Data Protection

On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable in the European Union. The European Commission proposed the new law, and the European Parliament and the Council of the European Union jointly adopted it two years earlier, on 14 April 2016. The new regulation replaced the 1995 Data Protection Directive. Its main objective was to harmonise data protection laws across all EU member states, protect European citizens, and give them more control over their personal data, especially in the digital age.

GDPR has changed the way both private and public organisations handle data by introducing a set of strict rules and guidelines for the collection, processing and retention of personal data. Organisations are required to consider privacy when designing new systems and processes, document data processing activities and be able to demonstrate that all data is processed lawfully and transparently. Non-compliance can result in significant penalties. For serious breaches, the fine can be up to €20 million or 4% of annual global turnover. These violations include unlawful data processing, lack of a lawful basis for data transfers, or violations of data subjects’ rights.

The penalties are real and rigorously enforced. Total GDPR fines reached approximately €5.88 billion by January 2025. The record penalty to date is €1.2 billion, imposed on Meta in 2023 for inadequate security measures when transferring data of European users to the United States.

This highlights the critical importance of GDPR compliance for any organisation that processes personal data, regardless of its location.

Data Protection in Web Analytics

Under the GDPR, personal data is any information that allows a specific person to be identified. A first name and a surname alone will usually not be enough; add details such as an address or a workplace, and you may well have enough to identify an individual. The regulation's own definition, in Article 4(1), reads:

personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Web analytics tools collect a range of personal data as defined by the GDPR:

  • Online identifiers such as cookies and unique user IDs.
  • IP addresses.
  • Device and browser information.
  • Location data.
  • User behaviour data such as session duration, browsing history, and other user interactions.
  • Traffic source data.

Taken together, these data make it possible to identify an individual directly or indirectly. Their collection, processing, and storage are therefore subject to GDPR requirements.

Key Points to Consider for GDPR Compliance

Data Storage and Data Processing

  • Identify the types of personal data collected, the sources, and storage locations (e.g. internal servers, cloud services).
  • Establish data retention rules that state clearly how long each type of data will be stored.
  • Document data flows to understand how data is processed, transferred, and shared with third parties.
  • Determine and document the legal grounds for processing users’ data under Article 6 of the GDPR. For web analytics, the basis is usually Article 6(1)(a):

    the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  • You can only track users after they have given valid consent. Use a cookie consent banner that clearly explains data collection purposes (e.g. analytics, heatmaps) and allows users to opt in or out of each category separately.

Privacy Policy

Update your privacy policy to reflect web analytics activities. It should include:

  • The analytics tools used.
  • Types of data collected.
  • Purpose of data collection.
  • Legal basis for processing.
  • Data retention periods.
  • Data subject rights and opt-out instructions.
  • Links to third-party analytics providers’ privacy policies.

Anonymisation and Data Minimisation

  • Anonymise personal data whenever possible (e.g. enable IP anonymisation, suppress personal information input in session recordings and heatmaps).
  • Only collect data that is absolutely necessary for your purpose.
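The two technical measures above, a per-category consent gate (analytics and heatmaps only load after an opt-in) and IP anonymisation before logging, as an added example that is not code from the original article; the category names and the truncation rule (last IPv4 octet, last 80 bits of IPv6) are assumptions:

```javascript
// Added example, not code from the original article: a per-category consent
// gate for web analytics and an IP anonymiser. Category names are assumptions.

const CONSENT_CATEGORIES = ['analytics', 'heatmaps'];

// Record one decision. Consent is opt-in: a category absent from the state has
// no consent. Unknown categories are rejected so a banner bug cannot enable
// tracking that the banner never described to the user.
function recordConsent(state, category, granted) {
  if (!CONSENT_CATEGORIES.includes(category)) {
    throw new Error(`unknown consent category: ${category}`);
  }
  return { ...state, [category]: granted === true };
}

// Run a tracking action (e.g. injecting a vendor script) only with consent for
// its category. Returns whether it ran; without consent nothing is loaded.
function gated(state, category, action) {
  if (state[category] !== true) return false;
  action();
  return true;
}

// Expand a compressed IPv6 address into its eight hextets.
function expandIpv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const missing = 8 - h.length - t.length;
  if (missing < 0) throw new Error('invalid IPv6');
  return [...h, ...Array(missing).fill('0'), ...t];
}

// Anonymise an address before it is logged: zero the last IPv4 octet or the
// last 80 bits of IPv6, so the stored value no longer identifies one host.
function anonymiseIp(ip) {
  if (ip.includes(':')) {
    return expandIpv6(ip).map((x, i) => (i < 3 ? x : '0')).join(':');
  }
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('invalid IPv4');
  parts[3] = '0';
  return parts.join('.');
}
```

In a real page the `action` passed to `gated` would be the code that inserts the analytics or heatmap script tag, so no cookie is set and no request leaves the browser until the matching category has been accepted.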

Third-Party Processor Compliance

  • Identify all third-party services involved in data processing (e.g. analytics providers).
  • Ensure Data Processing Agreements (DPAs) are in place, specifying each party’s responsibilities and data protection measures.
  • Verify that third parties comply with GDPR requirements, especially if data is transferred outside the EU.

Organisational Measures

  • Issue written authorisations for employees involved in data processing.
  • Conduct regular training sessions to educate staff on data protection principles and practices.
  • Develop and document data breach notification and containment procedures to respond promptly to incidents.

Audits and Reviews

  • Perform regular audits of data processing activities, policies, and third-party agreements to ensure ongoing compliance.
  • Review policies and practices at least once a year.

Data Subject Rights

GDPR provides a number of rights for data subjects. These rights must be respected by all organisations:

  • The right to be informed.
  • The right of access.
  • The right to rectification.
  • The right to erasure.
  • The right to restrict processing.
  • The right to data portability.
  • The right to object.
  • Rights in relation to automated decision-making, including profiling.

Summary

Achieving GDPR compliance is an ongoing responsibility. When incorporating web analytics tools, organisations must collect only the data strictly necessary for their objectives, avoid excessive data collection, and apply anonymisation wherever possible. These measures need not reduce the effectiveness of your analytics, but they will help protect users' privacy and mitigate the risk of serious penalties.