Category : GDPR
Do you need to process customer data in-house to be truly data secure?
Many brands with large customer bases are facing a similar question when it comes to storing data—is it time to bring all data processing in-house? Whether this is prompted by a data security audit, a data breach, or a desire to be more agile with data analysis, it's an important question that thankfully doesn't have a complicated answer. In this article, I’ll explore whether you should outsource or insource customer data processing for your brand. Quick side note—for Littledata’s direct-to-consumer (DTC) brands, customer data is usually first-party data captured as part of the ecommerce checkout process, including post-purchase interactions with the customers and web browsing information such as IP addresses. Why you need first-party data to be secure First-party customer data is data the customer shares with you directly through the server connecting them to your website. By its very nature, first-party data is created by a contract—and more importantly, a bond of trust—between your brand and the end customer. Accidentally leaking that data is brand-damaging: 46% of organizations surveyed by Forbes suffered reputational damage after a data breach. In addition, GDPR and similar regulations impose large fines (up to 4% of global revenue) for data breaches—specifically, lax processes leading to a data breach. You might also be concerned about commercial espionage—how valuable could your customer purchase history be in the hands of a competitor or a fraudster? Or maybe your company has been burned by third-party data processors in the past whose security standards did not meet your own. Taking these concerns together, you may be thinking the only way to be truly data secure is to process and store first-party customer data on your own infrastructure. But there are downsides to this. Do you want to own your own data infrastructure? By data infrastructure, I don’t mean owning bare-metal servers that sit in the broom cupboard behind your office. I’ll assume you are comfortable with the concept of hosting data in a public or private cloud environment. However, even maintaining that cloud computing infrastructure brings costs and risks. Your company will be responsible for software patches, updates to use the latest API versions, monitoring for suspicious activity, and handling outages. Data engineering is complex, and great data engineers are in short supply. So, I suggest you are better off licensing a secure data pipeline than building it all yourself. Does your company control the data end-to-end? Frankly, processing company data in-house may be missing the point if you do not control the data processing end-to-end. Many of Littledata’s customers have made a deliberate choice by working with Shopify or BigCommerce to leave purchase and transaction processing to a cloud provider—signing data processing agreements (see DPAs for Shopify and BigCommerce) to store customer data on US cloud servers. Many brands also make a choice to share customer data with Google (pseudo-anonymized) or with Facebook (not anonymized) to improve their customer acquisition and Return on Advertising Spend (ROAS). In effect, these brands are outsourcing the data processing that happens between the ecommerce cloud and the marketing cloud to Littledata. Trying to do this processing in-house makes little sense when the start and end of the data processing chain are third parties. Does EU customer data need to stay in the EU to be secure? You may have read about regional courts in France and Austria ruling against sending EU customer data to Google Analytics—or indeed sending data to any US server. I think these rulings are extreme and will eventually be struck down. There is no practical or legal reason why data processing on servers within the EU is somehow more GDPR compliant than hosting on the cloud in the US. That said, data nationalism as a trend is here to stay, so there may be a future need to keep EU data siloed. All cloud computing networks have EU servers, and tools like Segment make it possible to split EU customer data processing onto EU servers. The limitation is that right now, none of our other partners (especially Shopify, Google, and Facebook) have the same ability to process in the EU. This makes regionalizing only one part of the data processing chain pointless. Is outsourced data GDPR compliant? Yes, you can subcontract data processing to a third party. But to be GDPR compliant, your data processors need to enable the right to rectification, the right to erasure, and the right to restrict processing. All the main partners that Littledata works with (Shopify, Google Analytics, Facebook Ads, etc.) have API endpoints by which your customer can request their data to be updated or erased, and this request can be passed on to the downstream processors. If the customer requests to restrict processing (e.g. opting out of advertising retargeting using a cookie consent banner) your company needs to also pass along that choice to the downstream processors. Littledata’s tracking script makes that easy to do via integration with Shopify’s consent management, and plugins for OneTrust and TrustArc. Can you control outsourced data processing? Yes. Doing so is just a matter of working with a processing partner that a) is transparent on how they process the data, b) follows good practices in data security, and c) provides Service Level Agreements (SLAs) for the processing. At Littledata, we are clear about how we process customer data (and exactly what data points are stored where), have a public data security policy, and provide tight processing SLAs for Plus customers. [tip]Learn more about how Littledata protects your data while giving you 100% accurate analytics by booking a demo with one of our experts.[/tip] Conclusion I believe you can outsource data processing and still be truly data secure. In fact, I believe trying to bring data fully in-house is costly and pointless for most cloud ecommerce brands. Pick trusted partners to ensure your customer data processing is both super reliable and super secure, and get on with scaling your business!
