Google Analytics is not alone
It's safe to assume that any nation within the EU would come to the same conclusion about the use of Google Analytics. Even though only Denmark and Austria have made formal announcements on the matter, all EU countries share the same procedure when it comes to judging data compliance cases.
What’s more, Google Analytics is not the only tool you should worry about.
While data protection agencies across Europe are hyper-focused on Google Analytics as a culprit, there are many more tools that would suffer the same fate.
Any data processor based outside the EU is problematic when it comes to GDPR compliance. This goes for your analytics tool, your e-mail marketing system, your Customer Data Platform, or any other tool that stores data.
Look through your tech stack and evaluate the tools that are based in third countries (most commonly the US). Even if your own organization is located in the EU, any data transferred to the US automatically follows US data protection rules – and overrules the GDPR.
Take your precautions – choose a European provider
Many organizations are already considering a full shift to European systems – and with good reason. In short, if you use a data processor based in a non-EU country, it’s more complicated for you to stay compliant.
While GDPR doesn’t prevent you from choosing a data processor from any location you want, it is your responsibility to ensure that data transfers happen in full accordance with European data protection regulations. If a legal data transfer mechanism doesn’t exist, then it is up to you to make sure other steps are taken to protect the data.
If you choose a data processor based in the EU, you can feel safe knowing that no data will be transferred to third countries in a way that undermines the GDPR.
Look for a data processor with an ISAE 3000 certificate. This is a yearly audit to ensure that the organization lives up to the standard for ethical behavior, quality management, and performance. It is your guarantee that your data is being handled correctly and responsibly – and in 100% compliance with the GDPR.
What’s the rush?
The Danish Data Protection Agency has set no firm deadline for when organizations need to fix the Google Analytics issue. But there is no reason to wait. The same goes for any other tool whose use may not be compliant.
The immense focus on GDPR is unlikely to fade, and that means it’s only a matter of time before other systems are deemed non-compliant. Take this opportunity to future-proof not only Google Analytics but any tool that may become problematic in the future.
Do you want to discuss how your organization can get the most out of your data – correctly, responsibly, and with the highest level of data security?
Please contact Anders Spicker at firstname.lastname@example.org or at +45 53 67 57 55.
- Google Analytics is not GDPR compliant without taking necessary data privacy measures
- Look through your tech stack (e-mail marketing systems, CDP, etc.) and make sure any tools based outside the EU have legal data transfer mechanisms in place – or find another provider
- Choose an EU-based provider to make sure no data is transferred to third countries in a way that undermines the GDPR
- Look for the ISAE 3000 certificate when choosing a provider. This is your guarantee that data is being handled correctly and responsibly