Web analytics GDPR compliance steps

These days everyone is talking about GDPR. The sure thing is it brings a lot of changes, for every organization processing personal data. It will also have a tremendous impact on web analytics. The market is still evolving. It’s still not clear which steps a web analytics data controller and / or data processor will need to take, to ensure compliance with the new regulation and still gather meaningful data. Web analytics GDPR compliance, needs changes both from the organization’s staff and also from every service used by the organization and  acting as a data processor. In my last article on this topic, I tried to breakdown the changes brought by GDPR for web analytics. This time I will focus on a few steps and goals I believe are important to get on the right track, to ensure web analytics GDPR compliance by May 2018.


I presented all of the steps below, in Thessaloniki’s Digital analytics meetup in November. Take a look at my presentation to get a clear understanding of the changes required for compliance when working with web analytics tools and the current status of the tools available in the market (and the support they offer in this direction). I’ve also included a few workarounds / hacks / ideas, that I believe can help SMBs ensure compliance with a relatively low cost.

Web analytics GDPR compliance highlights

Below is a summary of the most important steps an organization can take to ensure web analytics GDPR compliance:
  • Complete an audit of all the personal data collected and minimize personal data collection to the minimum. This will minimize the overhead you add to your processes.
  • Get consent when you process personal data and keep track of consent replies in your web analytics platform to help you during data analysis.
  • Sign a DPA (Data processing Agreements) with every data processor (third party vendor) to ensure compliance of every party receiving data from your end.
  • Monitor data access and restrict access to the ones who actually need it.
  • Use a DPO (Data Protection Officer) only if you really need it (usually required for companies employing more than 200 people), otherwise appoint someone from your team to keep track. Make sure that whoever keeps track is not directly involved with the data processing.
  • Educate employees to make sure they are aware of the changes.
  • Pseudonymize personal data information to increase security, in case of breach and remove any personal data you don’t need (e.g. IP addresses, email addresses etc.). It’s very easy to capture personal data without even knowing, take a look at this article to workaround this common problem.


Did you find these tips useful? Do you have any other tips to share? I would be really happy to hear which steps are followed by other web analytics teams to comply with the upcoming changes.

Written By

Panagiotis (pronounced Panayotis) is a passionate G(r)eek with experience in digital analytics projects and website implementation. Fan of clear and effective processes, automation of tasks and problem-solving technical hacks. Hands-on experience with projects ranging from small to enterprise-level companies, starting from the communication with the customers and ending with the transformation of business requirements to the final deliverable.