Google Analytics: GA4 vs Universal Analytics – What will change?

July 2022

Will GA4 improve compliance?

For any users of Google Analytics, you will have started to see some messaging warning that the Universal Analytics tools will be retired in 2023 and that now is the time to migrate across to Google Analytics 4.

 What is Google Analytics 4 (GA4)? 

GA4 is a new property that helps analyse the performance of your website and app traffic and will replace Universal Google Analytics. It was first released in October 2020 although it’s only now that the campaign to migrate across has started in earnest. 

 Key components include: 

  • Event-based tracking: Universal Analytics is session-based, while GA4 is event–based. In other words, the ability to track events like button clicks, video plays, and more is built in with GA4, while this requires advanced setups in UA. This comes from the premise that page views aren’t the sole important metric.
  • Cross-device tracking: UA was built around desktop web traffic, while GA4 gives businesses visibility into the customer journeys across all of their website and apps.
  • Machine learning: GA4 uses machine learning technology to share insights and make predictions.
  • Privacy-friendly: UA data relies heavily on cookies, GA 4 does not.

Crucially, on July 1, 2023, standard Universal Analytics properties (the previous version of Google analytics) will no longer process data. You’ll be able to see your Universal Analytics reports for a period of time after July 1, 2023. This means that to have a continuous history of activity, it makes sense to move across to the new GA4 platform sooner rather than later. 

What privacy improvements have been made?

GA4 came with a set of new privacy-focused features for ticking GDPR boxes including: 

  • Data deletion mechanism. Users can now request to surgically extract certain data from the Analytics servers via a new interface. 
  • Shorter data retention period. You can now shorten the default retention period to 2 months (instead of 14 months) or add a custom limit.  
  • IP Anonymisation. GA4 doesn’t log or store IP addresses by default. They allocate an anonymous and unique user id to each record
  • First-party data cookies. Google uses first-party cookies which means they’ll still be supported by browsers
  • More data sampling. Google is doing more data sampling using AI to gain more granular analytics insights – this is more privacy friendly and uses models to investigate deeper insights
  • Consent mode. The behaviour of Google tags is managed based on user consent choices. 
  • Collecting PII. Google does not allow the collection of PII in GA4 –  this is considered a violation of Googles terms of service
  • Data sharing with other Google Products. Any linking to Google advertising products requires explicit opt-in consent and a prominent section on the privacy notice 

Is Google now compliant?

Possibly in limited circumstances. If Google anonymises the data by allocating a user id that is never referenced with any other data then we can argue the data is anonymous and therefore not subject to GDPR regulation.

In some instances, this may be the case if you are doing simple tracking and effectively treat your digital platforms as an ivory tower. In most instances, it is not!

If you are advertising and can then link the id to other data, there is the potential to identify individuals and therefore the information becomes personal data and subject to GDPR.

This means that all the usual user consent rules apply and opt-in consent is required to analyse activity.

The major difficulty for Google is that data is exported to the US where it is deemed, by the EU, that Google does not adequately protect EU personal data from US surveillance rules. 

Previously, Google relied on the Privacy Shield framework to ensure that it remained compliant. Since that has been invalidated in 2020, Google has struggled to achieve compliance and has faced a number of fines.          

In particular, Google Analytics does not have a way for:

·       Ensuring data storage within the EU

·       Choosing a preferred regional storage site

·       Notifying users of the location of their data storage and any data transfers outside of the EU

What next?

Ideally, Privacy Shield 2.0 will be introduced soon! Talks have started but they’re unlikely to be swift! The US government has been talking about making its surveillance standards “proportional” to those in place in the EU. This may not be good enough for CJEU. 

In the meantime, implement GA4 as it is more privacy-focused than Google Universal Analytics and hope that US and EU come to an agreement soon. There is a risk in using GA4 and you might want to consider using other solutions.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data. 

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June the UK’s adequacy decision was adopted.  On September 27th 2021, the prior version of the SCCs expired. 

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist. 

