Getting Ready for GDPR at Collective Idea
Making sure we're ready and compliant
GDPR by The Digital Artis is licensed under CC0 Creative Commons
Does this look familiar?
Yup, a little something called GDPR, or the General Data Protection Regulation, is responsible for all of those emails. GDPR is a new European Union law for data protection and privacy for everyone within the EU and the European Economic Area. If you want a good break down of it all, CNN Money actually has a great explanation.
Just because this is a European law, it doesn’t mean we’re not affected here in the United States. If there’s a chance that someone from the EU might navigate to your website and your website is capturing data on visitors, you could end up capturing data you’re not allowed to.
On May 25, 2018, everyone that does business with the EU or has marketing campaigns that may be seen by EU residents, needs to be compliant. As the Marketing Manager at Collective Idea, I’ve been charged with making sure we’re compliant in terms of the information we capture through Google Analytics. Both collectiveidea.com and deadmanssnitch.com have visitors from around the world, so I needed to do a few tweaks to Google Analytics to make sure we’re respecting people’s data.
Because analytics data is stored on Google servers, Google already went through and made a bunch of changes so that they’re compliant. However, since we use their service we’re still personally responsible for the data we track. The rest of this post will be a walk through a few changes I made on our Google Analytics account to make sure we’re compliant with GDPR as well.
User and event data retention
Upon logging into Google Analytics, I was met with a pop-up asking me about “User and event data retention”. This is one of the new tools Google has added so that the service it provides is GDPR compliant. The default is 26 months and I’m going to leave it there. If I ever need to change it, I can go to Admin>Tracking Info>Data Retention.
Next, I went under Admin>Tracking Info and then combed through that whole section, looking for PII data. PII data is short for Personally Identifiable Information. I had to make sure we weren’t sending names, emails, phone numbers etc in URLs with form submits or destination urls. Any values submitted need to be alpha-numeric only.
Google Tag Manager
Since we use Google Analytics with Google Tag Manager I then had to make sure we weren’t capturing or sending IP addressed out in the open with no protection around it. To do that, I looked at every tag in GTM that used GA and just anonymized the IP.
To do that, you’ll:
- Open the tag and click the pencil to edit
- Check the box where it says “ Enable overriding settings in this tag “
- Once you click that checkbox, you’ll see some new things populate, one of them being a drop down arrow next to the words “More Settings”. Click that.
- Under “More Settings” and go to “Fields to Set”
- Click “Add Field”
- Under “Field Name” type in anonymizeIp and under “Value” put true.
- Hit “Save”
I made a few other changes here and there, but these are the biggest and most simple ones to tackle from a marketing standpoint. In reality, GDPR doesn’t just affect marketing. It affects any area of your business that touches personal data. To make sure we touch all those areas, we have designated teams dispatched to make sure the work they do is compliant.
How have you gotten your business ready for GDPR? Are you ready? If you’re not, you can take solace in the fact that you’re not alone.