Web Analytics and Privacy
1. Web Analytics and Privacy
How to Mitigate Data Risks in the Age
of Evolving Privacy Legislation
2. Web Analytics and Privacy
Data is now so ubiquitous that it
borders on pervasive, and an
acute tension is building between
technological capabilities and
ethical uses of data.
3. Web Analytics and Privacy
If your business is a data
processor, you need to follow
strict privacy laws in order to
avoid fines and protect your
stakeholders.
4. Web Analytics and Privacy
Here we will focus specifically
on privacy for web analytics:
• Evolving Privacy Legislation
• Personal Data vs. Personally Identifiable
Information (PII)
• Risk Classification of Web-Analytics and
Related Processes
7. Web Analytics and Privacy
As data flows are rarely limited
to a single country, the
objective becomes to build
flexible and sustainable
analytics setups that cover all
regions.
Evolving Privacy Legislation
8. Web Analytics and Privacy
Legislative misalignments can expose
you to serious monetary penalties:
• Fines are typically capped at 500k € in certain
countries of the EU.
• The upcoming General Data Protection Regulation
(GDPR) is expected to allow fines of up to
2% to 5% of an organization’s global turnover.
• US class action suits can expose you to the loss of
much larger amounts.
9. Web Analytics and Privacy
Note that GDPR is the
strictest privacy law that has
ever been introduced. It will
have a significant impact on
all businesses dealing with
customers within the
European Union.
10. Web Analytics and Privacy
GDPR will come into force
within two years. What are
the core issues regarding
Web Analytics?
11. Web Analytics and Privacy
Profiling is defined as any form of automated processing of
personal data to predict aspects concerning performance at
work, economic situation, reliability, behaviour, movements
and others.
• GDPR concerns all companies processing personal data about EU
residents.
• The profiling process must be automated.
• The purpose of the profiling must be to evaluate personal aspects of a
natural person.
• One cannot use an individual’s PII for profiling purposes unless such
profiling is in the public interest.
• Explicit consent is necessary as a new legal basis for data processing.
• Data subjects must be informed about any profiling activities.
12. Web Analytics and Privacy
Where should you start to
make sure your organization is
compliant with the new law?
13. Web Analytics and Privacy
Guidelines on the Protection
of Privacy and Transborder
Flows of Personal Data by the
OECD have become an
internationally accepted set of
rules for processing personal
information. They will work
just fine as a starting point.
14. Web Analytics and Privacy
OECD privacy principles:
1. Collection Limitation: Data collection should occur only with the knowledge and consent of the
concerned individual (data subject).
2. Data Quality: One should only collect information which is accurate and relevant to a particular
aim.
3. Individual Participation: The concerned individual should know if their information has been
collected and must be able to access it if such data exists.
4. Purpose Specification: The intended use for a particular piece of information must be known at
the time of collection.
5. Use Limitation: Collected data must not be used for purposes other than those specified at the
time of collection.
6. Security Safeguards: Reasonable measures must be taken to protect personal information from
unauthorized use, destruction, modification, or disclosure.
7. Openness: Individuals should be able to avail themselves of data collection and be able to
contact the entity collecting this information.
8. Accountability: The data collector should be held accountable for failing to abide by any of the
above rules. A dedicated person must be appointed.
15. Web Analytics and Privacy
Remember that these outlined
principles are acceptable as
the core of your web-analytics
privacy practices, but in many
cases they may not be enough.
16. Web Analytics and Privacy
Personal Data vs. Personally Identifiable
Information (PII)
17. Web Analytics and Privacy
Knowing the legal red lines related to data
types is crucial for minimizing the risk of
breaches or violations.
PII is a US-based concept, while Europe refers to
Personal Data.
18. Web Analytics and Privacy
PII data can be linked to a
particular individual, whereas
Personal Data can relate to
someone without
identification.
19. Web Analytics and Privacy
E-mail address, name or phone
number constitute PII, and the
use of this data to capture an
individual’s behaviour may be
considered an abuse under
privacy regulations.
20. Web Analytics and Privacy
Aurélie Pols
Taking into consideration the broad and vague definition of
sensitive data, as enshrined in the European regulations, it is more
practical to set up processes to detect PII following the US-based
legislation. The recommended practice is therefore to use the US
PII lists as a starting point to define escalation procedures and
supplement such lists with context-related European practices.
Mind Your Privacy
21. Web Analytics and Privacy
Risk Classification of Web-Analytics and
Related Processes
22. Web Analytics and Privacy
How can you be sure your
company is fulfilling all of its
data-related obligations?
What methods can help you
assign such responsibilities?
23. Web Analytics and Privacy
The scope of obligations for
companies will depend upon
the type of data they collect,
process, and share.
24. Web Analytics and Privacy
One popular example of a responsibility-assignment method
is the RACI model, which stands for Responsible,
Accountable, Consulted, and Informed:
• Responsible: Who is/will be doing this task?
Who is assigned to work on this task?
• Accountable: Whose head will roll if this goes wrong?
Who has authority to make a decision?
• Consulted: Who can tell me more about this task?
Are any stakeholders already identified?
• Informed: Whose work depends on this task?
Who has to be kept updated about the progress?
25. Web Analytics and Privacy
Another method useful in certain contexts,
particularly the privacy aspects of data uses, is
the Privacy Impact Assessment (PIA). It typically
consists of workflow-based questionnaires used
by companies to identify and contain risks from
the beginning.
26. Web Analytics and Privacy
Fluid privacy regulations, changing terms and
conditions, excessive authority of legal counsel,
and misunderstanding of legislation may indeed
cause some companies to come to an analytical
halt.
27. Web Analytics and Privacy
Taking that into account, responsibility could be
divided into three main areas associated with
the RACI model we mentioned above. When
relating this to the customer relationship, data-risk
classification could be seen as follows...
28. Web Analytics and Privacy
Classification, with its description and allocation:
• Green
Description: Carry on, no issues here.
Allocation: Full responsibility stays within analytics, no
further consultations needed.
• Orange
Description: Bring in an outside counsel to be on
the safe side.
Allocation: Analytics remain responsible; consult with
privacy.
• Red
Description: This is cutting edge, involves
personal data and/or sensitive
information and/or separate legal
entities.
Allocation: Privacy is informed and signs off or
suggests risk-mitigation solutions (saying
NO is not an answer, as next time they
won’t be informed).
29. Web Analytics and Privacy
Or in other words, the above classification
looks something like:
• Green: An individual comes to a digital property and
leaves a data trail.
• Orange: A company wants to take a look at which
individuals come back and what their technical
environment is like; e.g. using cookies.
• Red: A company wants to stitch digital touch-points
together.
30. Web Analytics and Privacy
Aurélie Pols
The trick is to understand when Green, Orange, and
Red protocols are best applied to optimize data-privacy
management. Remember, context remains of essence
to assure privacy rights are respected.
Mind Your Privacy
31. Web Analytics and Privacy
If you want to learn more
about mitigating data risks,
read our free whitepaper
written by renowned
European privacy expert
Aurélie Pols: