Disclaimer: this blog post has been written by digital analysts, not lawyers. The purpose of this article is to explain you in details how we filled in the information asset register for Matomo. This work comes from our interpretation of the UK privacy commission resources (ICO). It cannot be considered as professional legal advice. So as GDPR, this information is subject to change.
The information asset register is for us one of the most important parts of the GDPR implementation process. It consists of an inventory of all information systems you are using to process personal data, exactly like a ledger for an accountant. Note that small and medium-sized organizations could be exempted.
Filling out this register can be a time-consuming activity. Therefore, we decided to show you a real case sample which we did for Matomo Analytics :) You or your Data Protection Officer (DPO) will then face less difficulty filling it in.
How did we fill in our information asset register?
Well, we did not start from scratch.
In fact, several privacy commissions are providing templates for the information asset register:
- Belgium official template in French / Belgium official template in Dutch
- French template
- Irish template
We decided to go for the one of ICO (UK). The ICO template is very exhaustive and helped us prepare the other steps required by GDPR.
It is composed of 30 questions.
Note that within the template provided by ICO, a spreadsheet example is provided:
Let’s see in details the different values we inserted for Matomo Analytics.
1 – Business function
It relates to the department which is using Matomo within your organization. For us it is mainly the Marketing department which is using it.
2 – Purpose of processing
Here the question is as follows, “Why are you using Matomo?”. In our case, “To analyze the behavior of our visitors on our websites in order to improve the user experience.”.
3 – Name of the service*
This column is not included within the official document of ICO, but we found it confusing not to see the name of the different services we are using, that’s why we added a column just for that. The value we are adding into this column is Matomo Analytics.
4 – Name and contact details of joint controller (if applicable)
Ok… so what is a joint controller? It is when two organizations are jointly determining the purposes and means of processing. Here is the official example from the European Commission:
In most of the cases you will be on your own. That’s why we are writing in this cell “Not Applicable” (N/A).
5 – Categories of individuals
ICO is giving a clear understanding of the values which are expected here: employees, successful candidates, unsuccessful candidates, existing customers. In our case we are using Matomo for our “website visitors” but we could also have inserted: employees if we were using Matomo on our intranet, or customers for our cloud infrastructure…
6 – Categories of personal data
ICO examples are Disability details, Contact details, Purchase history, Lifestyle information; but we prefer describing in detail the categories of data which are processed. That’s why we went for first party cookies, order ID (Matomo shop).
Is order ID a personal data?
« The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. » Source: ICO.
To us, an order ID is personal data as it is an online identifier which can indirectly identify a person.
Note that even if it is not asked we could also include non personal data that Matomo is processing by default.
7 – Categories of recipients
It means to whom the personal data will be disclosed. In our case we have two recipients, the Matomo team members and our hosting provider (also called data processor under GDPR). So basically here in some cases you may have only one recipient if you are hosting Matomo on your own server, possibly two if you have a subcontractor.
8 – Link to contract with processor
When working with a data processor, this company needs to make you sign a contract called the data processing agreement. This document defines the responsibilities and liabilities of each party involved. So in your case there is a high chance that the data processor will be your hosting platform; note that in some cases it can also be an agency or a cloud provider.
If you are an InnoCraft cloud customer, see the InnoCraft Cloud Data Processing Agreement.
Once signed, you simply need to indicate within the cell where you can access a copy of it.
9 – Names of third countries or international organizations that the personal data is transferred too (if applicable)
Third countries mean any country outside of the EU. In our case, as the data is transferred to France, we marked this field as N/A.
Note that we are hosting data in France, but you are free to host the data wherever you want when you use the self-hosted Matomo Analytics.
10 – Safeguards for exceptional transfers of personal data to third countries or international organizations (if applicable)
If your data is transferred to a third country, you need to indicate that they have a proper safeguard. The easiest case we found so far is when the data is transferred to the United States. In this exceptional case, you need to show at minimum that the company to which the data is transferred to, is registered to the privacy shield.
11 – Retention schedule (if possible)
In this field, you need to write for how long the data will be recorded. Principle 5 of GDPR requires you to retain personal data no longer than is necessary for the purpose you obtained it for. In our case, we are following the recommendation of the French privacy commission, CNIL, which in a former guide indicates a retention period of 13 months for Matomo.
12 – General description of technical and organizational security measures (if possible)
Of course, we strongly recommend you to adopt security measures in order to secure your Matomo installation. Security is a huge topic. Here are the different points we identified so far in order to secure a Matomo installation. Security is also going beyond, that’s why we also recommend you to follow for example this training about security.
13 – Article 6 lawful basis for processing personal data
In this field, you need to indicate what is the lawful basis for processing personal data with Matomo. To us, the GDPR text is not 100% clear about which lawful basis may fit for Matomo. At the time of writing, we would say that the lawful basis is “legitimate interest” under Article 6(1)(f).
As ICO mentions it:
« It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. »
In our case we can justify that as an analytics provider, people expect our analytics solution to be installed on our website with all our features.
Note that you could also use the “Consent” lawful basis. It really depends on your use of Matomo.
14 – Article 9 basis for processing special category data
Under GDPR, special category data refers to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics data, health, sex life, sexual orientation (non exhaustive list).
We are not processing special category data on Matomo websites and that’s why we inserted N/A in this cell, but it may be different for you. For example in large organizations, you may have trade union membership pages on your intranet, so it is somehow processing data and need to be indicated then.
15 – Legitimate interests for the processing (if applicable)
Why are we processing personal data? Well in our specific Matomo situation, we are processing personal data through our analytics platform because we are an analytics provider.
16 – Link to record of legitimate interests assessment (if applicable)
Here you need to indicate all the reasons which guide you through the choice of going for the legitimate interest lawful basis.
17 – Rights available to individuals
You need to indicate, according to the lawful basis you choose, what are the different rights that the data subject can exercise.
18 – Existence of automated decision-making, including profiling (if applicable)
Automated decision-making and profiling refers to:
“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
As we do not have such features, this field is taking the following value N/A.
19 – The source of the personal data (if applicable)
The source is the data subject; through their browser, he or she is firing the Matomo tracking code.
20 – Link to record of consent
If you are using the lawful basis “consent”, then you will need to link to the database or resource where you record the consent of your users.
21 – Location of personal data
In our case, this is where the hosting provider of the Matomo server is located. We could then see precisely in which country the data is hosted. If you are using the InnoCraft Analytics Cloud, the location of the data is in Paris/France.
22 – Data Protection Impact Assessment required?
23 – Data Protection Impact Assessment progress
Answer according to the previous point. In our case it is still N/A.
24 – Link to Data Protection Impact Assessment
CNIL is providing a great software which is open source in order to conduct DPIA. You can easily link to it or to the json file it will generate.
25 – Has a personal data breach occurred?
Well as far as we know the answer is no. But if one day it happened, well of course we would answer yes.
26 – Link to record of personal data breach
As a data breach requests a special procedure, this is where you will link it to your documentation.
27 and after – Special Category or Criminal Conviction and Offence data
At Matomo, we are not dealing with Special Category or Criminal Conviction and Offence data; we cannot give you a proper example to answer those remaining questions.
This is the end of our blog post, if you would like to see how we filled in the information asset register for Matomo analytics on matomo.org, have a look at our information asset register template.
We really hope you enjoyed reading this blog post, feel free to write to us any ideas you would like to read about regarding GDPR.