Stay 100% GDPR compliant: Choose an EU-based data processor

Oct 13, 2022 | ,

Circle
Laura Bjerre Schwalbe

By Laura Bjerre Schwalbe

}

Reading Time: 2 minutes

It’s barely news at this point.

The Danish Data Protection Agency has ruled that the use of Google Analytics does not comply with the GDPR. At least not without taking necessary data protection measures.

This means that all Danish Google Analytics users should either:

  • Semi-anonymize their data using a proxy (server-side tracking)
  • Find a different analytics tool that is compliant

This problem caused quite a panic a few weeks ago, as thousands of organizations started their efforts to secure compliancy. After all, an estimated 8 out of 10 organizations use Google Analytics today.

But while this dilemma is solvable, it’s only a symptom of a larger issue.

Google Analytics is not alone

It's safe to assume that any nation within the EU would come to the same conclusion about the use of Google Analytics. Even though only Denmark and Austria have made formal announcements on the matter, all EU countries share the same procedure when it comes to judging data compliancy cases.

What’s more, Google Analytics is not the only tool you should worry about.

While data protection agencies across Europe are hyper-focused on Google Analytics as a culprit, there are many more tools that would suffer the same fate.

Any data processor based outside the EU is problematic when it comes to GDPR compliancy. This goes for your analytics tool, your e-mail marketing system, your Customer Data Platform, or any other tool that stores data.

Look through your tech-stack and evaluate the ones that are based in Third countries (most commonly the US). Even if your own organization is located in the EU, any data transferred to the US automatically follows US data protection rules – and overrules the GDPR.

Take your precautions – choose a European provider

Many organizations are already considering a full shift to European systems – and with good reason. In short, if you use a data processor based in a non-EU country, it’s more complicated for you to stay compliant.

While GDPR doesn’t prevent you from choosing a data processor from any location you want, it is your responsibility to ensure that data transfers happen in full accordance with European data protection regulations. If a legal data transfer mechanism doesn’t exist, then it is up to you to make sure other steps are taken to protect the data.

If you choose a data processor based in the EU, you can feel safe knowing that no data will be transferred to third countries in a way that undermines the GDPR.

Look for a data processor with an ISAE 3000 certificate. This is a yearly audit to ensure that the organization lives up to the standard for ethical behavior, quality management, and performance. It is your guarantee that your data is being handled correctly and responsibly – and in 100% compliancy with the GDPR.

Raptor Services is ISAE 3000 certified – read more about our data security measures here

What’s the rush?

The Danish Data Protection Agency has set no firm deadline for when organizations need to fix the Google Analytics issue. But there is no reason to wait. The same goes for any other tool that may not be compliant to use.

The immense focus on GDPR is unlikely to fade, and that means it’s only a matter of time before other systems are deemed non-compliant. Take this opportunity to future-proof not only Google Analytics but any tool that may become problematic in the future.

Do you want to discuss how your organization can get the most out of your data – correctly, responsibly, and with the highest level of data security?

Please contact Anders Spicker at asr@raptor.dk or at +45 53 67 57 55.

Key take-aways

  • Google Analytics is not GDPR compliant without taking necessary data privacy measures
  • Look through your tech-stack (e-mail marketing systems, CDP, etc.) and make sure any tools based outside the EU have legal data transfer mechanisms in place – or find another provider
  • Choose an EU-based provider to make sure no data is transferred to third countries in a way that undermines the GDPR
  • Look for the ISAE 3000 certificate when choosing a provider. This is your guarantee that data is being handled correctly and responsibly

Let us show you what you can achieve with premium personalization

Ellipse white
Post

A Raptor expert can share more about the product and answer any questions you have.