
Media (91)
-
Geodiversity
Updated: August 2018
Language: French
Type: Text
-
USGS Real-time Earthquakes
8 September 2011, by kent1
Updated: September 2011
Language: French
Type: Text
-
SWFUpload Process
6 September 2011, by bruno
Updated: September 2011
Language: French
Type: Text
-
The conservation of net art in museums. The strategies at work
26 May 2011
Updated: July 2013
Language: French
Type: Text
-
Podcasting Legal guide
16 May 2011, by kent1
Updated: May 2011
Language: English
Type: Text
-
Creativecommons informational flyer
16 May 2011, by kent1
Updated: July 2013
Language: English
Type: Text
Other articles (19)
-
Publishing on MediaSPIP
13 June 2013. Can I post content from an iPad tablet?
Yes, if your installed MediaSPIP is at version 0.2 or higher. If needed, contact your MediaSPIP administrator to find out. -
Use, discuss, criticize
13 April 2011, by kent1. Talk to people directly involved in MediaSPIP's development, or to people around you who could use MediaSPIP to share, enhance or develop their creative projects.
The bigger the community, the more MediaSPIP's potential will be explored and the faster the software will evolve.
A discussion list is available for all exchanges between users. -
Contributing to its documentation
10 April 2011. Documentation is one of the most important and most demanding tasks in building a technical tool.
Any outside contribution on this subject is essential: critiquing what already exists; helping to write articles aimed at users (MediaSPIP administrators or simply content producers) or at developers; creating explanatory screencasts; translating the documentation into a new language;
To do so, you can register on (...)
On other sites (3653)
-
Google Analytics 4 and GDPR : Everything You Need to Know
17 May 2022, by Erin. Four years have passed since the European General Data Protection Regulation (GDPR, also known as DSGVO in German and RGPD in French) took effect.
That's ample time to get compliant, especially for an organisation as big and innovative as Google. Or is it?
If you are wondering how GDPR affects Google Analytics 4 and what the compliance status is at present, here's the lowdown.
Is Google Analytics 4 GDPR Compliant?
No. As of mid-2022, Google Analytics 4 (GA4) isn't fully GDPR compliant. Despite adding extra privacy-focused features, GA4 still has a murky status with the European regulators. After the invalidation of the Privacy Shield framework in 2020, Google has yet to regulate EU-US data protection. At present, the company doesn't sufficiently protect EU citizens' and residents' data against US surveillance laws. This is a direct breach of GDPR.
Google Analytics and GDPR: a Complex Relationship
European regulators have scrutinised Google since GDPR came into effect in 2018.
While the company took steps to prepare for GDPR provisions, it didn't fully comply with important regulations around user data storage, transfer and security.
The relationship between Google and EU regulators got more heated after the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield — the framework Google relied on for EU-US data transfers. After 2020, GDPR litigation against Google followed.
This post summarises the main milestones in this story and explains the consequences for Google Analytics users.
2018: Google Analytics Meets GDPR
In 2018, the EU adopted the General Data Protection Regulation (GDPR) — a set of privacy and data security laws covering all member states. Every business interacting with EU citizens and/or residents had to comply.
GDPR harmonised data protection laws across member states and put down extra provisions for what constitutes sensitive personal information (or PII). Broadly, PII includes any data about a person's:
- Racial or ethnic origin
- Employment status
- Religious or political beliefs
- State of health
- Genetic or biometric data
- Financial records (such as payment method data)
- Address and phone numbers
Businesses were barred from collecting this information without explicit consent (and even with it in some cases). If collected, such sensitive information is also subject to strict requirements on how it should be stored, secured, transferred and used.
7 Main GDPR Principles Explained
Article 5 of the GDPR lays out seven main GDPR principles for personal data and privacy protection:
- Lawfulness, fairness and transparency — data must be obtained legally, collected with consent and in adherence to laws.
- Purpose limitation — all personal information must be collected for specified, explicit and legal purposes.
- Data minimisation — companies must collect only necessary and adequate data, aligned with the stated purpose.
- Accuracy — data accuracy must be ensured at all times. Companies must have mechanisms to erase or correct inaccurate data without delays.
- Storage limitation — data must be stored only for as long as the stated purpose requires, although there is no fixed upper time limit on data storage.
- Integrity and confidentiality (security) — companies must take measures to ensure secure data storage and prevent unlawful or unauthorised access to it.
- Accountability — companies must be able to demonstrate adherence to the above principles.
Google claimed to have taken steps to make all of their products GDPR compliant ahead of the deadline. But in practice, this wasn’t always the case.
In March 2018, a group of publishers admonished Google for not providing them with enough tools for GDPR compliance:
“[Y]ou refuse to provide publishers with any specific information about how you will collect, share and use the data. Placing the full burden of obtaining new consent on the publisher is untenable without providing the publisher with the specific information needed to provide sufficient transparency or to obtain the requisite specific, granular and informed consent under the GDPR.”
The proposed Google Analytics GDPR consent form was hard to implement and lacked customisation options. In fact, Google “makes unilateral decisions” on how the collected data is stored and used.
Users had no way to learn about or control all intended uses of people’s data — which made compliance with the second clause impossible.
Unsurprisingly, Google was among the first companies to face a GDPR lawsuit (together with Facebook).
By 2019, the French data regulator CNIL had successfully argued that Google wasn't sufficiently disclosing its data collection across products — and was hence in breach of GDPR. After a failed appeal, Google had to pay a €50 million fine and promise to do better.
2019: Google Analytics 4 Announcement
Throughout 2019, Google rightfully attempted to resolve some of its GDPR shortcomings across all products, Google Universal Analytics (UA) included.
They added a more visible consent mechanism for online tracking and provided extra compliance tips for users to follow. In the background, Google also made technical changes to its data processing mechanism to get on the good side of regulations.
Though Google addressed some of the issues, they missed others. A 2019 independent investigation found that Google's real-time bidding (RTB) ad auctions still used EU citizens' and residents' data without consent, thanks to a loophole called "Push Pages". But they managed to quickly patch this up before the allegations reached court.
In November 2019, Google released a beta version of the new product version — Google Analytics 4, due to replace Universal Analytics.
GA4 came with a set of new privacy-focused features for ticking GDPR boxes, such as:
- Data deletion mechanism. Users can now request to surgically extract certain data from the Analytics servers via a new interface.
- Shorter data retention period. The retention period can now be set to 2 months (instead of the previous 14-month default) or to a custom limit.
- IP anonymisation. GA4 doesn't log or store IP addresses by default.
Google Analytics also updated its data processing terms and made changes to its privacy policy.
Though Google made some progress, Google Analytics 4 still has many limitations — and isn’t GDPR compliant.
2020: Privacy Shield Invalidation Ruling
As part of the 2018 GDPR preparations, Google named its Irish entity (Google Ireland Limited) as the "data controller" legally responsible for EEA and Swiss users' information.
The company announcement says:
Source: Google
Initially, Google assumed that this legal change would help them ensure GDPR compliance as "legally speaking" a European entity was set in charge of European data.
Practically, however, EEA consumers’ data was still primarily transferred and processed in the US — where most Google data centres are located. Until 2020, such cross-border data transfers were considered legal thanks to the Privacy Shield framework.
But in July 2020, the EU Court of Justice ruled that this framework doesn't provide adequate protection for digitally transmitted data against US surveillance laws. Hence, companies like Google can no longer use it. The Swiss Federal Data Protection and Information Commissioner (FDPIC) reached the same conclusion in September 2020.
The invalidation of the Privacy Shield framework put Google in a tough position.
Article 14.f of the GDPR explicitly states:
"The controller (the company) that intends to carry out a transfer of personal data to a recipient (Analytics solution) in a third country or an international organisation must provide its users with information on the place of processing and storage of its data".
Invalidation of the Privacy Shield framework prohibited Google from moving data to the US. At the same time, GDPR provisions mandated that they must disclose the proper data location.
But Google Analytics (like many other products) had no mechanism for:
- Guaranteeing intra-EU data storage
- Selecting a designated regional storage location
- Informing users about data storage location or data transfers outside of the EU
And these factors put Google Analytics in direct breach of GDPR — a territory where they remain as of 2022.
2020-2022: Google GDPR Breaches and Fines
The 2020 ruling opened Google to GDPR lawsuits from country-specific data regulators.
Google Analytics in particular came under heavy fire.
- Sweden first fined Google in 2020 for violating GDPR by not fulfilling its obligations regarding data delisting requests.
- France rejected Google Analytics 4 IP address anonymisation function as a sufficient measure for protecting cross-border data transfers. Even with it, US intelligence services can still access user IPs and other PII. France declared Google Analytics illegal and pressed a €150 million fine.
- Austria also found Google Analytics GDPR non-compliant and proclaimed the service as “illegal”. The authority now seeks a fine too.
The Dutch Data Protection Authority and Norwegian Data Protection Authority also found Google Analytics guilty of a GDPR breach and seek to limit Google Analytics usage.
New privacy controls in Google Analytics 4 do not resolve the underlying issue — unregulated, non-consensual EU-US data transfer.
Google Analytics GDPR non-compliance effectively opens any website tracking or analysing European visitors to legal persecution.
In fact, this is already happening. noyb, a European privacy-focused NGO, has already filed over 100 lawsuits against European websites using Google Analytics.
2022: Privacy Shield 2.0 Negotiations
Google isn’t the only US company affected by the Privacy Shield framework invalidation. The ruling puts thousands of digital companies at risk of non-compliance.
To settle the matter, US and EU authorities started “peace talks” in spring 2022.
European Commission President Ursula von der Leyen said that they are working with the Biden administration on the new agreement that will “enable predictable and trustworthy data flows between the EU and US, safeguarding the privacy and civil liberties.”
However, it's just the beginning of a lengthy negotiation process. The matter is far from being settled and contentious issues remain, as we discussed on Twitter (come say hi!).
For one, the US isn't eager to modify its surveillance laws and is mostly willing to make them "proportional" to those in place in the EU. These modifications may still not satisfy the CJEU — which has the power to block the agreement's vetting or invalidate it once again.
While these matters are getting hashed out, Google Analytics users collecting data about EU citizens and/or residents remain on slippery ground. As long as they use GA4, they can be subject to GDPR-related lawsuits.
To Sum It Up
- Google Analytics 4 and Google Universal Analytics are not GDPR compliant because of Privacy Shield invalidation in 2020.
- French and Austrian data watchdogs named Google Analytics operations “illegal”. Swedish, Dutch and Norwegian authorities also claim it’s in breach of GDPR.
- Any website using GA for collecting data about European citizens and/or residents can be taken to court for GDPR violations (which is already happening).
- Privacy Shield 2.0 Framework discussions to regulate EU-US data transfers have only begun and may take years. Even if accepted, the new framework(s) may once again be invalidated by local data regulators as has already happened in the past.
Time to Get a GDPR Compliant Google Analytics Alternative
Retaining 100% data ownership is the optimal path to GDPR compliance.
By selecting a transparent web analytics solution that offers 100% data ownership, you can rest assured that no “behind the scenes” data collection, processing or transfers take place.
Unlike Google Analytics 4, Matomo offers all of the features you need to be GDPR compliant:
- Full data anonymisation
- Single-purpose data usage
- Easy consent and an opt-out mechanism
- First-party cookies usage by default
- Simple access to collect data
- Fast data removals
- EU-based data storage for Matomo Cloud (or storage in the country of your choice with Matomo On-Premise)
Learn about your audiences in a privacy-centred way and protect your business against unnecessary legal exposure.
Start your 21-day free trial (no credit card required) to see how fully GDPR-compliant website analytics works!
-
Web Analytics : The Quick Start Guide
25 January 2024, by Erin. You've spent ages carefully designing your website, crafting copy to encourage as many users as possible to purchase your product.
But they aren’t. And you don’t know why.
The good news is you don’t have to remain in the dark. Collecting and analysing web analytics lets you understand how your users behave on your site and why they aren’t converting.
But before you can do that, you need to know what those metrics and KPIs mean. That’s why this article is taking things back to basics. Below, we’ll show you which metrics to track, what they mean and how to choose the best web analytics platform.
What is web analytics?
Web analytics is the process of collecting, analysing and reporting website data to understand how users behave on your website. Web analytics platforms like Matomo collect this data by adding a line of tracking code to every page of the site.
Why is it important to track web analytics?
There are plenty of reasons you should start tracking web analytics, including the following:
Analyse user behaviour
Being able to analyse user behaviour is the most important reason to track website analytics. After all, you can’t improve your website’s conversion rate if you don’t know what users do on your site.
A web analytics platform can show you how users move around your site, the links they click on and the forms they fill in.
Improve site experience
Web analytics is a fantastic way to identify issues and find areas where your site could improve. You could look at your site’s exit pages, for example, and see why so many users leave your site when viewing one of these pages and what you can do to fix it.
It can also teach you about your user’s preferences so you can improve the user experience in the future. Maybe they always click a certain type of button or prefer one page’s design over another. Whatever the case, you can use the data to make your site more user-friendly and increase conversions.
Boost marketing efforts
Web analytics is one of the best ways to understand your marketing efforts and learn how to improve them.
A good platform can collect valuable data about your marketing campaigns, including:
- Where users came from
- What actions these users take on your site
- Which traffic sources create the most conversions
This information can help you decide which marketing campaigns send the best users to your site and generate the highest ROI.
Make informed decisions
Ultimately, web analytics simplifies decision-making for your website and marketing efforts by relying on concrete data instead of guesswork.
Rather than wonder why users aren’t adding products to their shopping cart or signing up for your newsletter, you can analyse how they behave and use that information to hypothesise how you can improve conversions. Web analytics will even give you the data to confirm whether you were right or wrong.
What are the key metrics you should track ?
Getting your head around web analytics means knowing the most important metrics to track. Below are seven key metrics and how to track them using Matomo.
Traffic
Traffic is the number of people visiting your website over a period of time. It is the lifeblood of your website since the more visits your site receives, the more revenue it stands to generate.
However, simply having a high volume of visitors does not guarantee substantial revenue. To maximise your success, focus on attracting your ideal customers and generating quality traffic from those who are most likely to engage with your offerings.
Ideally, you should be seeing an upward trend in traffic over time though. The longer your website has been published and the more quality and targeted content you create, the more traffic you should receive.
Matomo offers multiple ways to check your website's traffic:
The visits log report in Matomo is perfect if you want a granular view of your visitors.
It shows you each user session and gives you a detailed picture of each user, including:
- Their geographic location
- The number of actions they took
- How they found your site
- The length of time they stayed
- Their device type
- What browser they are using
- The keyword they used to find your site
Traffic sources
Traffic sources show how users access your website. They can enter via a range of traffic sources, including search engines, email and direct visits, for instance.
Matomo has five default traffic source types:
- Search engine – visitors from search platforms (like Google, Bing, etc.)
- Direct traffic – individuals who directly type your website's URL into their browser or have it bookmarked, bypassing search engines or external links
- Websites – visits from other external sites
- Campaigns – traffic resulting from specific marketing initiatives (like a newsletter or ad campaign, for instance)
- Social networks – visitors who access your website through various social media platforms (such as Facebook, LinkedIn, Instagram, etc.)
But each of these can be broken into more granular sources. Take organic traffic from search engines, for example:
Matomo tracks visits from each search engine, showing you how many visits you had in total, how many actions those visitors took, and the average amount of time those visitors spent on your site.
You can even integrate Google, Bing and Yahoo search consoles to monitor keyword performance and enhance your search engine optimisation efforts.
Pageviews
Whenever a browser loads a page, your web analytics tool records a pageview. The pageview count is therefore the number of times a page on your website has been loaded, repeat loads included.
You can track pageviews in Matomo by opening the Pages tab in the Behaviour section of the main navigation.
You can quickly see your site’s most visited pages in this report in Matomo.
Be careful of deriving too much meaning from pageviews. Just because a page has lots of views doesn't necessarily mean it's high-quality or valuable. There are a couple of reasons for this. First, the page might be confusing, so users have to keep revisiting it to understand the content. Second, it could be the default page most visitors land on when they enter your site, like the homepage.
While pageviews offer insights, it’s important to dig deeper into user behaviour and other metrics to truly gauge a page’s importance and impact.
Average time on page
Average time on page is the mean amount of time users spend on a given page. You can see average time on page in Matomo's page analytics report.
A low time on page score isn’t necessarily a bad thing. Users will naturally spend less time on gateway pages and checkout pages. A short time spent on checkout pages, especially if users are successfully completing their transactions, indicates that the checkout process is easy and seamless.
Conversely, a longer time on blog posts is a positive indicator. It suggests that readers are genuinely engaged with the content.
Try Matomo for Free
Get the web insights you need, without compromising data accuracy.
Returning visitors
Returning visitors measures the number of people who visit your site more than once. It can be expressed as a number or a percentage.
While some analytics tools only show returning visitors as a percentage, Matomo lets you learn more about each of them in the Visitor profile report.
This report offers a full summary of a user's previous actions, including:
- How many times they’ve visited your site
- The pages they viewed on each visit
- Where they visited from
- The devices they used
- How quickly pages loaded
When people keep coming back to a website, it’s usually a positive sign and means they like the service, content or products. But, it depends on the type of website. If it’s the kind of site where people make one-off purchases, the focus might not be on getting visitors to return. For a site like this, a high number of returning visitors could indicate that the website is confusing or difficult to use.
It’s all about the context – different websites have different goals, and it’s important to keep this in mind when analysing your site.
Conversions
A conversion is when a user takes a desired action on your website. This could be:
- Making a purchase
- Subscribing to your newsletter
- Signing up for a webinar
You can track virtually any action as a conversion in Matomo by setting goals and analysing the goals report.
As you can see in the screenshot above, Matomo shows your conversions plotted over time. You can also see your conversion rate to get a complete picture and assign a value to each conversion to calculate how much revenue each conversion generates.
Bounce rate
A visitor bounces when they leave your website without taking an action or visiting another page.
Typically, you want bounce rate to be low because it means people are engaged with your site and more likely to convert. However, in some cases, a high bounce rate isn’t necessarily bad. It might mean that visitors found what they needed on the first page and didn’t feel the need to look further.
The impact of bounce rate depends on your website’s purpose and goals.
You can view your website’s bounce rate using Matomo’s page analytics report — the same report that shows pageviews.
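The metrics defined in this section (pageviews, average time on page, returning visitors, conversions and bounce rate) computed from a raw visit log, as an added example that is not part of the original guide or of Matomo's own code. The `Hit` record and the visit log are constructed for illustration and do not reflect Matomo's actual tracking format; a "bounce" is taken, as defined above, to be a one-page visit in which no goal was reached.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One tracked page load. The field layout is an assumption for this
    example, not Matomo's real tracking format."""
    visitor_id: str          # stable first-party visitor cookie id
    visit_id: int            # one browsing session; a visitor can have several
    page: str                # URL path that was loaded
    seconds: int             # time spent on this page before the next hit or leaving
    converted: bool = False  # a goal (e.g. completed order) was reached on this hit


# Constructed sample log, not real traffic.
LOG = [
    Hit("v1", 1, "/", 12),
    Hit("v1", 1, "/pricing", 45),
    Hit("v1", 1, "/checkout", 20, converted=True),  # short but successful checkout
    Hit("v2", 2, "/blog/post", 180),                # single page, long read: a bounce
    Hit("v3", 3, "/", 5),
    Hit("v3", 3, "/blog/post", 240),
    Hit("v1", 4, "/", 8),                           # v1 comes back in a new visit
    Hit("v1", 4, "/blog/post", 60),
    Hit("v4", 5, "/", 3),                           # homepage bounce
]


def pageviews(log):
    """Number of times each page was loaded (every load counts, repeats included)."""
    counts = defaultdict(int)
    for h in log:
        counts[h.page] += 1
    return dict(counts)


def avg_time_on_page(log):
    """Mean seconds spent per page across all loads of that page."""
    total, loads = defaultdict(int), defaultdict(int)
    for h in log:
        total[h.page] += h.seconds
        loads[h.page] += 1
    return {page: total[page] / loads[page] for page in total}


def sessions(log):
    """Group hits by visit so per-visit metrics can be derived."""
    by_visit = defaultdict(list)
    for h in log:
        by_visit[h.visit_id].append(h)
    return by_visit


def bounce_rate(log):
    """Share of visits that viewed one page and took no action (no goal reached)."""
    by_visit = sessions(log)
    bounced = sum(
        1 for hits in by_visit.values()
        if len(hits) == 1 and not any(h.converted for h in hits)
    )
    return bounced / len(by_visit)


def conversion_rate(log):
    """Share of visits in which at least one goal was reached."""
    by_visit = sessions(log)
    converted = sum(1 for hits in by_visit.values() if any(h.converted for h in hits))
    return converted / len(by_visit)


def returning_visitors(log):
    """Visitors with more than one visit, as a count and as a share of all visitors."""
    visits_per_visitor = defaultdict(set)
    for h in log:
        visits_per_visitor[h.visitor_id].add(h.visit_id)
    returning = [v for v, visits in visits_per_visitor.items() if len(visits) > 1]
    return len(returning), len(returning) / len(visits_per_visitor)


if __name__ == "__main__":
    print("pageviews:", pageviews(LOG))
    print("avg time on page:", avg_time_on_page(LOG))
    print("bounce rate:", bounce_rate(LOG))
    print("conversion rate:", conversion_rate(LOG))
    print("returning visitors (count, share):", returning_visitors(LOG))
```

On this log the homepage has the most pageviews yet the shortest average time on page, while the checkout page is short-lived but converts, which is the context the sections above warn you to read the raw numbers with.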
Web analytics best practices
You should follow several best practices to get the most from website analytics data.
Choose metrics that align with your goals
Only some metrics your analytics platform tracks will be relevant to your business. So don’t waste time analysing all of them.
Instead, focus on the ones that matter most to your business. A marketer for an e-commerce store, for example, might focus on conversion-related metrics like conversion rate and total number of transactions. They might also want to look at campaign-related metrics, like traffic sources and bounce rates, so they can optimise paid ad campaigns accordingly.
A marketer looking to improve their site’s SEO, on the other hand, will want to track SEO web analytics like bounce rate and broken links.
Add context to your data
Don’t take your data at face value. There could be dozens of factors that impact how visitors access and use your site — many of which are outside your control.
For example, you may think an update to your site has sent your conversions crashing when, in reality, a Google algorithm update has negatively impacted your search traffic.
Adding annotations within Matomo can provide invaluable context to your data. These annotations can be used to highlight specific events, changes or external factors that might influence your website metrics.
By documenting significant occurrences, such as website updates, marketing campaigns or algorithm changes, you create a timeline that helps explain fluctuations in your data.
Go further with advanced web analytics features
It’s clear that a web analytics platform is a necessary tool to understand your website’s performance.
However, if you want greater confidence in decision-making, quicker insights and better use of budget and resources, you need an advanced solution with behavioural analytics features like heatmaps, A/B testing and session recordings.
Most web analytics solutions don’t offer these advanced features, but Matomo does, so we’ll be showcasing Matomo’s behavioural analytics features.
Now, if you don't have a Matomo account, you can try it free for 21 days to see if it's the right tool for you.
A heatmap, like the example above, makes it easy to discover where your users pay attention, which part of your site they have problems with, and how they convert. It adds a layer of qualitative data to the facts offered by your web analytics tool.
Similarly, session recordings will offer you real-time playbacks of user interactions, helping you understand their navigation patterns, identify pain points and gain insights into the user experience.
Then you can run experiments by using A/B testing to compare different versions of your website or specific elements, allowing you to make informed decisions based on actual user preferences and behaviour. For instance, you can compare different headlines, images, page layouts or call-to-action buttons to see which resonates better with your audience.
Together, these advanced features will give you the confidence to optimise your website, improve user satisfaction and make data-driven decisions that positively impact your business.
How to choose a web analytics tool
A web analytics tool is the best way to track the above metrics. Choose the best one for your company by following the steps below.
Look for the right features
Most popular web analytics platforms, like Google Analytics, will offer the same core features like tracking website traffic, monitoring conversions and generating reports.
But it's the added features that set great tools apart. Do you need specific tools to measure the performance of your e-commerce store, for example? What about paid ad performance, A/B testing or form analytics?
By understanding exactly what you need from an analytics platform, you can make an informed choice.
Think about data accuracy
Data accuracy is one of the biggest issues with analytics tools. Many users block cookies or opt out of tracking, making it difficult to get a clear picture of user behaviour — and meaning that you have to think about how your user data will be collected with your chosen platform.
Google Analytics, for instance, uses data sampling to make assumptions about traffic levels rather than relying on accurate data. This can lead to inaccurate reports and false conclusions.
It’s why Matomo doesn’t use data sampling and provides 100% accurate data.
Understand how you’ll deal with data privacy
Data privacy is another big concern for analytics users. Several major analytics platforms aren’t compatible with regional data privacy laws like GDPR, which can impact your ability to collect data in these regions.
It’s why many companies trust privacy-focused analytics tools that abide by regulations without impacting your ability to collect data. Matomo is a market leader in this respect and is one of the few web analytics tools that the Centre for Data Privacy Protection in France has said is exempt from tracking consent requirements.
Many government agencies across Europe, Asia, Africa and North America, including organisations like the United Nations and European Commission, rely on Matomo for web analytics.
Conclusion
Web analytics is a powerful tool that helps you better understand your users, improve your site’s performance and boost your marketing efforts.
If you want a platform that offers advanced features, 100% accurate data and protects your users’ privacy, then look no further than Matomo.
Try Matomo free for 21 days, no credit card required.
-
Understanding Data Processing Agreements and How They Affect GDPR Compliance
9 October 2023, by Erin (GDPR). The General Data Protection Regulation (GDPR) impacts international organisations that conduct business or handle personal data in the European Union (EU), and they must know how to stay compliant.
One way of ensuring GDPR compliance is through implementing a data processing agreement (DPA). Most businesses overlook DPAs when considering ways of maintaining user data security. So, what exactly is a DPA's role in ensuring GDPR compliance?
In this article, we'll discuss DPAs, their advantages, which data protection laws require them and the clauses that make up a DPA. We'll also discuss the consequences of non-compliance and how you can maintain GDPR compliance using Matomo.
What is a data processing agreement?
A data processing agreement, data protection agreement or data processing addendum is a contractual agreement between a data controller (a company) and a data processor (a third-party service provider). It defines each party's rights and obligations regarding data protection.
A DPA also defines the responsibilities of the controller and the processor and sets out the terms they’ll use for data processing. For instance, when MHP/Team SI sought the services of Matomo (a data processor) to get reliable and compliant web analytics, a DPA helped to outline their responsibilities and liabilities.
A DPA is one of the basic requirements for GDPR compliance. The GDPR is an EU regulation concerning personal data protection and security. The GDPR is binding on any company that actively collects data from EU residents or citizens, regardless of their location.
As a business, you need to know what goes into a DPA to identify possible liabilities that may arise if you don’t comply with European data protection laws. For example, having a recurrent security incident can lead to data breaches as you process customer personal data.
The average data breach cost for 2023 is $4.45 million. This amount includes regulatory fines, containment costs and business losses. As such, a DPA can help you assess the organisational security measures of your data processing methods and define the protocol for reporting a data breach.
Why is a DPA essential for your business ?
If your company processes personal data from your customers, such as contact details, you need a DPA to ensure compliance with data security laws like GDPR. You’ll also need a DPA to hire a third party to process your data, e.g., through web analytics or cloud storage.
But what are the benefits of having a DPA in place?
A key benefit of signing a DPA is it outlines business terms with a third-party data processor and guarantees compliance with the relevant data privacy laws. A DPA also helps to create an accountability framework between you and your data processor by establishing contractual obligations.
Additionally, a DPA helps to minimise the risk of unauthorised access to sensitive data. A DPA defines organisational measures that help protect the rights of individuals and safeguard personal data against unauthorised disclosure. Overall, before choosing a data processor, having a DPA ensures that they are capable, compliant and qualified.
More than 120 countries have already adopted some form of international data protection laws to protect their citizens and their data better. Hence, knowing which laws require a DPA and how you can better ensure compliance is important.
Which data protection laws require a DPA?
Regulatory bodies enact data protection laws to grant consumers greater control over their data and how businesses use it. These laws ensure transparency in data processing and compliance for businesses.
The following are some of the relevant data privacy laws that require you to have a DPA:
- UK GDPR
- Brazil LGPD
- EU GDPR
- Dubai PDPA
- Colorado CPA
- California CCPA/CPRA
- Virginia VCDPA
- Connecticut DPA
- South African POPIA
- Thailand PDPA
Companies that don’t adhere to these data protection obligations usually face liabilities such as fines and penalties. With a DPA, you can set clear expectations regarding data processing between you and your customers.
Review and update any DPAs with third-party processors to ensure compliance with GDPR and the laws we mentioned above. Additionally, confirm that all the relevant clauses are present for compliance with relevant data privacy laws.
So, what key data processing clauses should you have in your DPA? Let’s take a closer look in the next section.
Key clauses in a data processing agreement
GDPR provides some general recommendations for what you should state in a DPA.
Here are the elements you should include :
Data processing specifications
Your DPA should address the specific business purposes for data processing, the duration of processing and the categories of data under processing. It should also clearly state the party responsible for maintaining GDPR compliance and who the data subjects are, including their location and nationality.
Your DPA should also address the data processor and controller’s responsibilities concerning data deletion and contract termination.
Role of processor
Your DPA should clearly state what your data processor is responsible for and liable for. Some key responsibilities include record keeping, reporting breaches and maintaining data security.
Other roles of your data processor include providing you with audit opportunities and cooperating with data protection authorities during inquiries. If you decide to end your contract, the data processor is responsible for deleting or returning data, depending on your agreement.
Role of controller
Your DPA should set out the responsibilities of the data controller, which typically include issuing processing instructions to the data processor and directing them on how to handle data processing.
Your DPA should let you define the lawful data processes the data processor must follow and how you’ll uphold individuals’ data protection rights when their sensitive data is processed.
Organisational and technical specifications
Your DPA should define specifications such as how third-party processors encrypt, access and test personal data. It should also include specifications on how the data processor and controller will maintain ongoing data security, taking into account factors such as:
- State of the technology: Do third-party processors have reliable technology, and can they ensure data security within their systems?
- Costs of implementation: Does the data controller’s budget allow them to seek third-party services from industry-leading providers who can guarantee a certain level of security?
- Variations in users’ personal choices: Are there privacy policies and opt-out forms that let users express how they want companies to use their sensitive data?
Moreover, your DPA should define how you and your data processor will ensure the confidentiality, availability and integrity of data processing services and systems.
What are the penalties for DPA GDPR non-compliance?
Regulators use GDPR’s stiff fines to encourage data controllers and third-party processors to follow best data security practices. One way of maintaining compliance is through drafting up a DPA with your data processor.
The DPA should clearly outline the necessary legal requirements and include all the relevant clauses mentioned above. Understand what goes into this agreement since data protection authorities can hold your business accountable for a breach — even if a processor’s error caused it.
Data protection authorities can issue penalties now that the GDPR is in place. For example, according to Article 83 of the GDPR, penalties for data or privacy breaches or non-compliance can amount to up to €20 million or 4% of your annual revenue.
There are two tiers of fines: tier one and tier two. Violations related to data processors typically attract tier-one fines, which can cost your business up to €10 million or 2% of your company’s global revenue.
Tier-two fines result from infringement of your consumers’ right to be forgotten and right to privacy. Tier-two fines can cost your business up to €20 million or 4% of your company’s global revenue.
GDPR fines make non-compliance an expensive mistake for businesses of all sizes. As such, signing a DPA with any party that acts as a data processor for your business can help you remain GDPR-compliant.
How a DPA can help your business remain GDPR compliant
A DPA can help your business define and adhere to lawful data processes.
So, in what other ways can a DPA help you to remain compliant with GDPR? Let’s take a look!
1. Assess data processor’s compliance
Having a DPA helps ensure that the data processor you are working with is GDPR-compliant. You should check if they have a DPA and confirm the processor’s terms of service and legal basis.
For example, if you want an alternative to Google Analytics that’s GDPR compliant, then you can opt for Matomo. Matomo features a DPA, which you can agree to when you sign up for web analytics services or later.
2. Establish lawful data processes
A DPA can also help you review your data processes to ensure they’re GDPR compliant. For example, by defining lawful data processes, you better understand personally identifiable information (PII) and how it relates to data privacy.
Further, you can allow users to opt out of sharing their data. For example, Matomo lets you honour Do Not Track preferences on your website.
With this feature, users are given the option to opt in or out of tracking via a toggle in their respective browsers.
Indeed, establishing lawful data processes helps you define the specific business purposes for collecting and processing personal data. By doing so, you get to notify your users why you need their data and get their consent to process it by including a GDPR-compliant privacy policy on your website.
3. Anonymise your data
Global privacy laws like GDPR and ePrivacy mandate companies to display cookie banners or seek consent before tracking visitors’ data. You can either include a cookie consent banner on your site or stop tracking cookies to follow the applicable regulations.
Further, you can enable cookie-less tracking or easily let users opt out. For example, you can use Matomo without a cookie consent banner, exempting it from many countries’ privacy rules.
Additionally, through a DPA, you can define the organisational measures that govern how you’ll anonymise all your users’ data. Matomo can help you anonymise IP addresses, and we recommend that you at least anonymise the last two bytes.
As one of the few web analytics tools you can use to collect data without tracking consent, Matomo also has the French Data Protection Authority (CNIL) approval.
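The two measures described in this section, honouring a visitor’s Do Not Track preference and zeroing at least the last two bytes of the IP address before it is stored, as an added example in Python. This is illustrative code written for this article, not Matomo’s implementation; the IPv6 prefix lengths it uses are an assumption, and the sample requests are constructed.

```python
import ipaddress


def anonymise_ip(ip: str, bytes_to_mask: int = 2) -> str:
    """Zero the trailing bytes of an address so it identifies a network, not a host.

    IPv4: bytes_to_mask in 1..3 zeroes that many trailing octets (2 -> /16).
    IPv6: assumption, not a Matomo rule: the address is truncated to /64, /48
    or /32 for 1, 2 or 3 bytes, so the result is at least as coarse as for IPv4.
    """
    if not 1 <= bytes_to_mask <= 3:
        raise ValueError("mask 1 to 3 bytes: 0 keeps the full address, 4 keeps nothing")
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if addr.version == 4:
        prefix = 32 - 8 * bytes_to_mask
    else:
        prefix = {1: 64, 2: 48, 3: 32}[bytes_to_mask]
    # strict=False accepts non-zero host bits; network_address zeroes them
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def dnt_enabled(headers: dict) -> bool:
    """True when the browser sent 'DNT: 1' (header names compared case-insensitively)."""
    return any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())


def record_visit(headers: dict, client_ip: str, bytes_to_mask: int = 2):
    """Return the record to store for a visit, or None when the visitor opted out.

    The full client IP never reaches the stored record: only the anonymised
    form is kept, together with the user agent string.
    """
    if dnt_enabled(headers):
        return None
    return {"ip": anonymise_ip(client_ip, bytes_to_mask),
            "ua": headers.get("User-Agent", "")}


if __name__ == "__main__":
    # Constructed sample requests; the addresses are documentation ranges.
    opted_out = {"DNT": "1", "User-Agent": "ExampleBrowser/1.0"}
    tracked = {"User-Agent": "ExampleBrowser/1.0"}
    print(record_visit(opted_out, "198.51.100.7"))   # None: not tracked
    print(record_visit(tracked, "198.51.100.7"))     # ip stored as 198.51.0.0
    print(record_visit(tracked, "2001:db8:85a3:1234:abcd::1"))  # 2001:db8:85a3::
```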
4. Assess the processor’s bandwidth
Having a DPA can help you implement data retention policies that show clear retention periods. Such policies are useful when ending a contract with a third-party service provider and determining how they should handle your data.
A DPA also helps you ensure the processor has the necessary technology to store personal data securely. You can conduct an audit to understand possible vulnerabilities and your data processor’s technological capacity.
5. Obtain legal counsel
When drafting a DPA, it’s important to get a consultation on what is needed to ensure complete compliance. Obtaining legal counsel points you in the right direction so you don’t make any mistakes that may lead to non-compliance.
Conclusion
Businesses that process users’ data are subject to several DPA contract requirements under GDPR. One of the most important is having DPAs with every third-party provider that helps them perform data processing.
It’s important to stay updated on GDPR requirements for compliance. As such, Matomo can help you maintain lawful data processes. Matomo gives you complete control over your data and complies with GDPR requirements.
To get started with Matomo, you can sign up for a 21-day free trial. No credit card required.
Disclaimer
We are not lawyers and don’t claim to be. The information provided here is to help give an introduction to GDPR. We encourage every business and website to take data privacy seriously and discuss these issues with your lawyer if you have any concerns.