Making your Analytics Suite compliant with the GDPR and ePrivacy


Today, it is essential to properly configure your analytics solution to comply with the GDPR and the ePrivacy Directive, which together regulate the conditions under which personal data and trackers may be used on your various digital properties. If you fail to make your analytics solution compliant, you could face inspections by the authorities, restrictions on your data or even administrative and financial penalties. So, if you haven’t already done so, it’s time to get up to speed. Are you an AT Internet customer or about to become one? In this article, we present a step-by-step tutorial to guide you in making your Analytics Suite compliant. 

 

Important: if necessary, please do not hesitate to contact AT Internet’s support team, who will be able to help you with all your Privacy issues. 

 

How does the compliance of your Analytics Suite work?

This compliance process, which aims to help you choose a configuration that is as close as possible to your needs, whether business or legal (GDPR), takes place in 4 stages: 

  1. Signature of a Data Processing Agreement (DPA), gathering the obligations and responsibilities of your data processing 
  2. Configuration of the retention period for your analytics data 
  3. Setting up the opt-out on all your digital platforms 
  4. Customised choice of your consent management scenario 

 

Step 1: Sign a Data Processing Agreement (DPA) 

Firstly, AT Internet has each data controller sign a Data Processing Agreement (more commonly called a DPA). This is a personal data processing agreement, a central document that defines the obligations and responsibilities of each party. 

 

This formality complies with Article 28 of the GDPR, which states: 

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” 

 

What does the AT Internet DPA contain?

The DPA we submit to our customers contains information such as: 

  • the types and categories of data collected, as well as the data subjects 
  • the nature, purposes and duration of the processing, as well as the conditions of its lawfulness 
  • a contact point to discuss privacy, security and the GDPR 
  • the responsibilities between you and us 
  • the location of data storage 

 

Good to know: At AT Internet, we call an “organisation” a set of sites and users of our solution representing the functional structure of your company. If several of your legal entities are grouped together within the same “AT Internet organisation”, then the processing agreement applies to the entire organisation, since an organisation can only be covered by a single DPA. 

 

How do I apply for a DPA with AT Internet? 

Nothing could be easier. Send us an e-mail with the following subject and message: 

Subject: Request for DPA 

Message: Could you send us a DPA for my organisation? 

You can also contact our support department directly at: [email protected]

Once you have received the DPA, please send it to your legal department for validation and return it to us signed at [email protected] to start the compliance procedure. Of course, we will then return the document to you countersigned. 

Please note: within the framework of a digital analytics project carried out with us, you may have to work with other parties such as A/B testing tools, agencies, integrators, etc. For all of these parties, check whether the GDPR applies to any processing. If necessary, also set up a DPA with these companies. 

 

Step 2: Set up the retention period for your analytics data 

This step in the process of making your Analytics Suite compliant follows Article 5 of the GDPR, which states that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. 

In other words, you need to determine a retention period for your analytics data based on the purposes disclosed to the users of your various digital media. 

 

How do you define a limited retention period for your data? 

To comply with a limited retention period, you have two options: 

  • Contact us via the Support Centre, through your administrator (“Help” button at the bottom right) 
  • Send us your request on a headed document by email to [email protected] 

Important: If you have already signed a DPA, then the data retention period is already indicated within the document. 

 

Once configured, your personal data is automatically deleted on a sliding window of the length you define (e.g. 13, 25, 37 months or more), and this applies to all the sites of the same organisation. 

What is the impact on your data? 

With Analytics Suite, the deletion applies to all analytics data, which is considered personal data by default. Once the data deletion has been configured, no data older than the configured retention period (X months) will be accessible in Analytics Suite. 

Step 3: Set up the opt-out on all your digital platforms 

The opt-out is a means of objection and a fundamental right of the Internet user (see Article 21 of the GDPR), and it must be available on all your digital media (website, mobile application). It refers to a user’s choice not to be tracked and is reflected at AT Internet by anonymous data collection. 

At AT Internet we rely on properties and cookies dedicated to visitor identification and user identification. If you use our tags, you must also use our opt-out tagging methods. 

 

Good to know: the hits collected in opt-out mode are anonymised and used for the privacy analysis available in our Explorer tool. However, you can also prevent this by using a specific tag. 

 

See here for more information on how to configure the tags. 

Step 4: Choose your consent management scenario to suit your needs 

To manage consent on your digital platforms, there are several scenarios you can choose from: 

  • Opt-out by default 
  • No-consent by default 

Opt-out by default 

In this scenario, consent is requested. By default, visitors are excluded from general traffic, anonymised and only visible in the privacy analysis under the “opt-out” category. After consent (“opt-in”), all data can be transmitted. 

Visitor identification cookies are deposited on the first page of the visit with an “opt-out” value. Once consent is received, the cookie value changes to a unique value corresponding to the visitor’s identification. 

Find out more 

“No-consent” by default 

With this method, consent is also requested. Without consent, visitors are excluded from general traffic, anonymised and only visible in the privacy analysis under the “no-consent” category. 

Once consent is obtained, all data can be transmitted, and the cookie(s) are deposited with a unique value corresponding to the identification of the visitor. 

Learn more 
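The following is an added example, not AT Internet's own code: a small audit that checks a page's cookie string against the two consent scenarios described above, so a privacy or QA team can verify that no identifying value is written before consent. The cookie name is a placeholder (the page does not give the real cookie name), and it assumes that in the “no-consent” scenario no identification cookie is written before consent.

```javascript
// Added example, not AT Internet's own code: audit a cookie string against
// the two consent scenarios (opt-out by default, no-consent by default).
// Assumption: VISITOR_COOKIE is a placeholder; the page does not name the
// real identification cookie. Assumption: in the "no-consent" scenario no
// identification cookie exists before consent.
const VISITOR_COOKIE = "visitor_id_cookie"; // placeholder name
const OPT_OUT_VALUE = "opt-out";            // value named on the page

// Parse "name=value; name2=value2" into an object (first occurrence wins).
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name && !(name in out)) {
      out[name] = decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return out;
}

// Return a list of findings; an empty list means the cookie state matches
// what the chosen scenario promises for the given consent state.
// scenario: "opt-out" or "no-consent"; consented: boolean.
function auditConsentCookies(cookieString, scenario, consented) {
  if (scenario !== "opt-out" && scenario !== "no-consent") {
    throw new Error(`unknown scenario: ${scenario}`);
  }
  const value = parseCookies(cookieString)[VISITOR_COOKIE];
  const findings = [];
  if (consented) {
    // After opt-in the cookie must carry a unique visitor value.
    if (value === undefined) findings.push(`${VISITOR_COOKIE} missing after consent`);
    else if (value === OPT_OUT_VALUE) findings.push(`${VISITOR_COOKIE} still "${OPT_OUT_VALUE}" after consent`);
  } else if (scenario === "opt-out") {
    // Opt-out by default: cookie present on the first page with the "opt-out" value.
    if (value === undefined) findings.push(`${VISITOR_COOKIE} missing; expected "${OPT_OUT_VALUE}" before consent`);
    else if (value !== OPT_OUT_VALUE) findings.push(`${VISITOR_COOKIE}="${value}" identifies the visitor before consent`);
  } else if (value !== undefined) {
    // No-consent by default (assumed): no identification cookie before consent.
    findings.push(`${VISITOR_COOKIE}="${value}" written before consent`);
  }
  return findings;
}
```

Run it against `document.cookie` on the first page of a visit and again after the consent banner is accepted; any non-empty result is a configuration to fix before go-live.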

To find out about other methods of managing consent, see our documentation.
