What is GDPR?
The General Data Protection Regulations (GDPR) is a set of laws designed to to give European Union (EU) citizens more control over their personal data. The laws cover how people are informed of how the data is used, how they consent to its use (or limit use), the right to “be forgotten”, to export their data, and to seek damages if they suffer from misuse or breach of their data. It means that organizations need to receive explicit permission to store personal data, store it responsibly, and be transparent about how they are storing it.
Who does GDPR apply to?
GDPR will affect any organization that (a) collects any personal data from citizens of the EU for any purpose, whether that be membership, advocacy, fundraising, programs, marketing, and etc., or (b) market their services to EU residents; (c) accepts currency of an EU country; (d) has a domain suffix of an EU country.
What is “personal information”?
- Email address
- Biometric identifiers (fingerprints, iris patterns, DNA)
- Physical or physiological attributes
- Medical/Health/Income information
- IP address
- Website cookies
Why Should Your Organization Care?
Effective as of May 25, 2018, failure to comply with GDPR can result in a fine ranging from 10 million euros to 4% of the company’s annual global turnover.
Fines will depend on the severity of the breach and on whether the company is deemed to have taken compliance and regulations around security in a serious enough manner.
In a recent speech, Liz Denham, the UK information commissioner, had this to say to organizations concerned about GDPR fines:
“…I hope by now you know that enforcement is a last resort. I have no intention of changing the ICO’s (Information Commission Office’s) proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organizations that persistently, deliberately or negligently flout the law. Those organizations that self-report, engage with us to resolve issues, and demonstrate an effective accountability arrangement can expect this to be a factor when we consider any regulatory action.”
How to Comply?
Step 1: Notify users that you are using cookies, and give them a way to actively opt-in to cookies.
Your organization’s website has to have the following attributes:
- Instructions on how to come back and update their privacy options later;
- A log capturing user content.
Step 2: Configure Google Analytics tracking to look for opt-in cookies.
You can only track with Google Analytics, if the user has agreed to accept your analytics tracking cookies. The easiest way to handle the opt-in/opt-out is to set a cookie that indicates that the user has opted into cookies. All other cookies must look for the presence of this opt-in cookie before additional cookies can be set.
One way to set this up using Google Tag Manager (GTM) is to create an exception trigger for all tracking tags that blocks tracking from being fired unless the user has opted into cookies.
If a user indicated that they would like to opt out of behavioral or advertising tracking, you should set a cookie that indicates the user has opted out. Then you can place an additional exception on your tags to block tracking if the user has opted out of behavior tracking such as Google Analytics.
Step 3: Remove Personally Identifiable Information from Google Analytics.
Some nonprofit CRM tools capture Personally Identifiable Information (PII) in the URL, which is then recorded in Google Analytics. The GDPR respects the user’s “Right to be Forgotten.” GA has stated that it will have a tool that will allow you to retroactively remove user data by user ID or GA cookie ID. If a user requests to be forgotten, this new tool will allow them to remove their data. Users can also request removal of their content from any of available Google services: https://support.google.com/legal/troubleshooter/1114905
To identify, prevent this information from being captured, there are several solutions to remove or redact this information:
Step 4: Anonymize IP Addresses.
While Google Analytics does not report on individual IP addresses in the reporting interface, it does use IP addresses for geographic reporting. Since it’s possible that a user could be personally identified via their geographic location, it is recommended that you anonymize IP addresses before sending them to GA.
Note that geographic location reports will still work but they will be less precise. Additionally, it is important to know that this change will impact any IP address filters you have in place. As a workaround, you will need to adjust your filters by changing the last octet of your IP filters to 0. This change may filter more IPs than you need, but will be necessary if you are subject to GDPR.
Step 5: Accept Data Processing Agreement in Google Analytics.
In Google Analytics, under Admin > Account > Account Settings, you will need to agree to the Data Processing Amendment.