Web Analytics and Privacy
Data has become so ubiquitous that an acute tension is building between technological capabilities and ethical uses of data.
If your business is a data processor, you need to follow strict privacy laws in order to avoid fines and protect your stakeholders.
Here we will focus specifically on privacy for web analytics:
• Evolving Privacy Legislation
• Personal Data vs. Personally Identifiable Information (PII)
• Risk Classification of Web-Analytics and Related Processes
You can read a full discussion of the issue in our comprehensive whitepaper, or get an overview by exploring this brief presentation.
Evolving Privacy Legislation
As data flows are rarely limited to a single country, the objective becomes to build flexible and sustainable analytics setups that cover all regions.
Legislative misalignments can expose you to some serious monetary penalties:
• Fines are typically capped at 500k € in certain countries of the EU
• The upcoming General Data Protection Regulation (GDPR) is expected to allow fines of as much as 2% to 5% of an organization’s global turnover
• US class action suits can expose you to losses of much larger amounts
Note that GDPR is the strictest privacy law that has ever been introduced. It will have a significant impact on all businesses dealing with customers within the European Union.
GDPR will come into force within two years. What are the core issues regarding Web Analytics?
Profiling is defined as any form of automated processing of personal data to predict aspects concerning performance at work, economic situation, reliability, behaviour, movements and others.
• GDPR concerns all companies processing personal data about EU residents.
• The profiling process must be automated
• The purpose of the profiling must be to evaluate personal aspects of a natural person
• One cannot use an individual’s PII for profiling purposes unless such profiling is in the public interest
• Explicit consent is necessary as a new legal basis for data processing
• Data subjects must be informed about any profiling activities
Where should you start to make sure your organization is compliant with the new law?
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data by the OECD have become an internationally accepted set of rules for processing personal information. They will work just fine as a starting point.
OECD privacy principles:
1. Collection Limitation: Data collection should occur only with the knowledge and consent of the concerned individual (data subject).
2. Data Quality: One should only collect information which is accurate and relevant to a particular aim.
3. Individual Participation: The concerned individual should know if their information has been collected and must be able to access it if such data exists.
4. Purpose Specification: The intended use for a particular piece of information must be known at the time of collection.
5. Use Limitation: Collected data must not be used for purposes other than those specified at the time of collection.
6. Security Safeguards: Reasonable measures must be taken to protect personal information from unauthorized use, destruction, modification, or disclosure.
7. Openness: Individuals should be able to avail themselves of data collection and be able to contact the entity collecting this information.
8. Accountability: The data collector should be held accountable for failing to abide by any of the above rules. A dedicated person must be appointed
Remember that these outlined principles are acceptable as the core of your web-analytics privacy practices, but in many cases they may not be enough.
Personal Data vs. Personally Identifiable Information (PII)
Knowing the legal red line related to data types is crucial for minimizing the risk of breaches or violations.
PII is a US-based concept, while Europe refers to Personal Data.
PII data can be linked to a particular individual, whereas Personal Data can relate to someone without identification.
An e-mail address, name, or phone number constitutes PII, and the use of this data to capture an individual’s behaviour may be considered an abuse under privacy regulations.
Aurélie Pols
Taking into consideration the broad and vague definition of sensitive data, as enshrined in the European regulations, it is more practical to set up processes to detect PII following the US-based legislation. The recommended practice is therefore to use the US PII lists as a starting point to define escalation procedures and supplement such lists with context-related European practices.
Mind Your Privacy
Risk Classification of Web-Analytics and Related Processes
How can you be sure your company is fulfilling all of its data-related obligations? What methods can help you assign such responsibilities?
The scope of obligations for companies will depend upon the type of data they collect, process, and share.
One popular example of a responsibility-assignment method is the RACI model, which stands for Responsible, Accountable, Consulted, and Informed:
• Responsible: Who is/will be doing this task? Who is assigned to work on this task?
• Accountable: Whose head will roll if this goes wrong? Who has authority to make a decision?
• Consulted: Who can tell me more about this task? Are any stakeholders already identified?
• Informed: Whose work depends on this task? Who has to be kept updated about the progress?
Another method useful in certain contexts, particularly the privacy aspects of data uses, is the Privacy Impact Assessment (PIA). It typically consists of workflow-based questionnaires used by companies to identify and contain risks from the beginning.
Fluid privacy regulations, changing terms and conditions, excessive authority of legal counsel, and misunderstanding of legislation may indeed cause some companies to come to an analytical halt.
Taking that into account, responsibility could be divided into three main areas associated with the RACI model we mentioned above. When relating this to customer relationships, data-risk classification could be seen as follows:
Classification, with description and allocation:
• Green. Description: Carry on, no issues here. Allocation: Full responsibility stays within analytics; no further consultations needed.
• Orange. Description: Bring in outside counsel to be on the safe side. Allocation: Analytics remains responsible; consult with privacy.
• Red. Description: This is cutting edge, involves personal data and/or sensitive information and/or separate legal entities. Allocation: Privacy is informed and signs off or suggests risk-mitigation solutions (saying NO is not an answer, as next time they won’t be informed).
Or in other words, the above classification looks something like:
• Green: An individual comes to a digital property and leaves a data trail.
• Orange: A company wants to take a look at which individuals come back and what their technical environment is like; e.g. using cookies.
• Red: A company wants to stitch digital touch-points together.
Aurélie Pols
The trick is to understand when Green, Orange, and Red protocols are best applied to optimize data-privacy management. Remember, context remains of essence to assure privacy rights are respected.
Mind Your Privacy
If you want to learn more about mitigating data risks, read our free whitepaper written by renowned European privacy expert Aurélie Pols.