In the era of digital workspace, an arsenal of SharePoint plus analytics tools doesn’t break new ground. It’s simply a must-have. You can rely on it when you want to foster productivity, create an effective business road map, and support teamwork in your organization. The pinpoint precision of your reports allows you to make well-informed decisions.
If you’re going to track your intranet, you should be aware of the risks you might be running. The insights you gain come from data, either shared, stored, or transferred. As we know, the perplexing issues of processing personal and sensitive data, acquiring consent, collecting PII, and many more make analytics a tricky matter from the legal standpoint. Even worse, legislation varies widely across the world.
For businesses operating within the digital field, the primary laws are GDPR and ePrivacy Regulation.
However, the legal compliance of tracking and analyzing SharePoint activities won’t necessarily be on the line if you are familiar with the existing and upcoming legislation with regards to data protection and security.
We have already covered a wide spectrum of its rightful processing and we will guide you further on how to deliver precise reports from your digital workplace and stay legally compliant.
For safe tracking of your digital workspace, the paramount issue is what kind of data it handles. Not all information you gather is of the same importance. In this post, we cast light on the threats that lurk so you can guard your business against them.
Compare 4 Leading SharePoint Analytics Vendors
Learn how Webtrends, Piwik PRO, NGAGE and CardioLog Analytics differ from each other and find out which vendor fits your business’s needs.
Download your copyKeep it tight within the borders
Let’s say your organization operates in the pharmaceutical industry. This means you aggregate huge amounts of data about people’s health issues. It’s quite understandable that you rely on reports from your SharePoint analytics for business purposes. But remember, the data you’re collecting is probably categorised as “sensitive” data, which is also called a “special category of personal data” under GDPR. You surely know that managing personal data is lawful only under certain conditions, so handling sensitive stuff calls for additional safeguards and constraints.
Article 9 of GDPR regarding sensitive data states that: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
In general, processing sensitive data is forbidden, but there are exceptions. You can send this category of data to a third-party country, including the United States, but only under certain circumstances. Bear in mind that territorial reach plays an important part under GDPR.
For example, a transfer is possible within the Privacy Shield framework, but each case must be reviewed by your organization’s compliance team. What’s more, the European Commission is “monitoring closely” the current implementation of Privacy Shield. Experts think this means changes are imminent. So you may not be able to count on mechanisms like Privacy Shield for long. With that in mind, think closely about the information you want to share.
Update: As of July 16th 2020, Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US. The situation is evolving fast, though. Here we’ve written about the decision and will provide updates when anything changes. And here we’ve written about how such limitations affect users of Google Analytics.
This isn’t just a matter of data security, but also of your organization’s reputation. At the end of the day, if you want to stay in line with GDPR, the best practice is to keep this data on your servers inside the EU.
That’s why having the right analytics suite is so important. Not every SharePoint reporting tool allows you to precisely predefine what data you collect, nor lets you control the whole process. Some intranet analytics tools, like Piwik PRO, let you decide where to store information, and provide flexibility in hosting without threatening your organization’s legal compliance.
Authorize access
Ensuring tight security for collected data shouldn’t come at the expense of precision in reports from your intranet analytics tool. Because your organization’s digital workspace serves as a sharing platform, and you want to make the most of it, you need to pay careful attention to who gains permission to particular content.
The platform is your point of collaboration, but for a host reasons – particularly security – you should decide who gets access to published content. Suppose you’re a part of an international organization traded on the stock exchange. In that case, you are dealing with confidential information. If it gets leaked or shared with unauthorized individuals, this could be detrimental to your listings. Decisions about investments should be kept at the management level.
To stay on the safe side, you need to decide carefully where you install the tracking tool and set up granular permissions for the intranet reporting generated by dedicated SharePoint analytics. Sharepoint allows you to define the site collections you want to track.
This is crucial, because if you set it to Master Page then you won’t be able to switch off tracking or manage it from the outside. What’s more, you can also encrypt user IDs for better security. Finally, consider establishing a policy setting out publishing rules within your organization.
Keep an eye on your code
Threats to your legal compliance might lie in wait somewhere in your tracking code. When you need your tracking to be precise and simple but also efficient, you probably use JavaScript tagging. It gives you advanced reporting, but you need to stay alert if you are gathering information covered by the personal data definition. This might be the case if you implement third-party JavaScript code.
Firstly, make sure your tracking code doesn’t pass any personal data when you’re operating in a jurisdiction which prohibits that. Secondly, safeguard any confidential data to prevent it from being sent to a third party.
Let’s say you capture data from your department, like job titles. Your third-party vendor then changes your code, which now gathers the full names of your employees or their home addresses, and sends it on to other third-party vendors. This is one of the worst scenarios you could imagine. It makes all your efforts to remain compliant totally worthless.
Compare 4 Leading SharePoint Analytics Vendors
Learn how Webtrends, Piwik PRO, NGAGE and CardioLog Analytics differ from each other and find out which vendor fits your business’s needs.
Download your copyFinal thoughts
As you can see, the threat to your legal compliance takes various forms and there’s no way to present all of them at once. If you expose your intranet analytics to legal risk, it might cost you your reputation, the trust of your customers, employees, and even your position on the market.
The good news is that you can shield your organization from such a plight by making data protection and security your priority. What’s more, we’re here to clue you in with best practices.
If you want to know how our intranet analytics complies with data privacy regulations, reach out to us for consultations. Our experts will give you all the details about how Piwik PRO ensures compliance.
