Google Analytics process means that both you and Google are sharing data. Google is supplying us with data in the form of reports therefore it’s a data processor for your business.
Google Analytics can hold PII, some forms of these are:
Check that URIs do not contain PII. For example, form fills can post the form fields into a URL:
These will then show in your analytics account as pages. To remove these, use the exclude query parameter tool found in the views. You will need to do this for every view you have.
Anonymization of IP addresses
Under the GDPR, an IP address is considered PII. Even though the IP address (by default) is never exposed in reporting, Google does use it to provide geo-location data.
To be safe, we recommend turning on the IP Anonymization feature in Google Analytics.
This is done via tag manager or by adding a line to the Analytics code. Your developers should be able to do this for you.
The result of this change is that Google will anonymize the IP address as soon as technically feasible by removing the last octet of the IP address (replacing it with a 0). This is complete before data storage.
The impact of using IP Anonymization is geographic reporting accuracy is reduced so your demographics reports will be less accurate.
One thing to be aware of when using Anonymizing IP is because the last three digits are removed before data arrives in analytics, your internal traffic filters may no longer work because the filter can no longer match the IPs. This will result in internal traffic being logged in your analytics reporting views.
To re-exclude your internal traffic, adjust your internal IP filter to match the first three octets of your IPs only. For example:
If your IP is 192.168.123.123 you would use exclude IP that begins with 192.168.123.
Note: Because this is a broader exclusion, this could also exclude some people outside your organisation.
More info from google here: https://support.google.com/analytics/answer/2763052?hl=en&ref_topic=2919631
Additional Info for User ID & Transaction IDs (not mandatory)
User ID This should be an alphanumeric database identifier. This should never be plain-text such as email, username or other PII.
Transaction IDs Although this is not a PII data source, it can lead to the identification of an individual when combined with other data sources. This ID should always be an alphanumeric database identifier to help reduce this risk.