The arrival of GDPR is set to affect the way that personal data is stored and used, and is designed to make internet services re-evaluate the way they store data.

Google Analytics is one of the most powerful tools in our SEO toolkit. A far cry from its first introduction, Google Analytics tools are now some of the most advanced of their kind. This is why we’re not surprised that GA is already prepared for the upcoming changes required by GDPR. 

How much data is too much?

The way that data from Analytics is being handled and exported to a variety of other programs and dashboards, like Google Data Studio, means that businesses are gathering more data than required. Ultimately, many brands use GA for reporting, and the storing of this unneeded data presents an issue in the event of a data breach.  

In line with GDPR coming into effect on May 25th, Google Analytics is bringing out Data Retention controls to help solve this issue. These are designed to provide users with “the ability to set the amount of time before user-level and event-level data stored by Google Analytics is automatically deleted from Analytics’ servers.” In other words, Google Analytics is providing users with the opportunity to preset how long GA retains data for before it is automatically deleted. The options currently stand at:

– 14 months
– 26 months
– 38 months
– 50 months
– Do not automatically expire

If you apply changes to the retention period, any data outside of the retention period is deleted during the next monthly iteration. If the retention period is modified, Google Analytics allows a 24-hour period during which you can revert to your previous retention setting, in which case your data will remain unaffected.

You also have the option to reset the retention period on new activity, meaning the retention period of a user identifier is reset with every new event from that user. So if the data retention period was set to 14 months, but a user starts a new session monthly, then the user’s identifier is refreshed each month – and as a result won’t meet the 14-month expiry. However, if the user then doesn’t start a new session before the retention period finishes, that user’s data will be deleted. You can also opt to turn this off.

So, do these changes help me?

By introducing these Data Retention controls, you can reduce the risk of your business being liable if a data breach should occur. By ensuring that the data you collect is periodically deleted over time, you can also decrease the risk of data being leaked – after all, you can’t have your data breached if you’re not storing it to begin with.

The retention period you choose is said to affect user-level and event-level data associated with the identifiers used in GA. This includes cookies, advertising identifiers like DoubleClick cookies, and user IDs.

We asked one of our Search Account Managers, Sam Caesar, how he felt about the latest feature, and how it affects brands complying with GDPR regulations. “This is definitely a good start on the road to compliance, but there are further steps that can be taken to ensure the ‘belt and braces’ approach will keep you out of hot water,” he explained. “For example, making sure that you’re not even collecting personally identifiable information in the first place! This can be done by anonymising the data using Google Tag Manager (read more here)”

To learn more about how data retention works, check out this Analytics help page. For more information on GDPR and its regulations, and how they can actually help your business, visit us at our first GIANTtalks of the year “GDPR… It’s a good thing”. Don’t miss out on your free ticket!