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy agreement by the EU, we all hoped it would be possible to mirror the SCCs arrangements in UK law thus re-instating the means by which we can lawfully export data to places such as the US. 

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences to the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval“.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do.  Good sense has prevailed. 

 

UK International Data Transfers - what next?

August 2021

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

The concept is fairly straightforward, however the practicalities have become rather complex in recent times.

You’d be forgiven for finding the whole topic of international transfers confusing. And that’s bad for business – we need real clarity on the requirements to keep data flowing between the UK and other countries.

Especially and as the UK begins to emerge from the massive economic (not to mention health & social) impacts of Coronavirus.

The complexity around data transfers comes from a few factors. First there’s impact of Brexit on data flows and the recent EC-UK Adequacy Decision.

But we must also consider the fallout from the now famous “Schrems II” ruling by the European Court of Justice. That’s the one which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data – resulting in recently updated SCCs being published by the European Commission, to take account of the ruling.

But what does this all mean for the UK?

  • Can UK businesses use European SCCs post-Brexit?
  • Do we need UK SCCs?

A public consultation on UK data transfers

The Information Commissioner’s Office (ICO) has announced a public consultation on its draft International Data Transfer Agreement (known as IDTA) and accompanying guidance. (Update: this consultation has since closed).

The IDTA is a model contract which UK organisations would be able to use when transferring data to other countries. In particular, when transferring data to countries which do not benefit from an EC adequacy decision.

In this situation, most organisations would normally look to use SCCs to ensure the transfers are lawful. However, EU SCCs don’t directly apply to the UK post Brexit and the ICO’s proposed replacement for the UK is the IDTA.

The ICO tells us this new agreement takes into account the binding judgment of the European Court of Justice from the Schrems II Ruling.

What’s in the consultation?

There are three key sections to the consultation:

  • Proposal and plans for the ICO to update its guidance on international transfers
  • Transfer risk assessments – including a new risk-assessment tool
  • The International Data Transfer Agreement.

The ICO is also proposing the use of a template Addendum to the EU SCCs, allowing organisations to adapt those SCCs to work in the context of UK transfers.

The UK Regulator has provided proposals and options which it would like us to consider and comment on.

On announcing the consultation Steve Wood, the ICO’s Executive Director of Regulatory Strategy said:

“The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.

“We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements will help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.”.

 

What next for international data transfers?

Listen in as our expert panel explores how to tackle international data transfers. We set the scene, share some helpful tips and discuss what actions to take.

Host Robert Bond, Legal Counsel at Bristows LLP was joined by Julia Porter, Partner at Data Protection Network Associates, Joseph Byrne, Privacy Solutions Engineer at OneTrust and Yasmeen Rahman, Group DPO at Informa Group.

Where next with international data transfers?

April 2021

In July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield invalid. This was on account of the invasive US surveillance programmes in place, which meant the transfer of personal data on the basis of Privacy Shield Decision was declared illegal.

At the same time the Court stipulated stricter requirements for the transfer of personal data based on Standard Contractual clauses (SCCs).

It stated both Controllers and Processors must ensure the data subject is granted a level of protection equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights. If this wasn’t possible the transfer of personal data should cease.

This came as quite a shock to many organisations. In particular anyone who was using software as a service (SaaS), technology solutions had a big problem.

Many of these suppliers are US based and the entreaties from Max Schrems and co to buy from EU didn’t really cut much ice. Where were the European equivalents of the most successful SaaS suppliers? Nowhere to be found!

What are SCCs?

The ICO definition is pretty snappy:

SCCs are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both sign up to. They include contractual obligations which help to protect personal data when it leaves the EEA and the protection of GDPR.

These need to be used when you are exporting data to any third country – such as USA. You do not need to use them if a country has an adequacy agreement with EU.

What to do after the ruling?

The initial advice was to ensure that anyone who was relying on Privacy Shield should be prepared to sign SCCs. However, signing SCCs isn’t entirely plain sailing.  The court didn’t automatically rule they were invalid but, instead, ruled their use needed to be assessed on a case-by-case basis and it might be necessary to put in place “supplementary measures” to protect the data subject.

