GDPR: The End of Web Analytics?!

The GDPR (European Union General Data Protection Regulation) takes effect on the 25th of May 2018, which is marked by some doomsayers as the end of web analytics.

Sander Marijt
Burst
3 min read · Nov 1, 2017

The opponents of the GDPR complain that the regulation is too strict and the fines too high. Others argue that the privacy rules do not change, that it’s all just a formality and that web analysts can rest at ease. So what will happen on that auspicious 25th of May?

Privacy law is currently governed by a directive (95/46/EC, in case you were wondering), which will be replaced with a regulation. Directives order Member States to implement legislation, whereas regulations are directly binding. Member States want to maintain their competitive business environments, so they apply directives as leniently as possible. This is why you are not worrying about downloading the series you will binge watch this weekend (breaching the EU copyright directive), but are less inclined to collude with competitors (and risk one of those scary fines of the antitrust regulation). The GDPR raises the fine for a breach to up to 20 million euro or 4% of your company’s global turnover. Moreover, the scope of the GDPR is widened and applies to all companies that process data of EU citizens. So, privacy rules become directly applicable, the scope is widened and the fines are increased. No wonder people get uncomfortable. But they have nothing to worry about if they are compliant, right? So… what were those privacy rules again?

They are actually quite sensible. Visitors must give consent to the processing of their data, and the GDPR requires this consent to be clear and distinguishable. The GDPR also introduces the ‘right to be forgotten’, forcing companies to delete personal data if they no longer have a legitimate reason to store it. Companies also need to have certain standards and procedures in place to secure personal data, called ‘privacy by design’. So how do you prevent the scary fines? It’s simple: you need to start documenting. In the unfortunate case of a data breach, you must be able to show you took all the required precautions. What did your access management look like? What precautions did you take to secure the data? How did you obtain the clear consent of visitors? If these questions are still difficult to answer, you have some homework due for the 25th of May.

Does the GDPR entail the end of web analytics?
The GDPR does not prohibit the analysis of data; it just ensures that privacy rules are adhered to. This does make web analytics a bit more troublesome, but if you care about privacy (and you should!) then it’s worth the trouble. Sure, visitors don’t seem to care that much about privacy right now, but this will definitely change. Once a big data leak actually occurs in the EU, people will think twice before sharing their sensitive data with companies that are clumsy with managing their data. A customer’s trust is hard to earn, but easily lost.

So, don’t consider the GDPR the end of web analytics; consider it the start of responsible web analytics. Even without the GDPR, taking common-sense precautions against breaches is long overdue. It’s time web analysts take the privacy of their customers seriously. Because if you want to remain competitive in the long run, you’ll also need to obtain your customers’ trust, not just their data.

Insights Analyst at Burst Digital, your non-average digital agency.