GDPR is coming, Are you ready ?

Just this evening received a notice from Google, about the steps they are implementing to comply with these GDPR regulations. Likewise anyone who is connected to a Google Analytics or Search Console (aka Google Webmaster Tools) account will have also received the same.

//* I use google webmaster tools & analytics for this blog//* 

Essentially Google are changing the rules and options associated with how long they retain user and event data within Google Analytics and Search Console.

Previously this was set to always (aka Do not automatically expire) for Google Analytics and circa 88 days for Search Console.

Search Console (beta) changed recently to extend the 88 day period, in effect saving this data per the “Do not automatically expire” approach. But there are also specific impacts that relate to your site’s Google Analytics, and similar changes will be coming down the line from the other providers.

Google has confirmed it will automatically delete user and event data that is older than the retention period you select.

The biggest change from Google relates to granular data retention controls, see below.

You can now choose how long Analytics retains data before automatically deleting it:

• 14 months
• 26 months
• 38 months
• 50 months
• Do not automatically expire

When data reaches the end of the retention period, it is deleted automatically on a monthly basis.

So what do you need to do?

• Share this article with your Data Protection Officer

• Ask them what your policy will be, remember this announcement only came out this morning (April 12th 2018) so they may not even have sight of this yet

• Go to your Google Analytics admin page and review these data retention settings prior to when it takes effect from May 25th 2018

• Update your Privacy & Data Policy page to reflect how your store data via Google Analytics and Search Console

Remember, according to Google these are settings for “user-level and event-level data associated with cookies, user-identifiers (e.g., User-ID) and advertising identifiers (e.g., DoubleClick cookies, Android’s Advertising ID, Apple’s Identifier for Advertisers)”, but do not affect reports based on aggregated data.

Other changes Google is now introducing include:

• A new user deletion tool
• Customisable cookie settings
• Privacy controls Data sharing settings
• Data deletion
• Account termination
• IP anonymisation

GDPR also impacts on your contractual relationship with Google, and it has been rolling out updates to its T&C's for many products for several months, so check that you understand these, and how variations between being a data processor and a data controller might apply to your own status.

You should also be ensuring that all forms on your website now have clear statements about the precise purpose you intend for all data you request.

As Google has done, it is best to adopt a granular approach to consent, and ensure you record the consent for each purpose independently.

If you use advertising features on Google Analytics and Analytics 360 you will also need to comply with Google’s new EU User Consent Policy. It sets out your responsibilities for making disclosures to, and obtaining consent from, end users of your sites and apps throughout the European Economic Area. (Brexit Alert: The EEA is not a synonym for the EU. Brexit won’t make any difference to GDPR, as the UK is part of the EEA, so you need to act on this.)

Pen-ultimately you can’t delay any longer.

If this all seems a bit overwhelming, don’t stick your head in the sand. Get in touch with ICO & ensure your website at least is compliant in time for the deadline.