The new EU privacy law is just around the corner, so it’s about time banks reviewed their GDPR-compliance. One of the more important steps in this process is examining technology partners, including web analytics vendors. Read this guide to learn how to tackle this issue.
25 May 2018 – the day when the new European data privacy regulation enters into force – will arrive quicker than you think. And it’s very possible that finance will be the first industry to audit for compliance.
This state of affairs is quite understandable. After all, financial institutions process a vast amount of personal data every day. That includes confidential and sensitive data like account balances, credit card numbers, credit scores, and more. All that increases the likelihood that the supervisory authorities will increase their focus on the sector, as they will have expanded power to audit and to impose administrative fines.
As it turns out, the industry is well aware of that. In a poll carried out by software solutions provider Varonis in March 2015, the respondents, mainly from the financial sector, said that banks would be first in the line of fire under GDPR.
FREE Guide: Avoid Privacy Risks and Prepare for GDPR
Learn how GDPR will change web analytics and data collection practices:
download FREE guideHow are banks preparing for GDPR?
It would seem that such declarations should be accompanied by serious preparations for compliance. In this case, however, awareness isn’t translating into real action. Or at least this is what recent surveys show.
According to a survey cited in a recent Financial Times article, 76 percent of IT executives at financial services firms (including banks) believe they face serious challenges in becoming compliant with GDPR.
The conclusions of the recently published Symantec’s “State of European Data Privacy Survey” also don’t give much reason for optimism. This study gathered information from more than 900 business and IT decision makers in France, Germany, and the United Kingdom. It reveals that the majority of European businesses are concerned about compliance with the new GDPR regulation, and nearly one in four of them predict that they won’t be fully compliant when the regulation enters into force!
According to the Symantec’s “State of European Data Privacy Survey”, 96 percent of companies don’t fully understand the GDPR, while 23 percent say that their companies won’t be fully compliant by 25 May 2018.
And we must be aware that not being ready for GDPR can cost you a lot of money. As you have probably heard many times before, the new regulation allows for administrative fines which can go as high as €20 million or 4 percent of the global annual turnover of a company.
This sounds even more serious when seen from a wider perspective. A report from the data security solutions company AllClear ID states that European banks alone could face fines totalling €4.7 billion in the first three years of the General Data Protection Regulation. That’s roughly the annual budget of Malta or Iceland!
So, if your company is one of those behind in its preparations for the new EU law, you probably feel like you’re in a race against time. But we’re confident that the right approach and the right use of internal resources will let banks meet the deadline.
Sure, preparations for GDPR in the banking sector will be a tough job, consisting of steps like:
- setting up a GDPR coordination team
- appointing a Data Protection Officer
- drafting a new internal Privacy Policy & ensuring local compliance
- creating a new data breach procedure
- evaluating data processing procedures
- and many, many more.
And by all of that, it may seem overwhelming. But there’s still some time before GDPR comes into force. We dedicated the last couple months to creating a bunch of GDPR-related materials, we hope they’ll prove useful in your case.
If you want to expand your knowledge about GDPR in banking and other sectors, we’ve prepared some very informative resources that may prove useful in your case:
– a whole section on our blog dedicated to this subject
– a couple of informative eBooks named: 12 Simple Steps to Make Your Analytics Efficient and GDPR Compliant & Avoid Privacy Risk and Prepare for GDPR
– a series of webinars titled Web analytics vs. GDPR – you can download it here.
However, in this blog post we want to focus on just one very important aspect of GDPR compliance: ensuring that technology partners process your users’ data in compliance with the provisions of the new law. This rule applies particularly to MartTech and AdTech tools. After all, although data processing associated with performing a service and fulfilling the provisions of a contract doesn’t require users’ consent, collecting personal data for marketing purposes must be approved by the user.
We will discuss this using the example of web analytics, as we take pride in our expertise in this matter. Also, we certainly know how we’re going to address the upcoming GDPR requirements with our products.
So, without further ado, let’s proceed to our main subject.