Build a website that your marketing and legal teams will both love
Is your Shopify cookie banner GDPR compliant?
How to stop Google Tag Manager being hacked
Google Analytics Data Retention policy - which reports does it limit?
From 25th May 2018 Google allowed you to automatically wipe user-level data from the reporting from before a cut-off date, to better comply with GDPR. We made the change for Littledata's account to wipe user-level data after 26 months, and this is what we found when reporting before February 2016. Reports you can still view before the user data removal Audience metrics Pageviews ✓ Sessions ✓ Users X Bounce rate ✓ Audience dimensions Demographics X OS / Browser X Location X User Type X Behaviour Pageviews ✓ Custom events X
How Littledata helps Shopify stores comply with GDPR
When the GDPR regulation comes into effect later this month, it will impact all websites trading with EU citizens. That means any ecommerce site with customers in Europe! Is your Shopify store ready to comply? We recently updated our Shopify app (since release 7.8) to help Shopify stores which use Google Analytics comply with GDPR. In addition to automatic fixes to help your store comply, we include recommendations for how to update your site content (such as Terms and Conditions), and how to deal with the new 'two year rule'. If you're running a Shopify store, the time to act is now. Automatic fixes with our Shopify app The first two steps are done automatically when you install our GDPR-ready Shopify app. If you're already using Littledata's Shopify app, these two fixes can be applied when you upgrade to our latest tracking script (version 3.2). Here's what they address. 1. Anonymise customer IP addresses The IP address of your website visitor is considered personal information under GDPR, and to remove any risk that this is sent to Google’s servers in the USA, our script scrambles the last few digits of the IP address. Google already promises not to store the IP address, so this step is an extra level of safety. This slightly reduces the accuracy of tracking which city your visitor came from -- but we believe that this is a small price to pay for ensuring anonymity. 2. Filter personal emails and ZIP/postcodes from pageviews Many sites accidentally send personal data in the page URLs or titles tracked by Google Analytics. For example, apps with their own checkout often send the user email as a URL parameter like ‘/firstname.lastname@example.org’. Our script now filters that personal data out at source, so the page path you’ll see in Google Analytics is ‘/url?email=REMOVED’. Additional manual steps There are two additional manual steps to ensure that Google Analytics for your Shopify store is GDPR-compliant. 3. Update your terms and conditions You need to update your website T&Cs to ensure users are aware of the Google Analytics Advertising Features that our Shopify app activates and Google uses to identify user demographics, such as gender and interests. We are not lawyers, but we suggest using something similar to these sentences to describe what data is collected, how you (and we) use the data, and how how users can opt out: Our site uses Google Analytics Advertising Features to deduce your gender, age group and interests based on other types of websites you have visited. We use this in aggregate to understand which demographics engage with areas of our website. You can opt out with Google's browser add-on. 4. Remove user-specific information after 2 years You should also change the data retention period for your Google Analytics web property, so that Google removes all user-specific information from their database after 2 years. To make this change, logging to your GA account and go to the Settings cog, and then Property > Tracking info > Data Retention. Use the 'data retention' drop-down menu to select to keep user data for 26 months, and mark 'reset on new activity' to ON. This means that after 26 months, if the user has not come back to your website, any user cookie will be deleted. We think this sensible to comply with the Right to Erasure without making any practical limits to your analysis. [subscribe] Right to Erasure feature coming soon! We're also working on a feature to help websites comply with the Right to Erasure or Right to be Forgotten. Here's a summary of that aspect of the regulation, from the summary of key changes at EUGDPR.org. Right to be Forgotten Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject's withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests. Littledata's Right to Erasure feature will ensure that when you delete a customer from your Shopify admin interface, any references to that customer are deleted from Google Analytics. This won’t affect aggregate reporting, such as number of web sessions or transactions. When do GDPR regulations take effect? The official enforcement date for General Data Protection Regulation (GDPR) is 25 May 2018. At that time any organisations in non-compliance may face heavy fines. In short, we recommend implementing the fixes above ASAP for your Shopify store. All you need is Google Analytics account and our Shopify app. And do check our blog regularly for updates. This is the best place to hear about new Littledata features relating to GDPR, as well as news and analysis about how the regulations affect different types of online businesses, including ecommerce websites, subscription businesses, and membership-based sites such as large charities and nonprofits. Looking for additional support? Contact us about GDPR consulting for analytics setup.
