
How to Classify Risk of Web-Analytics Data and Assign Responsibilities in Your Organization

Published March 22, 2016 · Updated February 5, 2018

Data is the new oil, to steal the legendary Ann Winblad’s quote. Treated as an economic asset, it can be, and indeed is, monetized, and while we’re observing a heated debate around data ownership, the practice of sharing information with third parties is also becoming common. As information ecosystems get more complex and you need to implement a proper risk-classification system, how can you be sure your company is fulfilling all of its data-related obligations? What methods can help you assign such responsibilities?

Sharing information has become a daily practice for many companies relying on external resources for data collection, processing, or analysis. Third-party agents either help enrich that data or are an essential part of a property transfer; in the latter case, they become co-owners of the data. As we explain in our whitepaper, businesses acquire data through a trust relationship with subjects who, in exchange, expect responsible usage. Thus, it is correct to say that the real price for information disclosed to companies is a set of responsibilities they have to incorporate into their data-management processes.

The scope of obligations for companies will depend upon the type of data they collect, process, and share. Such liabilities then influence which departments should get involved over the course of the data-risk assessment. A popular example of a responsibility-assignment method comes in the RACI model, which stands for Responsible, Accountable, Consulted, and Informed:

[Figure: risk classification]

Another method useful in certain contexts, especially for the privacy aspects of data uses, is the Privacy Impact Assessment (PIA). It typically consists of workflow-based questionnaires used by companies to identify and contain risks from the beginning. However, it’s important to mention that PIA efficiency can be under threat when terms and conditions of digital tools change or relevant legal frameworks lose validity; recall the Safe Harbor renouncement in autumn 2015. This implies a responsibility to monitor the contractual side of digital tools, an obligation that usually resides between procurement and legal counsel.

Fluid privacy regulations, changing terms and conditions, excessive power of counsel, and misunderstanding of legislation may indeed cause some companies to come to an analytical halt. On the other hand, certain organizations are also playing with fire by ignoring legal warnings, mainly in the mobile arena.

Therefore, assuming analytics and other elements of your digital setup should be seen as fluid, responsibility could be divided into three main areas linking to the RACI model we mentioned above. Relating this to the customer relationship, data-risk classification could be seen as follows:

[Figure: risk classification]

Or in other words, the above classification looks something like:

  1. Green: An individual comes to a digital property and leaves a data trail.
  2. Orange: A company wants to take a look at which individuals come back and what their technical environment is like; e.g. using cookies.
  3. Red: A company wants to stitch digital touch-points together — one view of the customer, where the individual is recognized through probabilistic data-matching techniques and/or data is swapped with another legal entity for cookie-syncing, for example.

Expert’s Advice: Aurélie Pols, Mind Your Privacy

“The trick is to understand when Green, Orange, and Red protocols are best applied to optimize data-privacy management. Remember, context remains of essence to assure privacy rights are respected.”

For a full discussion of risk classification according to the above color codes, please read our latest whitepaper.


Ewa Bałazińska
