
A Practical Approach to Reviewing Data Capture

 

As of today (27th February) there are only 87 days to go until the General Data Protection Regulation (more simply known as GDPR) is enforced. If you are yet to start inventorying your digital properties, I suggest this swiftly moves nearer the top of your to-do list! With this said, there is still time to ensure you are on the road to compliance.

If you still haven’t set wheels in motion, I’ve written this how-to guide which will hopefully answer some questions about how to go about carrying out this type of assessment, or alternatively act as a checklist if you’ve already begun/finished your checks.

Key changes under the GDPR and how they differ from previous legislation can be found on the official EU GDPR website, with additional guidance on the ICO’s helpful website; so instead of reiterating the legalities they’ve written perfectly well, it seems more fitting that as a Data Analyst I chat about the data capture itself.

* For the purpose of the rest of this guide, any mention of the term marketing tags covers both first and third party tags.

There are different levels of data anonymity: anonymous, pseudonymous and personally identifiable. To be GDPR compliant, any data that cookies and marketing tags collect on your site must not contain personally identifiable information (PII). Pseudonymous data records information that is related to you as an individual but, unless combined with other data (not in the public domain), is not directly identifiable. An example would be visitor IDs generated by analytics and performance tools, used to track session activity and store website preferences. In short, if you can verify you aren’t collecting PII data you’re already minimising your chances of data and privacy breaches come May.

 

There are a number of methods to investigate what data is being captured on your digital properties, all of which are perfectly suitable. What I would stress though is whichever of the below methods you use, make sure you check every page on your site as it is likely cookies and marketing tags will differ across pages and also may be dependent on what actions are taken on your site - for example, which choices are made in a particular user journey.

Look in the cookie log in your browser settings:

(Using Chrome as an example.)

  1. In the Chrome menu in the top right corner of the browser, select Settings
  2. Scroll down and select Advanced > Content Settings > Cookies > See all cookies and site data
  3. Firstly I would recommend clearing all cookies – this way you know that any cookies picked up are definitely from the page you are investigating
  4. Open a new tab in the browser and go to the web page you want to investigate
  5. Return to the other tab and refresh the page; a list of cookies (if any) will appear
  6. Now it’s a case of clicking on each cookie to see where it was set, what data is being captured and when the cookie expires.

As best practice, I would document this so that you have a record of the above-mentioned information, which will be a useful point of reference when it comes to verifying that any non-pseudonymous PII cookies have been removed successfully.

  7. Repeat steps 3-6 as needed (I realise this is starting to sound like a recipe, apologies).

NB - This method doesn’t account for checking marketing tags.

Install a free browser extension:

(Using the Chrome extension EditThisCookie as an example.)

Option 1: On the web page you want to investigate, open the Chrome console (F12). In the top menu of this console, select EditThisCookie; a list of all cookies found on that page will appear with the details for each including whether they’re first or third party. This is a lot easier than the above method as it saves you clicking into each cookie individually.  However, unfortunately this list does not update with every page load/action taken, so you have to close and reopen the console to retrieve an updated list.

Option 2: Alternatively, in the Chrome toolbar you should be able to see a cookie icon. Clicking this after each page load/action will give you an updated list of cookies that you can click on further to find out specific details. I know this sounds much like the browser settings method; however, the added benefit of using this option is that there is an export button at the top of this drop-down menu, which is a time saver when it comes to documentation.

Similar tools are available for inspecting marketing tags, but may have a limit to the number of pages you can scan for free.
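Once a cookie list has been exported, the documentation step can be partly automated. The following is an added example, not part of the original post or of any tool named here: a Node.js script that records each cookie's party and expiry and flags values that look like PII, including URL-encoded and base64-encoded ones. It assumes the export is a JSON array of objects with `name`, `domain`, `value`, `session` and `expirationDate` fields; the function names, patterns and sample data are constructed for illustration.

```javascript
// Added example: triage an exported cookie list for values that look like PII.
// Assumed input: array of {name, domain, value, session, expirationDate},
// with expirationDate in Unix seconds. Patterns are heuristics, not proof.
const PII_PATTERNS = [
  { kind: "email", re: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i },
  { kind: "uk-mobile", re: /(?:\+44|\b0)7\d{9}\b/ },
];
// Cookie values are often URL- or base64-encoded, so scan each decoding.
function candidateDecodings(value) {
  const out = [{ encoding: "raw", text: value }];
  try {
    const url = decodeURIComponent(value);
    if (url !== value) out.push({ encoding: "url", text: url });
  } catch (e) { /* malformed %-sequence: scan the raw value only */ }
  if (/^[A-Za-z0-9+\/]+={0,2}$/.test(value) && value.length % 4 === 0) {
    out.push({ encoding: "base64", text: Buffer.from(value, "base64").toString("utf8") });
  }
  return out;
}
function findPii(value) {
  const findings = [];
  for (const { encoding, text } of candidateDecodings(value)) {
    for (const { kind, re } of PII_PATTERNS) {
      if (re.test(text)) findings.push(`${kind} (${encoding})`);
    }
  }
  return findings;
}
// Simplified first/third-party check: no public-suffix list is consulted.
function partyOf(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d) ? "first" : "third";
}
function auditCookies(cookies, siteHost, nowSeconds) {
  return cookies.map((c) => ({
    name: c.name, domain: c.domain, party: partyOf(c.domain, siteHost),
    expiresInDays: c.session ? null : Math.ceil((c.expirationDate - nowSeconds) / 86400),
    findings: findPii(String(c.value)),
  }));
}
// Constructed sample export; every name, domain and value is made up.
const SAMPLE_NOW = 1519689600; // 2018-02-27T00:00:00Z
const SAMPLE_EXPORT = [
  { name: "_ga", domain: ".example.com", value: "GA1.2.1234567890.1519689600", session: false, expirationDate: 1582761600 },
  { name: "user_email", domain: "www.example.com", value: "jane.doe%40example.org", session: false, expirationDate: 1551225600 },
  { name: "trk", domain: ".adnetwork.example", value: "am9obkBleGFtcGxlLm9yZw==", session: true },
];
console.table(auditCookies(SAMPLE_EXPORT, "www.example.com", SAMPLE_NOW).filter((r) => r.findings.length));
```

A flagged cookie is a prompt for manual review, and an unflagged one is not proof of compliance, since identifiers can be stored in forms these patterns do not cover.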

Use a third party tag auditing tool:

As mentioned before, all listed methods of investigating data capture are perfectly acceptable; however, the previous two approaches aren’t really ideal for organisations with a larger digital estate. Imagine you have over 3,000 web pages, with some cookies and marketing tags journey dependent! Firstly, carrying out these checks for all of these scenarios is a huge task in itself, let alone if you find personally identifiable data being captured, meaning cookies and/or tags need to be removed. If you then wanted to verify these had been removed successfully or re-scan your site(s), the above approaches simply aren’t maintainable.

That’s where sophisticated tools such as ObservePoint or Evidon come into play. Having used ObservePoint myself, if asked the benefits of this approach vs other Chrome tools, the following phrases would come to mind: scalable, manageable, replicable, quicker, less laborious and consistent. Obviously, these advantages come at a cost, but the gain is significant.

 

Regardless of how prepared you are at this moment in time, our recommendation is that in 87 days’ time you should be able to agree to all of the below statements:

  • I know what data is being collected by all cookies and marketing tags on my site
  • All cookies and marketing tags on my site are GDPR compliant
  • Any non-compliant cookies and marketing tags have been removed from my site
  • We have a plan in place to continually review the compliance status of cookies and marketing tags
  • My cookie policy is up to date
  • My site gives users the option to opt-out where applicable

If you need any help ticking the boxes or want to understand more, do get in touch and see how Station10 can help.