What do “supplementary measures” look like?

The main challenge with the US, where the federal government has significant power, was the fear of government surveillance.

Can data be further encrypted? Can data be stored in EU data centres and kept separate from the US data centres? Are these measures sufficient?

The CNIL in France seemed to think so when they ruled that a Covid vaccination booking site (Doctolib) based in France could host its service with the US company Amazon Web Services (AWS) in Luxembourg.

AWS were deemed to have introduced sufficient “supplementary measures” to protect personal data by creating a data silo in Europe which is separate from their service in US.

The new SCCs – what do they look like?

Soon after the court ruling, the EU published their draft version of the updated SCCs which had been in the pipeline for some time.

This was a happy co-incidence although it’s likely these were rushed out once the CJEU judgement was passed down.

The old SCCs were out of date and inflexible with no provision for Processors so everyone welcomed the fact  more useful SCCs were on their way.

What are the differences?

  • The SCCs are now modular meaning that they can accommodate a number of different scenarios, where you can pick the pieces that relates to your particular situation.
  • The SCCs cover four different transfer scenarios and including processor scenarios:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

Once adopted the new SCCs need to be phased in within 12 months. For large organisations with many contracts, this may be difficult to complete on time.

What about “supplementary measures”?

At the heart of the Schrems II decision was the opinion that the US surveillance regime had excessive powers to access data and therefore presented a risk for data subjects. It was suggested companies need to consider the introduction of “supplementary measures” to protect data subjects:

  • The definition of supplementary measures is covered in guidance provided by European Data Protection Board meaning you have to read those recommendations as well as the SCCs themselves.
  • The draft SCCs include the need for the data exporter and the data subject to be notified if a legally binding request has been made to access personal data.
  • The draft SCCs suggests a risk-based assessment of whether such data requests have been made in the past and the likelihood of them happening in the future. This does contradict the EDPB which does not believe any subjective assessment of risk should be included.

The bottom line is any data exporter should consider what additional security arrangements should be made when considering transferring data to a third country and that determining those arrangements will, to a large extent, depend on the data protection regime in the recipient country.

How does Brexit affect all of this?

Any country with an adequacy agreement in place with EU does not need to worry about SCCs. The fact the UK has been issued with a draft EU decision is extremely promising news and if adopted means any contract with an EU company does not need to be subject to the inclusion of SCCs.

However there remains the challenge of updating all SCCs for any transfers outside EU (notably US) within the 12-month period once the SCCs been adopted. (And UK based companies are of course still subject to international transfer rules under UK GDPR).

What could you do now?

Until the new SCCs and the UK adequacy decision are finalised, companies are in a state of limbo. Having said that, there is plenty that can be done to reduce the risk:

  • Make sure you’ve mapped all the possible data transfers from UK to EU and other third countries
  • Evaluate which data is exported and ask yourself whether it needs to be exported
  • Consider which contracts already have SCCs in place and where they will they need to be updated
  • Ensure your contract due diligence is in place with a detailed questionnaire for potential suppliers
  • Pay particular attention to which jurisdiction data will be stored in and consider the level of risk – has your supplier created data silos
  • Review whether it’s possible to introduce supplementary measures to protect data. For instance encrypting data to protect it from surveillance
  • Investigate whether there are credible alternatives to US technology partners in EU

 

Need some advice about handling your businesses international transfers, or any other data protection matter? Get in touch – Contact Us 

European Commission publishes draft UK adequacy decision

February 2021

The European Commission has published a draft adequacy decision, under EU GDPR, which paves the way for the continued free flow of personal data from the European Economic Area and the UK.

However, before the decision is adopted, we need to await an opinion from the European Data Protection Board (EDPB) and a green light from a committee of EU Member States representatives.  There are still hurdles to overcome.

The draft decision states the Commission would continue to monitor relevant developments in the UK and invites the UK to inform the Commission of any material change to UK law which impacts on the legal framework of the decision.

(The EC has also published another draft decision for personal data related to law enforcement).

