Understanding Privacy by Design in server-side tracking
Integrating Privacy by Design into tag management systems
In the digital age, organisations increasingly rely on data to drive decision-making and improve user experiences. That’s why data protection and GDPR compliance are more critical than ever. Privacy by Design (PbD) is an essential approach for embedding data privacy into every step of your IT and business practices, especially within tag management systems for web and app tracking.
What is Privacy by Design?
Privacy by Design (PbD) is a methodology that integrates privacy into the lifecycle of IT systems and business practices. It ensures that privacy is considered at every stage, from initial design to final deployment, making privacy a default setting rather than an afterthought.
7 key principles of Privacy by Design for secure data management
- Proactive not reactive: Anticipate risks and prevent privacy impacts before they occur through design choices.
- Privacy as the default: Ensure users get the highest level of privacy protection by default.
- Collection limitation: Collect only the necessary data for which you have consent. This may be based on grounds such as consent, legal obligation or legitimate interest.
- Data minimisation: Collect only data needed for specific purposes.
- Data retention: Do not store data longer than necessary, based on a clear retention policy.
- Privacy embedded into design: Integrating privacy into digital products should be part of the conversation from the start. All decisions should be filtered through a privacy-first perspective.
- Positive-sum, not zero-sum: Ensure that the use of personal data creates value for everyone involved, not just for one side. Utilising personal data should result in a 'win-win' scenario, benefiting both your organisation’s goals and the individuals whose data is being processed.
- Security measures: Implement robust security measures to protect data during extraction, transformation, and loading. This includes encryption, access management, secure data transfer protocols, and regular security audits.
- Transparency: Clearly communicate to users what data is being collected and for what purpose.
- User-centric: Put users in control of their privacy settings.
Duality of tag management
Typically, tag management involves deploying and managing tags (small snippets of code) on websites and apps to collect data. These tags track user behaviour, gather analytics, and facilitate marketing efforts. With the rise of server-side tracking, tag management has expanded beyond just being a client-side script. If you want to learn more about what server-side tracking is and isn’t, make sure to read this article.
Combining client-side and server-side tracking provides the best combination of flexibility, security, and configurability. This dual tracking approach is considered best practice and allows for the most control to ensure the PbD principles are implemented. Setting up server-side tracking doesn’t outright ensure compliance. This article explains best practices overall and debunks myths of privacy on server-side tracking.
Integrating Privacy by Design in tag management
When discussing ETL in the context of tag management systems, we refer to:
- Extracting relevant data points and placing them in a data layer.
- Transforming these data points from the source data layer to the desired format.
- Loading data by sending it to various endpoints for utilisation.
Typically, little attention is paid to privacy when adding data to the data layer. Data is often collected through client-side selectors or event tracking, without a clear structure indicating the sensitivity, type, or intended use of the data.
The Tag Management System is the best place to integrate PbD into your ETL process, as it centralises controls and allows for full adaptation to the organisation's choices and preferences. This centralisation ensures that machine or human errors have minimal impact. Each step in the ETL process removes unnecessary data, reducing the possibility of a breach or incident in the future.
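The ETL steps above, sketched as an added example (not code from the article or from any tag management product): fields are declared with sensitivity and purpose at extraction, minimised in the transform step, and loaded only to endpoints whose purpose has consent. FIELD_POLICY, ENDPOINTS, buildPayloads, the field names and the sample event are all hypothetical.

```javascript
// Added example; every name and the sample event below are constructed.
// Extract: each data-layer field is declared with sensitivity and purposes.
const FIELD_POLICY = {
  event:       { sensitivity: "none", purposes: ["analytics", "marketing"] },
  page_path:   { sensitivity: "low",  purposes: ["analytics"], transform: stripQuery },
  order_value: { sensitivity: "low",  purposes: ["analytics", "marketing"] },
  ip_address:  { sensitivity: "high", purposes: ["analytics"], transform: truncateIpv4 },
  email:       { sensitivity: "high", purposes: [] }, // never forwarded
};

// Load: each endpoint serves one purpose and requests a list of fields.
const ENDPOINTS = {
  analytics_tool: { purpose: "analytics", fields: ["event", "page_path", "order_value", "ip_address"] },
  // "email" is requested here by mistake; the central policy still blocks it.
  ad_platform:    { purpose: "marketing", fields: ["event", "order_value", "email"] },
};

// Transform helpers. Query strings often carry personal data, so drop them.
function stripQuery(path) { return String(path).split(/[?#]/)[0]; }
// Zero the last octet (IPv4 only in this sketch).
function truncateIpv4(ip) { return String(ip).replace(/\.\d+$/, ".0"); }

function buildPayloads(dataLayerEvent, consent) {
  const payloads = {};
  for (const [name, endpoint] of Object.entries(ENDPOINTS)) {
    if (consent[endpoint.purpose] !== true) continue; // privacy as the default
    const payload = {};
    for (const field of endpoint.fields) {
      const policy = FIELD_POLICY[field];
      // Undeclared fields and fields not approved for this purpose are dropped.
      if (!policy || !policy.purposes.includes(endpoint.purpose)) continue;
      if (!(field in dataLayerEvent)) continue;
      const value = dataLayerEvent[field];
      payload[field] = policy.transform ? policy.transform(value) : value;
    }
    payloads[name] = payload;
  }
  return payloads;
}

// Constructed sample event, including an undeclared field that must not leak.
const SAMPLE_EVENT = {
  event: "purchase", page_path: "/checkout/thanks?email=jane%40example.test",
  order_value: 59.95, ip_address: "203.0.113.42",
  email: "jane@example.test", scraped_form_value: "free text",
};
console.log(buildPayloads(SAMPLE_EVENT, { analytics: true, marketing: false }));
```

Because the policy is default-deny, a field added to the data layer without a declaration reaches no endpoint until someone classifies it.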
Conclusion
By integrating PbD into tag management systems through the ETL process, organisations can ensure robust data privacy and compliance. Combining client-side and server-side tracking provides flexibility, security, and control, while PbD principles embed privacy into every stage of data processing. For a deeper dive into implementing these practices, check out our detailed implementation guide on Privacy by Design in a server-side tracking setup here.
This is an article by Bram Ooms
Bram started as a Technical Web Analyst in 2019, where he focused on data implementations at clients such as Univé, DPG Media, Boels and Vodafone. Through his experiences with the impact of legislation on enabling data flow he developed an interest in data privacy, which he is now actively pursuing within Digital Power.