The General Data Protection Regulation will soon be in effect and will cover all EU citizens and residents and all organizations collecting data from them. And, as well you know, the GDPR will directly affect web analytics and digital marketing—it changes the way we understand certain processes and even certain terms. That’s why we prepared this clear and informative infographic. In it we’ll tell you how to safely collect and analyze data while respecting user rights (data subject rights in GDPR-speak) and guide you through the whole data processing flow.
Let’s get right to it!
When it comes to the data processing flow, we have three entities playing the GDPR game: data controllers (your company, which controls, reviews, and aggregates data about your customers), data processors (the company delivering the tools used to collect data), and data subjects (every person is considered a data subject). All three deal with personal data (any information relating to an identified or identifiable natural person).
There is a possibility for the line between data processor and data controller to become blurred, as it depends on the type of web analytics vendor. When you have an on-premises web analytics solution, the vendor can be excluded from the process altogether, as the data controller takes over all the responsibilities. But for the sake of our example, let’s assume that the data processor will be in a SaaS role, as is the case for Piwik PRO Cloud.
So how should all this work?
Respecting the GDPR while collecting and processing personal data requires you—the data controller—to think about all of the new regulations when planning to create new services. And one very important aspect you need to always consider is the scope of data you will be collecting.
So the first step, before you even ask data subjects for consent and start collecting data, is to define the scope and purpose of data collection. Later, you’ll also need to ensure your knowledge is accurate and up to date. This is important in case a supervisory authority demands that you present proof of compliance.
So if you already know what kind of data you want to collect and why, you can go ahead and start with your new service. Then as people are using it—visiting your websites, buying your products online, etc.—you need to ask them for data processing consent to start collecting their data.
How should you construct the consent request? Well, the GDPR has a number of guidelines and regulations for how you should build it. The request should:
- Be easy to understand, concise, and specific.
- Explain what data you are collecting, why you want it, and how long you will keep it.
- Include the name of your organization and any third parties.
- Remind data subjects that they can withdraw consent at any time.
- Be reviewed periodically.
It’s most important to remember this: You’ll probably have to change the way you ask for consent. Any pre-ticked boxes, opt-out boxes or default settings do not constitute a valid consent request! So be sure not to make a mistake here at the very beginning of the data collection process.
The new approach to the consent request comes from the expansion of data subject rights. If you want to learn everything you need to know about them, check out our infographic.
Now it’s time for the data subject to make a decision—they can give you consent, and both you and the data processor will receive details of this decision. Keep in mind, however, that it’s your responsibility to keep records of user consent.
So, after the data subject gives you their consent, a data processor such as Piwik PRO Cloud delivers results so you can analyze and use them for the purposes you previously specified in the consent request.
Of course, the data controller may want to use the data for some new purpose. Maybe they want to collect more information or store it longer. Or maybe a third party will now be involved in the data collection process. In any of those situations the data controller needs to redefine and update the consent request accordingly.
But that’s not all. Once the changes are performed, the message about the changed purpose of data collection must reach the data subjects. They have to review the new consent request and have the option to change their decision if they’d like to. The record of this decision needs to override the previous one.
So this is roughly how the process should look if everything is implemented as currently intended in the GDPR. But there’s another aspect of providing consent, which is a clear expansion of individual rights.
The data subject has the right to withdraw their consent at any time and it has to be as easy to withdraw as to give consent.
Never forget this, as your users have the right to change their mind at any point in time. You need to be able to react quickly and stop collecting and processing their data.
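As an added example (not code from this post or from Piwik PRO), here is a minimal controller-side consent ledger in Python that enforces the rules described above: no decision means no consent (no defaults or pre-ticked boxes), each decision overrides the previous one, a changed purpose produces a new request version that existing consent does not cover, and withdrawal immediately blocks collection. Class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRequest:
    """What the data subject is asked to agree to (assumed structure)."""
    version: int            # bumped whenever purpose, retention or parties change
    purposes: frozenset     # e.g. {"analytics"}; each purpose must be named
    retention_days: int     # how long the data is kept
    controller: str         # name of your organization
    third_parties: frozenset


@dataclass(frozen=True)
class ConsentRecord:
    request_version: int    # which version of the request was answered
    given: bool             # True only on an explicit, affirmative decision
    recorded_at: datetime


class ConsentLedger:
    """Controller-side record of consent; latest decision per subject wins."""

    def __init__(self, request: ConsentRequest):
        self.request = request
        self.records = {}   # subject_id -> current ConsentRecord
        self.history = []   # append-only trail, kept as proof of compliance

    def record_decision(self, subject_id: str, given: bool) -> None:
        rec = ConsentRecord(self.request.version, given, datetime.now(timezone.utc))
        self.records[subject_id] = rec   # overrides the previous decision
        self.history.append((subject_id, rec))

    def withdraw(self, subject_id: str) -> None:
        # Withdrawal is just another recorded decision, as easy as giving consent.
        self.record_decision(subject_id, False)

    def update_request(self, new_request: ConsentRequest) -> None:
        if new_request.version <= self.request.version:
            raise ValueError("a changed request needs a new, higher version")
        self.request = new_request

    def pending_reconsent(self) -> set:
        """Subjects whose consent predates the current request and must be asked again."""
        return {s for s, r in self.records.items()
                if r.given and r.request_version != self.request.version}

    def may_collect(self, subject_id: str, purpose: str) -> bool:
        rec = self.records.get(subject_id)
        if rec is None or not rec.given:          # silence is not consent
            return False
        if rec.request_version != self.request.version:
            return False                          # old consent does not cover the new request
        return purpose in self.request.purposes   # only for purposes actually named
```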
Find out how to safely collect and analyze data, respect data subject rights and adhere to the GDPR with our infographic.
Download The Infographic How to Collect and Process Data Under GDPR?
Please feel free to share this infographic on your site. If you do, we kindly ask that you attribute Piwik PRO with the embed code below:
<a href="https://piwik.pro/blog/infographic-process-data-under-gdpr/" rel="nofollow"> <img src="https://cdn.piwik.pro/wp-content/uploads/2017/08/22141441/01infograph_How-to-Collect-and-Process-Data-FINAL.png" alt="Piwik PRO Process Data Under GDPR" width='1334' height='7000' border='0' /> </a>
If you liked this post, I’m sure you’ll love our other infographic on GDPR. So be sure to check out this blog post and infographic:
GDPR Data Subject Rights – What You Need to Know