Why does adequacy matter?

This draft decision is significant as, outside the European Union, the UK becomes what’s termed a ‘third country’.

In the absence of an adequacy decision, in order for EU-UK data transfers to be conducted lawfully, additional measures would be required.

Where no adequacy decision exists, controllers and processors need to consider the following when transferring data from the EEA to a third country (like the UK):

  • Appropriate safeguards – for example, making sure rather onerous Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place between the parties, or
  • Exceptions for specific situations – for example, where an individual has given their explicit consent, or where the transfer is necessary to enter into or fulfil a contract with the individual.
  • A Union or State international agreement – which UK does not have with the EU.

Is adequacy in any doubt?

The Commission grants adequacy to countries which are assessed to have equivalent data protection laws to those in the EU. Some may be wondering why there are any worries the UK wouldn’t be granted adequacy. After all the UK implemented GDPR into UK law; now UK GDPR.

There have been some well-founded concerns UK surveillance law might throw a spanner in the works.

This fear was heightened last Autumn when the Court of Justice of the EU (CJEU) found UK law permitting intelligence agencies to collect bulk communications data was incompatible with EU law.

This draft decision under EU GDPR however appears to accept data protection law is essentially equivalent, but we are not out of the woods yet. 

Adequacy would bring a big sigh of relief!

The UK’s inclusion in the list of countries who’ve been granted adequacy, such as Israel, Argentina, New Zealand and Japan would be widely welcomed.

Robert Bond, Senior Counsel at Bristows;

“The adequacy decision will be a relief to so many organisations whether in the UK or the EU, and will ensure free flows of personal data between the EU and UK. It will be kept under review and will mean that the UK cannot diverge too far from the EU GDPR and related law such as E-Privacy.”

Thoughts echoed by Matthew Kay, Head of Data Privacy at Survitec;

“An adequacy ruling for the UK will be a welcome decision to many organisations worldwide. This will see data transported in a safe and secure manner increasing confidence and trust in the UK’s handling of personal data.”

Commenting on both draft decisions made on Friday 19 February, Information Commissioner, Elizabeth Denham said;

“The draft adequacy decisions are an important milestone in securing the continued frictionless data transfers from the EU to the UK. Today’s announcement gets us a step closer to having a clear picture for organisations processing personal data from the EU and I welcome the progress that has been made.”

What about transfers from the UK?

The rules regarding transfers from the UK to other countries broadly mirror the EU GDPR rules. So, you need to consider a) adequacy b) additional safeguards c) specific exceptions.

The UK has already declared data can freely flow from the UK to the EEA.

The UK Government now has the power to make its own adequacy decision in relation to other countries and these will be know as ‘adequacy regulations’. It has also said this will cover all adequacy decisions made by the European Commission (valid as at 31 December 2020).

What do we mean by data transfers?

In broad terms an international data transfer would occur where personal data is;

  • sent from an EEA country (or UK) to a another country
  • made accessible to a receiver outside the EEA (or UK)
  • is shared within the same corporate group outside the EEA (or UK)
  • is loaded onto a service which is available or may be accessed from outside the EEA (or UK) 

It doesn’t apply to sending personal data to someone employed by your company. Equally personal data that might be electronically routed through another country, but if it’s not accessed there, is not considered to be a restricted transfer.

Are existing EU Standard Contractual Clauses valid?

The ICO has confirmed the continued use of any EU SCCs (valid as at 31 December 2020) will be permitted for both existing restricted transfers or for new ones.

The EU has drafted revised SCCs, which address the big issue of government access to data. Revision of the SCCs was urgently needed after the Schrems II ruling by the Court of Justice of the EU in July 2020.

It’s proposed there will be a 12-month transition period to allow organisations to update contracts to adopt the revised SCCs. No small task for big organisations with multiple contracts to update!

But where does this leave UK controllers and processors? Will the UK adopt or accept these new SCCs? Hopefully we will get some clarity on this from the ICO soon.

We hotly await the final decision! 

