GDPR Countdown: Compliance Checks for PII


The General Data Protection Regulation (GDPR) became law in May 2018. It requires organizations to comply with a range of data privacy and security rules, not all of which are straightforward to implement or fully settled. How far is your extensive set of web properties from full compliance?

The GDPR impacts any organization that provides services or goods to European Union residents, even if the organization itself is not based in the EU. Failure to comply with GDPR regulations may result in severe penalties, including fines of 20 million euros or 4 percent of the organization's annual revenue (whichever is greater). 

One of the key aspects covered by GDPR is the personal data your organization might be collecting about your customers. This includes data collected by clickstream analytics solutions, and it may come in many forms, such as email addresses, telephone numbers, IP addresses, names, Social Security Numbers, etc.

Analytics vendors such as Adobe Analytics and Google Analytics have recommended not sending PII data to their data centers for quite some time now, but the reality is that such data often gets inadvertently collected.

Some of the common places where PII data gets collected include account creation forms, sign-in flows, and shopping cart confirmation pages.

There are software packages that promise to validate whether the data you collect is free of PII, but such vendors are often not equipped to handle these common user flows easily. Spider-based solutions typically need a significant amount of customization, in the form of code you would have to write, before they can automate the detection of PII, and in some cases creating such scenarios is out of reach altogether.

QA2L was built specifically for such complex interactions and for the modern web. You won't need to write custom code or install cumbersome plugins to automate user flows such as purchasing a product or creating an account. Our browser-like interface allows you to create the steps of your flows in a manner very similar to the way you normally navigate websites. As you go through each step of your flow, we'll detect the tags that are being sent to your various MarTech vendors and allow you to verify those tags against any user-specified rules, including rules that detect PII.

Let's illustrate that with the following example:

1. Using QA2L's Design Flow interface, we'll navigate to an Account Create Page and fill out the Account Create form without any coding:


2. On the next page, once the account has been created, we'll enable PII checks for the data we send to Google Analytics to make sure we are not collecting various kinds of PII, including: IP Addresses, Email Addresses, Zip Codes, 10-digit Phone Numbers, and Social Security Numbers. Note the use of the [any param] macro, which allows us to search for PII across any query parameter that gets sent to GA.



For this step, in addition to checking specific dt, ec, ea parameters, we have enabled various Regular Expressions to perform the PII checks together with the "must not match" operator.

The RegEx syntax is provided as a starting point and the exact syntax can be further modified depending on the specific needs.

RegEx for IP Addresses:
/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/

RegEx for Email Address:
/^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$/

RegEx for Zip Codes :
/^[0-9]{5}(?:-[0-9]{4})?$/

RegEx for 10-digit Phone Numbers:
/^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}$/

RegEx for Social Security Numbers:
/^(?!(000|666|9))\d{3}-(?!00)\d{2}-(?!0000)\d{4}$/

3. QA2L gives you the flexibility to create your own custom RegEx for any parameter you'd like to check. But we also offer several prebuilt PII components that you can enable at the click of a button:



4. Once the flow has been created and the rules enabled, QA2L allows you to save your task and schedule it. The set of steps you specified will then run on the schedule you chose and will be validated by the custom rules you have built.

PII checks can be implemented at scale using QA2L's fully automated Scan features. Unlike Flows, Scan tasks can autonomously go through all of the pages on your site (including pages that require authentication) searching for traces of PII information in the data collected by any of your MarTech vendors.
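To make the "must not match" logic concrete, here is an added example (not QA2L's code) that applies the five RegExes above to every query parameter of a Google Analytics Measurement Protocol hit, the way the [any param] macro does. The hits and the UA-00000-1 property id, IP address and email address in them are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The page's "starting point" RegExes, keyed by the PII type each one catches.
# Caveat: the email, zip, phone and SSN patterns are anchored with ^ and $, so
# they only fire when a parameter's ENTIRE value is the PII; the IP pattern
# uses \b and fires on substrings. Drop the anchors if values may embed PII.
PII_PATTERNS = {
    "ip_address": re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"),
    "email": re.compile(r"^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$"),
    "zip_code": re.compile(r"^[0-9]{5}(?:-[0-9]{4})?$"),
    "phone_10_digit": re.compile(r"^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}$"),
    "ssn": re.compile(r"^(?!(000|666|9))\d{3}-(?!00)\d{2}-(?!0000)\d{4}$"),
}


def find_pii(hit_url):
    """Run every 'must not match' rule over every query parameter ([any param]).

    Returns a list of (parameter, pii_type) violations; an empty list means the
    hit passes. Values are URL-decoded before matching, as GA would see them.
    """
    violations = []
    for param, value in parse_qsl(urlsplit(hit_url).query, keep_blank_values=True):
        for pii_type, pattern in PII_PATTERNS.items():
            if pattern.search(value):
                violations.append((param, pii_type))
    return violations


# Constructed sample hits (not real traffic) from a hypothetical account-create
# confirmation page. The second one leaks the new user's email in the event
# label (el) and their IP address in custom dimension 1 (cd1).
CLEAN_HIT = ("https://www.google-analytics.com/collect?v=1&tid=UA-00000-1"
             "&cid=35009a79-1a05-49d7-b876-2b884d0f825b&t=event"
             "&dt=Account%20Created&ec=account&ea=create&el=success")
LEAKY_HIT = ("https://www.google-analytics.com/collect?v=1&tid=UA-00000-1"
             "&cid=35009a79-1a05-49d7-b876-2b884d0f825b&t=event"
             "&dt=Account%20Created&ec=account&ea=create"
             "&el=jane.doe%40example.com&cd1=203.0.113.42")

if __name__ == "__main__":
    for name, hit in (("clean", CLEAN_HIT), ("leaky", LEAKY_HIT)):
        print(name, find_pii(hit) or "PASS")
```

Because the email rule is anchored, a label such as "user jane@example.com created" would slip through unchanged; that is the kind of adjustment the page means when it says the syntax is a starting point.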