Below is a list of issues to address when evaluating your web analytics vendor as concerns GDPR compliance. We’ve also prepared examples of solutions for each of them that will adhere to the GDPR guidelines:
How will your web analytics vendor collect data subject consents?
One of the many changes introduced by GDPR is that you must first ask users for their permission to process personal data. As the legislation says:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data […]. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct […]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
It goes without saying that your web analytics vendor should provide you with a way to collect consents in the way the text of the regulation describes – this means that all the collected consents should be given in an affirmative act, undertaken in an unambiguous and informed manner.
Also, remember that you’ll need separate consent for every use of personal data. For example:
- one for content personalization activities, and another for performing web analysis
- one for using first-party cookies, and another for third-party cookies.
As you can clearly see, the issue is quite complex, so it’s really important that your web analytics vendor has a plan to tackle it.
Get this job done:
The text of the regulation doesn’t give specific instructions for acquiring permission to process personal data. However, GDPR clarifies that “affirmative actions” indicating consent may include:
- choosing technical settings for information society services,
- ticking a box on a website, or
- another statement or conduct clarifying the indication of consent.
We think that the best way to address this issue is by using a pop-up displayed when the user visits your website for the first time. Here’s an example of what an ideal pop-up containing all the necessary information could look like the box proposed by PageFair:
What makes it GDPR-compliant is that it:
- lists every purpose for which personal data will be used
- requires an action on the user’s end (after all, they have to click the box if they want to consent)
- links to particular parts of your Privacy Policy, where the user can read more about how their data will be used and further processed.
Once you’ve got all that, you can rest assured that every consent acquired from your user is freely given, specific, informed, and unambiguous – just like the GDPR requires.
However, remember that giving consent is only one of the potential scenarios. There’s also a chance users will refuse to consent to data processing, or won’t give you any answer at all. In the latter case, you can still try to convince them to give consent.
One way you can do it is by displaying a top bar notification reminding them of your request. It could look like this:
Revoking and reviewing consents
You should also remember that even after you’ve obtained valid consent, your visitors should be provided with an easy way to change their mind.
Article 8.2 of the new rules puts it like this:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Get this job done
Your web analytics vendor could provide you with a widget to be installed on your Privacy Policy page. It would link to your main page to give users easy access. The widget would let them see the current status of their consents and modify or revoke them any time they want.
However, it’s possible that your users will reach out to you in different ways – for instance, via e-mail, contact forms, or even standard mail. For these cases you need to have a generic link (provided by your web analytics vendor) that we can send to them so they can opt out of data processing or review their consent.
Processing and storing consents
What’s more, your web analytics vendor should store information about opt-in and opt-out given, along with a timestamp and user identifier (to help you identify the user in case they submit a data subject request).
This is crucial, because under GDPR user consents expire after 6 months. After that, you’re required to ask for them once again. Also, if a user has opted out from being tracked, after 6 months you’re allowed to repeat your request.
Every consent and opt-out performed by your users should be stored in one place and presented in a clear form. That way, you’ll be able to easily manage your users’ consents database and present them to the authorities during audits.
Are you the sole owner of your data?
It’s important that your web analytics vendor gives you 100% control over your data. That way, you’ll make sure that your users’ personal data is never shared with or used by a third party.
Although the text of the regulation itself doesn’t disallow you from giving out users’ data to your business or technology partners, it orders you to ask for their consent first. And all that can make your pop-up consent request enormously long and discouraging.
What’s more, it means you get yet another partner whose compliance you’ll need to examine. Afterall, it’s one more entity sharing your responsibilities for properly handling user and introducing new security concerns.
Get this job done
Unfortunately, most SaaS-based web analytics vendors usually claim the rights to the data you collect. They often use it to further develop their own products and services, and at the same time mean you’re not compliant with GDPR.
However, there’s no reason for despair, as there are other options for you to choose from. For instance, you can use private cloud data storage, or even move all the data onto your own premises. That way you’ll be able to implement further data privacy measures and take some of the data processor responsibilities at your end.