GDPR compliance for ecommerce businesses
Ecommerce companies typically store lots of personally identifiable information (PII), so how can you make compliance easier without compromising analysis? With the deadline for GDPR compliance looming, I wanted to expand on my previous article on GDPR and Google Analytics to focus on ecommerce. Firstly, who does this apply to? GDPR is European Union legislation that applies to any company trading in Europe: so if you sell online and deliver to European Union member countries, the regulations apply to you. It's essential that you understand how your online business is collecting and storing PII. Splitting PII from anonymous data points Your goal should be to maintain two separate data stores: one that contains customer details, from where you can look up what a specific customer bought, and one that contains anonymous data points, from where you can see performance and trends. The data store for the customer details will typically be your ecommerce back-end and/or CRM (see below). This will include name, email, address, purchase history, etc. It will link those with a customer number and orders numbers. If a customer wants the right of access all the relevant details should be in this store. We use Google Analytics as the anonymous data store (although you may have a different ecommerce analytics platform). There you can store data which only refers to the customer record. These are called pseudo-anonymous data points under GDPR: they are only identifiable to a customer if you can link the customer number or order number back to your ecommerce back-end. Pseudo-anonymous data points you can safely send to Google Analytics include: Order number / transaction ID Order value / transaction amount Tax & shipping Product names and quantities Customer number Hashed email address (possibly a more flexible to link back to the customer record) If a customer exercises their right to removal, removing them from the ecommerce back-end will be sufficient. You do not also have to remove them from your Google Analytics, since the order number and customer number now have nothing to refer to. You do still need due process to ensure access to Google Analytics is limited, as in extreme circumstances a combination of dimensions such as products, country / city and browser, could identify the customer. [subscribe] Isn’t it simpler to just have one store? Every extra data store you maintain increases the risk of data breaches and complexity of compliance – so why not just analyse a single customer data store? I can think of three reasons not to do so: Marketing agencies (and other third parties) need access to the ecommerce conversion data, but not the underlying customer data Removing a customer’s order history on request would impact your historic revenue and purchase volumes – not desirable Your CRM / ecommerce platform is not built for large scale analysis: it may lack the tools, speed and integrations needed to get meaningful insights Beware of accidental transfers There are a few danger areas where you may inadvertently be sending PII data to Google Analytics: Customer emails captured in a signup event A customised product name – e.g. ‘engraving for Edward Upton’ Address or name captured in a custom dimension Our PII audit check is a quick, free way to make sure that’s not happening. Multiple stores of customer details GDPR compliance becomes difficult when your customer record is fragmented across multiple data stores. For example, you may have product and order information in your ecommerce database, with further customer contact details in a CRM. The simplest advice is to set up automatic two-way integrations between the data stores, so updating the CRM updates the ecommerce platform and visa-versa. Removing customer records from one system should remove them from the other. If that’s not possible, then you need clear processes to update both systems when customer details change, so you can comply with the right to rectification. Conclusion GDPR compliance need not require changing analytics tools or databases, just a clear process for separating out personally identifiable information – and training for the staff involved in handing that data. I hope this brief overview has been helpful. For further advice on how your ecommerce systems comply, please contact us for a free consultation. Littledata has experience with every major analytics platform and a wide range of custom setups. However, as a number of global companies are concurrently prepping for compliance, we highly recommend that you get in touch sooner rather than later!
Is Google Analytics compliant with GDPR?
Subscribe to Littledata news
Insights from the experts in ecommerce analytics
Try the top-rated Google Analytics app for Shopify stores
Get a 30-day free trial of Littledata for Google Analytics or Segment