Web Analytics and Privacy



How to Mitigate Data Risks in the Age of Evolving Privacy Legislation?

Published in: Data & Analytics


  1. Web Analytics and Privacy: How to Mitigate Data Risks in the Age of Evolving Privacy Legislation
  2. The ubiquity of data is bordering on pervasive, so much that an acute tension is building between technological capabilities and ethical uses of data.
  3. If your business is a data processor, you need to follow strict privacy laws in order to avoid fines and protect your stakeholders.
  4. Here we will focus specifically on privacy for web analytics:
     • Evolving Privacy Legislation
     • Personal Data vs. Personally Identifiable Information (PII)
     • Risk Classification of Web-Analytics and Related Processes
  5. Evolving Privacy Legislation
  6. Download free PDF! You can read the full discussion of the issue in our comprehensive whitepaper, or get an overview by exploring this brief presentation.
  7. As data flows are rarely limited to a single country, the objective becomes to build flexible and sustainable analytics setups that cover all regions.
  8. Legislative misalignments can expose you to some serious monetary penalties:
     • Fines are typically capped at 500k € in certain countries of the EU
     • Upcoming General Data Protection Regulation (GDPR) is expected to allow fines up to as much as 2% to 5% of an organization’s global turnover
     • US class action suits can lead to exposure to loss of much larger amounts
  9. Note that GDPR is the strictest privacy law that has ever been introduced. It will have a significant impact on all businesses dealing with customers within the European Union.
  10. GDPR will come into force within two years. What are the core issues regarding Web Analytics?
  11. Profiling is defined as any form of automated processing of personal data to predict aspects concerning performance at work, economic situation, reliability, behaviour, movements and others.
      • GDPR concerns all companies processing personal data about EU residents.
      • The profiling process must be automated
      • The purpose of the profiling must be to evaluate personal aspects of a natural person
      • One cannot use an individual’s PII for profiling purposes unless such profiling is in the public interest
      • Explicit consent is necessary as a new legal basis for data processing
      • Data subjects must be informed about any profiling activities
  12. Where should you start to make sure your organization is compliant with the new law?
  13. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data by the OECD have become an internationally accepted set of rules for processing personal information. They will work just fine as a starting point.
  14. OECD privacy principles:
      1. Collection Limitation: Data collection should occur only with the knowledge and consent of the concerned individual (data subject).
      2. Data Quality: One should only collect information which is accurate and relevant to a particular aim.
      3. Individual Participation: The concerned individual should know if their information has been collected and must be able to access it if such data exists.
      4. Purpose Specification: The intended use for a particular piece of information must be known at the time of collection.
      5. Use Limitation: Collected data must not be used for purposes other than those specified at the time of collection.
      6. Security Safeguards: Reasonable measures must be taken to protect data from unauthorized use, destruction, modification, or disclosure of personal information.
      7. Openness: Individuals should be able to avail themselves of data collection and be able to contact the entity collecting this information.
      8. Accountability: The data collector should be held accountable for failing to abide by any of the above rules. A dedicated person must be appointed
  15. Remember that these outlined principles are acceptable as the core of your web-analytics privacy practices, but in many cases they may not be enough.
  16. Personal Data vs. Personally Identifiable Information (PII)
  17. Knowing the legal redline related to data types is crucial for minimizing the risk of breaches or violations. PII is a US-based concept, while Europe refers to Personal Data.
  18. PII data can be linked to a particular individual, whereas Personal Data can relate to someone without identification.
  19. E-mail address, name or phone number constitute PII, and the use of this data to capture an individual’s behaviour may be considered an abuse under privacy regulations.
  20. "Taking into consideration the broad and vague definition of sensitive data, as enshrined in the European regulations, it is more practical to set up processes to detect PII following the US-based legislation. The recommended practice is therefore to use the US PII lists as a starting point to define escalation procedures and supplement such lists with context-related European practices." (Aurélie Pols, Mind Your Privacy)
  21. Risk Classification of Web-Analytics and Related Processes
  22. How can you be sure your company is fulfilling all of its data-related obligations? What methods can help you assign such responsibilities?
  23. The scope of obligations for companies will depend upon the type of data they collect, process, and share.
  24. One popular example of a responsibility-assignment method is the RACI model, which stands for Responsible, Accountable, Consulted, and Informed.
      • Responsible: Who is/will be doing this task? Who is assigned to work on this task?
      • Accountable: Whose head will roll if this goes wrong? Who has authority to make a decision?
      • Consulted: Who can tell me more about this task? Are any stakeholders already identified?
      • Informed: Whose work depends on this task? Who has to be kept updated about the progress?
  25. Another method useful in certain contexts, particularly the privacy aspects of data uses, is the Privacy Impact Assessment (PIA). It typically consists of workflow-based questionnaires used by companies to identify and contain risks from the beginning.
  26. Fluid privacy regulations, changing terms and conditions, excessive authority of legal counsel, and misunderstanding of legislation may indeed cause some companies to come to an analytical halt.
  27. Taking that into account, responsibility could be divided into three main areas associated with the RACI model we mentioned above. When relating this to customer relationship, data-risk classification could be seen as follows...
  28. Data-risk classification:

      | Classification | Description | Allocation |
      |---|---|---|
      | Green | Carry-on, no issues here | Full responsibility stays within analytics, no further consultations needed |
      | Orange | Bring in an outside counsel to be on the safe side | Analytics remain responsible; consult with privacy |
      | Red | This is cutting edge, involves personal data and/or sensitive information and/or separate legal entities | Privacy is informed and signs off or suggests risk-mitigation solutions (saying NO is not an answer, as next time they won’t be informed) |
  29. Or in other words, the above classification looks something like:
      • Green: An individual comes to a digital property and leaves a data trail.
      • Orange: A company wants to take a look at which individuals come back and what their technical environment is like; e.g. using cookies.
      • Red: A company wants to stitch digital touch-points together.
  30. "The trick is to understand when Green, Orange, and Red protocols are best applied to optimize data-privacy management. Remember, context remains of essence to assure privacy rights are respected." (Aurélie Pols, Mind Your Privacy)
  31. Download! If you want to learn more about mitigating data risks, read our free whitepaper written by renowned European privacy expert Aurélie Pols.
  32. Thank You @piwikPRO /PiwikPro /piwik-pro