If you want to read more on the advantages and disadvantages of both cloud and on-premises web analytics for banking and other data-sensitive sectors, check out these blog posts:
– How To Tell If You Have Secure Cloud Analytics,
– 5 Things to Consider Before You Set Your Mind on a Self-Hosted Web Analytics Platform
How will they process data subject requests?
GDPR introduces six data subject rights with enormous consequences for every party involved in dealing with personal data:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (also known as the right to be forgotten) (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
As a data controller you’re obliged to ensure that data subjects can exercise their rights (here’s an informative infographic about it: Data Subject Rights – What You Need to Know).
Under GDPR, you’ll have 30 days to process every request of a data subject. It is hard to predict how often users will exercise their rights. However, it is important for your web analytics vendor to develop some sort of standardized procedure for handling requests by a data subject. Otherwise, you may not be able to keep up with the queries. This would expose you to fines for not performing your duties.
Get this job done
Data subject requests can be divided in two groups based on the method of processing:
Request to access and correct data
Such requests are based on the rights to access and correct data, and the right to data portability.
In order to complete such requests, your web analytics vendor must meet certain technical requirements. Your users’ data should be stored in a way that ensures full accessibility and portability. This will let your visitors easily obtain, move, rectify and transmit all the relevant information collected by your marketing tools (in this case: web analytics). GDPR does not specify the form in which data should be provided. However, it seems that a .csv file can be considered a bare minimum.
You may not be able to process data subject requests if your web analytics vendor samples your data. Not sure what we mean? Then you definitely should read this blog post: What is Data Sampling and Why Should You Avoid It?
Request to erase (aka ‘right to be forgotten’)
For these types of requests, the biggest challenge is to remove the user data from backups. Unfortunately, this type of data is usually stored in a compressed form, so restoring it can be an extremely time-consuming and resource-intensive procedure.
Nevertheless, users have the right to request the removal of all data about them, and your web analytics vendor must be ready to provide a way to complete this task. You should definitely learn how your technology partner intends to address this problem.
Remember to establish a reliable workflow for processing data subject requests!
You should also take care to set up a reliable procedure for handling data subject requests. This way you ensure that all user queries will be resolved timely and every party is aware of their responsibilities during the process. The kinds of things you should detail there include:
a) How you’re going to confirm a user’s identity
For instance, you may ask them to confirm their e-mail, phone number, or first and last name.
b) Where the data subject should place their requests
Your web analytics vendor could, for instance, extend the opt-out page (the one where your visitors review and revoke their consents for data processing) and add there a form where your users could submit these requests.
c) A reliable timeframe for processing data subject requests
As the text of GDPR specifies, data subject requests should be handled within 30 days. Exceeding this deadline may result in fines from the authorities. That’s why it’s important for both parties to be aware of when they should deliver certain information in order to meet the deadline.
d) Where will records of data subject requests be stored?
Keep in mind that your web analytics vendor should store information on every data subject request along with a timestamp, user identifier, and status of the request. It’s almost certain that the authorities will examine these records during audits.
Can they help you minimize the collection of your data?
Paragraph 1 (c) of Article 5 of GDPR highlights that “personal data shall be adequate, relevant and limited in what is necessary in relation to the purposes for which they are processed”.
This might sound ambiguous. However, we believe that the best way to go about this is to cultivate data minimization. Not sure what we mean? The term applies to the practice of limiting the collection of personal data to cases where it’s directly relevant and necessary to accomplish a specified purpose.
Get this job done
There are many ways to limit the amount of processed data. Here are some examples of solutions that may be useful in this case:
Cookie-free tracking and masking IP addresses
This is not explicitly required by GDPR, but it decreases the amount of personal data tracked by your web analytics instance. This will let you collect valuable information about your users without increasing your personal data collection. Sounds pretty useful, right?
