Is Your Analytics Tool GDPR-Compliant? Here’s What You Need

By Søren Laumand
Jan. 22, 2018 — GDPR, Website Analytics, Website Management


When the European Union’s General Data Protection Regulation (GDPR) takes effect this May, it will represent one of the most impactful events in the history of online privacy. Any organization that deals with the data of EU citizens will need to reassess how it collects, stores, and processes personally identifiable information. (That includes people’s names, email addresses, IP addresses, and much more.)

Even with the deadline looming, surveys have shown that a significant percentage of organizations have barely begun to prepare for the GDPR.

So while there’s no shortcut to developing a comprehensive data protection strategy, choosing an analytics tool that allows for easy GDPR compliance can go a long way toward getting your website up to speed. Here are a few key things to keep in mind:

Data Ownership

A key requirement of GDPR is having the proper measures in place for processing personal data. Any data related to an EU citizen must be physically stored in the European Union or a country whose data protection measures the GDPR deems acceptable, unless the user explicitly consents to having his or her data housed elsewhere.

This requirement presents some obvious hurdles for organizations not based in the EU. Some of those challenges can be offset by employing an analytics tool that comes with a clearly stated data ownership policy. Siteimprove Analytics, for instance, vows “not to share any data with a third party without the express written consent of the customer”, and also promises to destroy, upon request, all data related to customers who unsubscribe from the service. By having an established ownership statement in place, you provide your users with that much more peace of mind.

IP Anonymization

One possible solution for organizations looking to be GDPR-compliant while still tracking data for research or reporting purposes is anonymization. GDPR standards still allow organizations to collect certain data, provided it’s “rendered anonymous in such a way that the data subject is not or no longer identifiable.” This can be useful for organizations that want to record general demographic information that doesn't need to be personally identifiable.

Siteimprove Analytics includes an IP Anonymization option that allows your website to purge all incoming and historical data about your visitors’ IP addresses, making it possible for marketing and IT teams to retain useful tracking data without putting privacy at risk.


Siteimprove Analytics' IP anonymization settings enable you to purge incoming and historical data about visitors' IP addresses, ensuring greater privacy.

“Do Not Track” Settings

Many browsers offer a “Do Not Track” setting for users who are concerned about preserving their privacy. By turning on this setting in the browser, users send a signal to websites and analytics tools to stop tracking their activity.

In theory, this setting should stop a visitor’s browser from accepting cookies that alert advertisers and other companies to their online habits and interests. But technically, websites are not required to abide by these settings.


Internet browsers like Google Chrome allow you to send a signal to websites that you do not want your personal information or behavior tracked. However, the outcome depends on "whether a website responds to the request, and how the request is interpreted."

Since "Do Not Track" settings require proactive action by the consumer rather than the website owner, they are not directly addressed by GDPR. Still, organizations that are serious about protecting their users’ privacy should consider going the extra mile and setting their analytics tools to comply with these requests.

With Siteimprove Analytics, you have the ability to accept the "Do Not Track" settings directly in the tool. It’s a simple action that goes a long way in establishing trust, and demonstrates to your users that your organization believes in doing more than simply abiding by the letter of the law. Just be aware that accepting “Do Not Track” requests will reduce the overall number of visits your site logs.


By switching on the "Do Not Track" settings within Siteimprove Analytics, you agree to respect the privacy of website visitors who have requested that their cookies not be tracked.

Other Factors

There are plenty of other analytics angles to consider with the advent of GDPR, from the feasibility of self-hosting your own tool to setting up consent notifications for your users. By starting with a working knowledge of GDPR requirements and a tool that’s up to the job, you’re creating a more secure and productive environment for your visitors, and ultimately for your organization as a whole.

Want more tips for GDPR compliance on your website? Download the free e-book, GDPR Compliance: Working Together for a Compliant Website.


Søren Laumand is the Analytics Product Expert at Siteimprove. Søren has a degree in Management of Innovation and Business Development from Copenhagen Business School, and has worked in the digital industry since 2011. Additional analytics, legal, and IT experts within Siteimprove also contributed to this article.