 

Data protection team over-stretched? Find out how we can support you with our no-nonsense, practical and flexible Privacy Manager Service or just contact us and we can arrange a convenient time for a chat. 

Brexit: Do you need an EU Representative?

December 2020

Amongst the current whirlwind of Brexit-related stuff – international data transfers, adequacy decisions and possible UK data regime divergence – it would be easy to overlook the GDPR requirements regarding appointing an EU representative.

As of 1st January 2021 organisations in the UK, like others based outside the European Economic Area (EEA), may fall under this obligation. Conversely, organisations based outside the UK may fall under a requirement to have a UK representative.

Do you need an EU representative?

If you’re based in the UK and;

  • offer goods and services to individuals in the EEA
    or
  • monitor individual’s behaviour

And

  • you don’t have a branch, office or establishment in an EEA state

You’ll need to appoint an EU Representative.

What constitutes ‘Offering Goods and Services’?

The European Data Protection Board (EDPB) guidelines on GDPR territorial scope provides helpful pointers on whether you would be considered as ‘offering goods and services’ to EU citizens.

Just because your website might be accessible to EU citizens isn’t enough to warrant the necessity of having an EU Representative. It needs to be ‘apparent or envisaged’ your products and services are being offered to individuals in one or more EU member states.

Let’s take a look at what that means. Does your organisation;

  • describe products and services in the language of an EU member state?
  • offer prices in Euros?
  • actively run marketing and advertising campaigns targeting an EU country audience?
  • mention dedicated contact details to be reached from an EU country?
  • use any top-level domain names, such as .de or .eu?
  • describe travel instructions from one or more EU member state to where your service is provided?
  • mention clients/customers based in one or more EU states?
  • offer to deliver goods to EU member states?

Answering ‘Yes’ to one or more of the above means it’s likely you fall under the requirements of GDPR Article 27 to appoint an EU Rep.

You will not need to appoint a representative if you are;

  • a public authority
    or
  • your processing is only occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data.

For example, here at the DPN we don’t need to appoint an EU Representative. Our website is clearly accessible to EU citizens, people can sign up for our newsletter or webinars from anywhere in the world, and we may do some consultancy work for an EU-based company. However, we are a small business and our answer to all the above questions is NO.

However, if you are actively targeting marketing or advertising campaigns at EU citizens, you are likely to fall under the requirement.

What does an EU Representative do?

You’ve established you need an EU Representative? You need to know what their responsibilities are before finding a company to provide this service.

Your EU representative has the following core responsibilities:

  • co-operating with the EU supervisory authorities on your behalf
  • facilitating communications between EU citizens and your organisation
  • being accessible to individuals in all relevant member states (i.e. clearly mentioned in your privacy notice as the contact for EU citizens)
  • supporting you to manage your Record of Processing Activities (RoPA) in accordance with Article 30 of the GDPR.

A number of professional services have sprung up offering to be representatives, with Ireland proving a particularly popular location, not least because there are no language issues for UK companies.

However, you should be mindful you need to pick a relevant country, if your clients/customers are primarily Italian, your representative should be based in Italy.

What about UK Representatives?

Under UK GDPR (which will sit alongside an amended version of the UK DPA 2018) there will also be an obligation on organisations based outside the UK to appoint a UK representative if they have no office, branch, establishment in the UK and they;

  • offer good and services to UK citizens
    or
  • monitor the behaviour of UK citizens

Again, if your processing of UK citizen’s data is occasional, is of low risk to the data protection rights of individuals, and does not involve the large-scale use of special category or criminal offence data, the requirement for a UK Rep will not apply.

Finally, if you haven’t done so already any UK organisation needs to update their policies and privacy notices to reflect that the UK will be outside the EU. You may also need to just double check any DPIAs and other assessments regarding international data transfers.

Also see the ICO’s Guidance on EU Representatives

 

Evaluating the management of privacy choices

November 2020

The challenge for multi-nationals when addressing privacy choices

Across international operations, different stakeholders and personal data and communication privacy laws around the world, multinational organizations are increasingly challenged with addressing choice.

