From 25 May 2018, we must all comply with the more stringent legislation on data protection and the storage of European citizens' personal data. This short guide will give you some quick wins on how to comply with the new General Data Protection Regulation (AVG or GDPR)!

In just a few steps, we list the various adjustments you need to make to comply with the GDPR standards. We take a look at the settings of Google Analytics as well as Google Tag Manager (GTM). 


1. Google Analytics

A lot of settings need to be adjusted in Google Analytics. An overview is given below.

1.1 Sharing data settings

  • Go to administrator/admin > account settings
  • We advise you to uncheck all options at 'Data Sharing Settings'. This way you no longer share data with other Google products.

1.2 Adjustments to data processing

  • Under the table above you will find ‘adjustments to the data processing’
  • Click on ‘updated amendment’
  • Then approve the conditions
  • If you have a DPO, this can be communicated when you click on 'Manage DPA data'.
  • Then click on save

1.3 Collecting data for advertising functions

  • This can be found under 'properties' > 'tracking info' > 'data collection'.
  • Check that these options are also unchecked. If you leave this tracking on, it should be included in your cookie policy.

1.4 Data retention settings

Google will let you determine the period for the storage of user data from 25 May. You can choose between deletion after 14 months, 26 months, 38 months, 50 months or not at all. In this way, Google wants to place the responsibility with the companies themselves, but which period should you choose now?

  • Data retention only applies to custom reports or custom segments. It does not affect the overall results in Google Analytics. When data retention is enabled, the selected period (e.g. 14 months) is the maximum period that data is retained.
  • In addition to the period, you can choose to renew the expiry date for repeat visitors. For example, if data retention is limited to 14 months and someone visited the website 20 months ago and again 10 months later, this data will not be deleted.
  • Unless you have a good reason, we recommend limiting data retention to 14 months. GDPR does not set an explicit deadline, but you should have a good reason to keep data longer; "for the statistics" is not enough. Moreover, the impact on your data is limited.

1.5 Reports on demographic and interest categories

  • Admin > property settings
  • Check here to see if you are collecting 'demographic and interest reports'.
  • You can safely switch this off. If this is enabled, it should be included in your cookie policy.

1.6 Anonymising IP addresses in Analytics

You can anonymise an IP address in various ways:

  • By adding the following code to your tracking code. This must then be done on all pages.
    ga('set', 'anonymizeIp', true); 
  • Alternatively, use GTM (Google Tag Manager); we prefer this method. You can then easily give your Analytics tracking code an extra field that anonymises IP addresses: click More Settings > Fields to Set and add the field name anonymizeIp with the value true.

 

1.7 Stripping Parameters from URLs

  • When a contact form is submitted, for example, check that no personal data ends up in the URL, such as an "email=" query string parameter.
  • The best method is to remove these query parameters via GTM. This way they never reach the Google Analytics servers and you can guarantee privacy. Filtering out this information in your views is not enough, because by then the data has already been sent to Google. You need the variable "Page URL". If required, you must activate it first.
  • You can also solve this using JavaScript code. It is best to ask your web developer for this. Should you need our help with this, our web developers will be happy to help you. Please do not hesitate to contact us.
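One way to do the stripping in JavaScript, as an added example that is not part of the original guide. The function name and the list of parameter names are assumptions to adapt to your own forms; it goes one step further than the text by also redacting e-mail addresses that show up in other parameters or in the path.

```javascript
// Added example: the parameter names below are assumptions, extend them for your forms.
const PII_PARAMS = ["email", "e-mail", "mail", "name", "firstname", "lastname", "phone", "tel"];
// Catches e-mail addresses in unexpected parameters or in the path (raw "@" or encoded "%40").
const EMAIL_RE = /[^\s\/?&=#]+(?:@|%40)[^\s\/?&=#]+\.[a-z]{2,}/gi;

// Returns the path + query string that is safe to report as the page.
// The #fragment is dropped on purpose.
function cleanPagePath(href) {
  // The base URL is only a placeholder so that relative paths can be parsed too.
  const url = new URL(href, "https://placeholder.invalid");
  const kept = [];
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.includes(key.toLowerCase())) continue; // drop known PII keys entirely
    kept.push([key, value.replace(EMAIL_RE, "REDACTED")]); // keep the key, mask the address
  }
  const query = new URLSearchParams(kept).toString();
  const path = url.pathname.replace(EMAIL_RE, "REDACTED");
  return path + (query ? "?" + query : "");
}

// In the tracking code, before the pageview is sent:
//   ga('set', 'page', cleanPagePath(location.href));
```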

1.8 Users

Find out who has access to Google Analytics and remove any people who no longer need access.

2. Google Tag Manager

  • All tags that relate to personal data, such as Hotjar, remarketing, LinkedIn Insight Tag, Facebook tracking pixel ... must be stopped until the website visitor approves your cookies.
  • To do this, you need to create a new trigger that only fires if the website visitor has approved the cookies.

3. Cookie banner

  • A cookie banner will have to appear on the website, giving the website visitor the opportunity to accept or reject cookies.
  • Ideally, you should also give them the opportunity to choose which cookies can be placed and provide additional information about this.
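The consent-gated trigger from section 2, combined with the per-category choice described above, could be wired up as follows. This is an added example, not code from the original guide: the cookie name, its `analytics:1|marketing:0` format, the categories and the event names are all assumptions that depend on your own banner.

```javascript
// Added example. Cookie name, value format, categories and event names are assumptions.
const CONSENT_COOKIE = "cookie_consent";       // hypothetical cookie written by your banner
const CATEGORIES = ["analytics", "marketing"]; // hypothetical banner categories

// Parse e.g. "cookie_consent=analytics:1|marketing:0" out of a document.cookie string.
function readConsent(cookieString) {
  const granted = {};
  CATEGORIES.forEach((c) => { granted[c] = false; }); // default: nothing approved
  const pair = cookieString.split(/;\s*/).find((p) => p.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return granted;
  let raw;
  try {
    raw = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1));
  } catch (e) {
    return granted; // malformed value: treat as no consent
  }
  for (const item of raw.split("|")) {
    const [name, flag] = item.split(":");
    if (CATEGORIES.includes(name)) granted[name] = flag === "1";
  }
  return granted;
}

// Push one dataLayer event per approved category. In GTM, each tag that touches
// personal data gets a Custom Event trigger on the matching event name, so it
// cannot fire before the visitor has approved that category.
function pushConsentEvents(dataLayer, cookieString) {
  const consent = readConsent(cookieString);
  const events = CATEGORIES.filter((c) => consent[c]).map((c) => "consent_" + c);
  events.forEach((event) => dataLayer.push({ event }));
  return events;
}

// In the browser, on page load and again when the visitor saves the banner:
//   window.dataLayer = window.dataLayer || [];
//   pushConsentEvents(window.dataLayer, document.cookie);
```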

4. Cookie policy

In the cookie policy you need to give a clear overview of the items below:

  • What information is kept
  • Who collects this information
  • How was this information collected?
  • Why is this information kept
  • How are you going to use this information
  • With whom is this information shared
  • What is the effect on the individuals who visit your website?
  • A clear overview of First & Third party cookies
  • Google Analytics: That a processing agreement has been concluded
  • Google Analytics: That data is processed anonymously
  • Google Analytics: 'data sharing' is disabled
  • Google Analytics: that no use is made of other Google services in combination with Google Analytics cookies.
  • Explanation on how to delete cookies

Be sure to have a look at our own cookie statement.


5. Copy website

For each contact form, registration form, newsletter registration, ... provide a text where you indicate:

  • why you need that information and
  • what you are going to use that information for, and
  • how long you keep the information.

6. Double opt-in

If visitors subscribe to your newsletter, first of all don't forget the explanatory text (see section 5. Copy website).

In order to be able to prove that the user has given permission ('accountability'), for example to receive newsletters, the use of a double opt-in is ideal. After filling in their e-mail address, the visitor receives an e-mail asking for an additional verification. Only after confirmation is the e-mail address included in the database.
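The double opt-in flow described above, sketched server-side in Node.js as an added example that is not part of the original guide. The in-memory maps stand in for database tables, and the 48-hour link validity and all function names are assumptions.

```javascript
// Added example. In-memory stores stand in for database tables (assumption).
const nodeCrypto = require("crypto");

const TOKEN_TTL_MS = 48 * 60 * 60 * 1000; // assumed validity of the confirmation link
const pending = new Map();     // sha256(token) -> { email, requestedAt }
const subscribers = new Map(); // email -> consent record kept as proof of permission

// Only the hash is stored, so a leaked pending table cannot be used to confirm.
const hashToken = (token) => nodeCrypto.createHash("sha256").update(token).digest("hex");

// Step 1: the form is submitted. Nothing is written to `subscribers` yet.
function requestSubscription(email, now = Date.now()) {
  const token = nodeCrypto.randomBytes(32).toString("hex"); // goes into the e-mailed link
  pending.set(hashToken(token), { email: email.trim().toLowerCase(), requestedAt: now });
  return token;
}

// Step 2: the visitor clicks the link. Only now is the address stored.
function confirmSubscription(token, now = Date.now()) {
  const key = hashToken(String(token));
  const request = pending.get(key);
  if (!request) return null;  // unknown or already used token
  pending.delete(key);        // single use
  if (now - request.requestedAt > TOKEN_TTL_MS) return null; // link expired
  const record = {
    email: request.email,
    requestedAt: new Date(request.requestedAt).toISOString(),
    confirmedAt: new Date(now).toISOString(), // the evidence that permission was given
    method: "double opt-in",
  };
  subscribers.set(request.email, record);
  return record;
}
```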


Do you have any questions about GDPR for your website? Please feel free to contact Calibrate.