How To Comply With The GDPR (General Data Protection Regulation)


May 13, 2018, by Hilton Johani

Are you confused about the GDPR (General Data Protection Regulation)? If so, you are not alone. I have been getting a lot of emails from people who received a notice from Google Analytics about two weeks ago about the changes coming because of the GDPR. The GDPR is an EU regulation that protects the personal data of people in the European Union. But even if you are not in the EU, you may still need to make changes: if people in the EU use your website, you should comply.

Google Analytics has also added a data retention control which, by default, deletes some user-level and event-level data after 26 months. I will explain how to change that setting so that you don't lose data, and what kind of data is affected.

I spent several hours reading article after article trying to figure out how these regulations could apply to me even though I'm not in the EU. Many of the posts are confusing and highly technical, so I distilled my thoughts into this post and added links to some good sources for you to learn more. I want to state clearly that I'm not a lawyer, I'm not an expert on the GDPR, and there is a good chance that some of this information is not perfectly accurate. Here are the top questions digital marketers are asking, each followed by my thoughts.

If I am outside of the European Union do I have to care about GDPR at all?
The answer to this is “probably yes”. There are two reasons why you have to care about this issue:

If your website processes personal data of people who are in the EU, for example by offering them goods or services or by monitoring their behaviour (which is what analytics and tracking cookies do), then the regulation's territorial scope (Article 3(2)) can reach you even though you are established elsewhere.
You may wonder how a regulator in another jurisdiction can affect you, but the regulation does provide for fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher). Enforcement outside the EU may be difficult in practice, but it is best to comply just to be sure.

You may lose Google Analytics data if you don't change your GA data retention setting now. I'll write more on this below.

What do I do about GDPR if my business is based in the EU, or very obviously has customers there?
If this applies to you, then I would highly suggest consulting with your lawyer. My main point in writing this article is to answer the questions that are being asked by companies outside of the EU who don’t know what to do.

What constitutes “doing business with the EU”?
If you're a local small business that doesn't interact at all with the EU, I think that you are probably fine to mostly ignore this regulation. I still would recommend making some changes to your privacy policy, as I've written about below, and also making the recommended changes in this article to your Google Analytics settings.

But what about a website like mine? I have visitors all around the world. I have a newsletter that has European subscribers. Even though I'm based in South Africa, I really should make the changes recommended at the end of this post.

Could I just block people from Europe from visiting my site?
That certainly is an option, but it seems extreme to me. Perhaps I will change my stance on this as more information becomes available, but for now I would not recommend blocking EU visitors to your site.

GDPR and Google Analytics

This is where things get interesting. Even if you have no business at all in the EU, you are at risk of losing Google Analytics data if you don't take action now.

To get ready for the GDPR, Google Analytics added a data retention control that lets you choose how long user-level and event-level data (data tied to cookies, user identifiers, or advertising identifiers) is kept. If you do not change it now, you are at risk of losing some data.

What data will be lost?

Google says the following:

Here is how I interpret this:

  • If you just want to look at traffic trends, that data is not likely to be lost, because standard aggregated reports are not affected.
  • But if you have anything custom added to GA, there is a good chance you'll lose it if you do not change the setting. "Custom" could mean a segment (for example, if you've bucketed data into users in a particular age band, or users whose actions resulted in a certain amount of revenue) or any other type of custom report. I was originally unsure whether this included goal completions. According to Jenny Halasz, standard goal completions will not be affected, but goals that depend on user information, such as age or other demographics, will likely be lost.

Even if you don't have custom reports or segments set up now, you may want to in the future. So, unless you are heavily involved in dealing with EU customers, I am advising that you do change your GA settings.

Changes you should consider making today

First, go into Google Analytics → Admin → Account settings, click on "Review Amendment", then accept and save the data processing amendment.

Go back to admin and click on “tracking info”, then “data retention”:

You’ll see that, by default, your account is set to delete some information after 26 months:

Change this to “do not automatically expire” and then hit save:

Note: If you are actively involved in business in the EU, this is where you need to consult with your lawyer. I do think that you may have to keep this at 26 months. The GDPR itself does not fix a number of months; its storage limitation principle (Article 5(1)(e)) requires that you keep personal data no longer than necessary for the purpose you collected it for, so whatever period you choose, you should be able to justify it. It is also possible that national rules differ from country to country.

What changes should you make with your privacy policy in order to comply with GDPR?

This is where things get confusing again! This is a section that really does require legal advice.

Here is what I am advising business owners:

  • First, if at all possible, consult with your lawyer to get help with writing this policy.
  • Include information on the following:
    • Who is collecting the data?
    • What data is being collected?
    • What is the legal basis for processing the data?
    • Will the data be shared with any third parties?
    • How will the information be used?
    • How long will the data be stored for?
    • What rights does the data subject have?
    • How can the data subject raise a complaint?
  • Make sure that your privacy policy is easily found on your website. A link from your footer should suffice.

What should you do if you do email marketing?

Most of the common email providers have made changes to make it easy to comply with the GDPR. If you send emails to customers in the EU, you really should make sure that you comply. I use Mailchimp for my emails. They have a document that explains what they have done to become GDPR compliant, including making it possible for users to close their account or request deletion of their data. They are also adding a signup form option which you can use for EU subscribers so that they can explicitly opt in to your emails in a GDPR-compliant way.

Check with your email provider to see whether you should make changes. I think, though, that if you're using one of the recognizable providers, they should have things covered for you.

tl;dr

Here is a summary of my recommendations at this point:

  • If you are in the EU or have a customer base in the EU, you really do need to consult with your lawyer. The rest of this list is written for everyone else.
  • If you have no EU clients, but people from the EU may visit your website or receive your emails, you should still make changes.
  • Consider changing your data retention setting in Google Analytics so that you do not lose data. Even if you are not using custom segments, you never know what you may want to do in the future. I'm going to set my GA setting to "do not automatically expire." To cover myself here, I'm going to say that you should consult with a lawyer to determine whether you should do this too.
  • You should have a privacy policy that is linked from your footer and thoroughly explains how you deal with personal information.
  • If you have a newsletter or send emails to a subscriber list, make sure that your email provider is GDPR compliant.