionals to find products that do exactly what they need for minimum cost. The problem with the globalization of analytics solutions is that many software providers are not familiar with, or aren’t prioritizing compliance with, the GDPR.
It is important to do your due diligence before choosing any third-party data analytics provider. Fortunately, many of the leading tools work on top of other platforms. For example, Google Analytics, which dominates the market for website traffic reporting, is home to a thriving ecosystem of third-party tools that help professionals to visualize and make sense of their site metrics. Analytics doesn’t provide much in the way of visitor-specific data, as it’s primarily structured to report on page interactions – not the people who interact with your pages. The lack of cookie technology in this type of solution works to your advantage in the age of GDPR, as you’ll be exempt from asking visitors to consent to your tracking methods.
Even Leadfeeder, an audience intelligence tool that uses Google Analytics data with reverse DNS lookup technology to reveal the companies that visit your site, doesn’t tell you which specific employees browsed your content. Instead, it provides information about the people who work for that company and allows you to reach out and offer help. If any of these contacts end up engaging with you, then they can be considered to have displayed “legitimate interest” in your business, which means that according to the GDPR standards, it’s okay to include their information in other systems, such as your CRM.
Not Appointing a DPO and Giving Them Access to Your Analytics Data
The GDPR requires all organizations that collect consumer data to appoint a Digital Privacy Officer (DPO) to ensure compliance. The DPO must be given full access to all analytics applications, so they can adequately fulfill their responsibilities.
Problems are more likely to arise in highly decentralized organizations. When fragmented teams are given autonomy to implement their own data retention and analytics solutions, they may fail to provide the credentials to their reporting DPO. Make sure that all teams understand the importance of coordinating with the DPO and providing complete transparency with them. The DPO should be given:
- The names of all analytics applications used by each team.
- The purpose of each analytics platform and every piece of field data that is collected.
- A detailed, evolving record of all data collection and retention efforts by the team.
- The duration that the data will be stored and an update anytime data is destroyed.
- A monthly or bi-monthly report to the DPO on any data retention changes.
Cooperating with the DPO may feel overwhelming for many teams at first. Team leaders must understand that they play an essential role.
Being Unable to Demonstrate Data Compliance Efforts to Regulators
Making sure that you don’t violate the principles of the GDPR isn’t enough. Showing regulators that you are taking the steps to ensure compliance is necessary.
“Under the GDPR, companies have to be able to account for all of the data belonging to every individual. It is very challenging because traditional technology for data discovery doesn’t help you find an individual’s data. It wasn’t designed for that,” said Dimitri Sirota, CEO of BigID.
Neglecting to Periodically Update Your Security and Data Integrity Solutions
The GDPR continually emphasizes the importance of preserving data integrity. It also stipulates that all data must be encrypted, whether it is currently being accessed or remains dormant.
As malicious users find new ways to attempt to access data via security breaches, you need to find more effective ways to secure it. Encryption standards will continue to evolve over time. Even though the GDPR may not specify new standards, it is assumed that all organizations will update their data integrity protocols to be in line with the newest technology. Organizations that don’t update their data integrity solutions for three years or more may not be violating the written letter of the GDPR, but they may be found not to be compliant by regulators.