This is especially true now that some privacy laws require organizations publish information on their website about the number of choices they receive, if they denied or complied with the choices and the average amount of time needed to fully address the choices specified.

From incorporating flags or building out existing systems, standing up ticketing systems to facilitate internal choice requests and enterprise-class preference centers, organizations have more solutions available today than ever before.

Yet, what is good for one organization might not be the right solution for another. In our experience, the right solution is effective, lean and nimble.

The following offers insight into how an organization might gather the information about their choice management efforts needed to prepare for change, address inefficiency or evaluate different strategies and solutions.

What choice means, how it applies and who is responsible

At the heart of the matter, “choice” is central tenant of privacy, marketing and communication laws all over the world. Organizations must understand what choice means in relation to their business; especially across internal stakeholders, processing activities, systems and business partners.

Choice may be relevant to whether an organization can process personal data lawfully or use it in support of a specific business purpose.

For example, some processing activities require the organization to establish a legal basis before processing can begin; which may be dependent upon offering and capturing “valid” choices.

Choice can also apply to how personal data is processed; such as whether an organization can leverage automated decision making or profiling techniques; or even if personal data can be transmitted or made accessible to an internal stakeholder located in another country.

Choice may relate to addressing mandatory privacy rights; such as data access, portability or deletion requests. Choice can even apply in the context of communicating with individuals in support of relational, transactional and marketing needs and objectives and across the organization’s different communication channels.

To fully appreciate the impact of choice, organizations must first catalog the applicable choices and the stakeholders responsible for addressing choice.

Organizations can often rely upon existing information to facilitate these review efforts; such as lists of processing activities, processing dataflows, and personal data inventories often maintained by privacy departments.

Additionally, getting a list of systems from IT, and a list of business partners from accounting can also help speed up and qualify the scope of the choice review.

It is also useful to build a coalition of relevant stakeholders from research and development, marketing, operations and legal to help fully inform or qualify the “choice” within the organization.

Understanding the impact of choice

With the list discrete choices defined, work with the relevant stakeholders to define or validate the impact of fully addressing each choice.

Start by having each responsible stakeholder help define the flow of the choice from expression to completion. Be sure to include all systems, other stakeholders and business partners relevant to the choice as it progresses along the dataflow.

Additionally, take note to define where choice is addressed using automated or manual procedures. After completely mapping out the dataflow, take the time needed to define or affirm the total labor (or cost) and duration required to fully address each choice.

Consider the following tips when working through this exercise.

  • Choices expressing an objection to the processing of personal data for legitimate interest or direct marketing purposes typically override the organization’s ability to lawfully process such data.
  • Choices related to preventing automated decision making, profiling and “do not sell” may need to be addressed a deletion choice to the extent the organization has no meaningful way honoring the choice as specified.
  • Choices can be addressed as a flag in a customer database, create a record in a suppression file or require the summary deletion of the personal data involved.
  • The impact of choice relates to what the choice expressed represents, and the total effort and time required to fully address choice.
  • Automated choice processes, such as automatically updating a flag or creating a suppression record, are most often associated with communication choices.
  • Processing choices typically have a greater impact; requiring more time, resources and systems to help the organization authenticate identity, compile data from across different source, prepare and delivering copies of information.
  • Time and duration measurements should begin when the choice is first expressed and end when all requisite actions are complete across all the relevant processing activities, stakeholders and systems.

Benefits

Cataloging and affirming the management of choice across the enterprise helps organizations in several ways. First, this exercise helps the organization focus upon the complexity and risk profile associated with addressing choice.

This exercise can also be used to document and affirmatively demonstrate the organization is reasonably managing compliance obligations.

By completing this exercise, organizations are better able to identify inefficiency associated with where choice management efforts might be duplicated, risks are present or where additional focus may be required to address identified risks.

Additionally, we strongly advise organizations complete this exercise in advance of making any fundamental change to their choice management efforts; especially related to implementing choice management solutions.

The resulting insight can be easily be translated into RFPs, used to create development requirements and evaluate how closely third-party solutions align to the organization’s needs.