List detailing all the data being collected
This way you can prove the transparency of data processing, as well as limit the amount of data collected to the absolute minimum. This list should be included in the privacy policy on your site, so that visitors can review it and decide whether they want to reveal this kind of information to you.
A piece of advice
If you’re interested in limiting data amounts, a tag management system (TMS) may also prove useful. This tool will allow you to pre-define what particular kinds of data you’ll gather with your web analytics solution. However, it’s extremely important to find a TMS that will not jeopardize the privacy of personal data you want to collect. That’s why you should definitely look for a privacy-friendly tool (like the on-premises version of Piwik PRO Tag Manager—if you want to read more about it, we encourage you to visit this page).
There are certainly more ways ways to limit the amount of data collected by your web analytics platform. However, it’s important that your vendor presents a convincing plan for adapting their technology to this GDPR requirement.
Do they provide you with safe data storage, ideally located within EU?
Storing data within the EU is not an explicit requirement of GDPR. The regulation states that transfer of personal data is lawful, as long as an adequate level of security is guaranteed. However, keeping data in the EU can be considered a good practice and is highly advisable. It’s also a good idea because the Privacy Shield often shifts shapes and introduces very questionable changes. There are legitimate concerns that at some point it will no longer protect the interests of European citizens in a satisfactory manner.
Update: As of July 16th 2020, Privacy Shield is no longer a valid legal framework for transferring data from the EU and Switzerland to the US. The situation is evolving fast, though. Here we’ve written about the decision and will provide updates when anything changes. And here we’ve written about how such limitations affect users of Google Analytics.
Do they provide you with safe data storage, ideally located within EU?
Storing data within the EU is not an explicit requirement of GDPR. The regulation states that transfer of personal data is lawful, as long as an adequate level of security is guaranteed. However, keeping data in the EU can be considered a good practice and is highly advisable. It’s also a good idea because the Privacy Shield often shifts shapes and introduces very questionable changes. There are legitimate concerns that at some point it will no longer protect the interests of European citizens in a satisfactory manner.
Get this job done
There are two ways you can address this issue:
- Taking advantage of private cloud servers located somewhere within EU (ideally in Germany, as their national law forbids you to store the data of German citizens outside the country)
- Deploying a web analytics instance on your own servers located in EU
This will allow you to collect and evaluate your website traffic without any interruption, nor the threat of potential fines or prosecutions. However, it also narrows down the list of web analytics vendors able to meet your demands.
Data Processing Agreements are key
As you can see, the list of requirements for web analytics vendors is really long and complex. So it’s possible they won’t be able to fulfill all of them. You’ll need to be sure you have a provider whose services are in line with GDPR guidelines.
But if your web analytics vendor presents you with a reliable plan for handling obligations imposed by GDPR, that’s great news.
However, there’s also one other thing you need to take care of before considering your quest ended. You need to establish a reliable chain of responsibility between you and your technology provider, and include it in Data Processing Agreements (DPAs). That way, you’re on the same page as your technology provider and you both know what’s expected of you under the new laws. This type of contract is also required by the GDPR itself, and will certainly be evaluated by the authorities during any audit.
FREE Guide: Avoid Privacy Risks and Prepare for GDPR
Learn how GDPR will change web analytics and data collection practices:
download FREE guideGDPR in banking – some conclusions
2018 will certainly bring many changes and challenges for the banking sector. The very beginning of the sees the new PSD2 payment regulation come into force. The months after that will bring new requirements for personal data processing under GDPR and ePrivacy (the current state of this legislation is discussed in our recent blog post). It will certainly be a time of hard work for everyone involved in the preparation process.
However, we believe that meeting the new requirements will certainly pay off. The new rules will help build relationships with customers based on greater trust and transparency.
We also trust that this blog post has given you a decent overview of what your technology partners should do to help you with the task. And if it turns out that your present vendor is not able to meet the requirements imposed by the new regulations, keep Piwik PRO in mind. We’ll be happy to show you how we can help you fulfill the requirements of GDPR in banking.
