From May next year, the General Data Protection Regulation will go into full effect. You might think this has little to do with your UX work, but you would be wrong: the GDPR will have major consequences for how we deal with privacy and personal data, and it also applies to your work processes.
Clovis Six and Saskia Videler will give you a primer in GDPR and offer you a crystal clear overview on how to implement GDPR in your workflow.
– As a UX researcher Clovis Six often gets confronted with privacy issues in the projects he works on. But as a white knight of privacy, he always saves the day with his knowledge and resourcefulness, whilst protecting the privacy of the user. He feels like it’s his duty to get the privacy conversation going.
– Saskia Videler marries content + UX in her practices as content strategist. Through a thorough understanding of the end-user, she’ll make sure that they will be able to perform their tasks.
5 key takeaways
● Ask for consent and data in context.
  Be clear, transparent and fair.
● Handle personal data with care.
  Allow for viewing, editing and deleting by the data subject.
● Know your dataflows!
  Risk assessments need to be done regularly.
● Fix your privacy policy.
  Make it easy to understand, no legalese allowed!
● GDPR is actually good for UX.
  It will guide design and content towards transparent, clear communication and trust.
More info
The official text of the regulation:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
The regulation explained by the European Commission:
http://ec.europa.eu/justice/data-protection/index_en.htm
The podcasts we’ve made about GDPR, UX and content:
https://www.efficientlyeffective.fm
Privacy by Design guidelines:
https://www.enisa.europa.eu/topics/data-protection/privacy-by-design?tab=publications
Remember to check with privacy experts and legal professionals for your specific situation.
European Commission & European Parliament / applies to all companies handling data of European citizens
Purpose: to protect the privacy of European citizens. Practices of SV; Quazu going through our data
Full effect per May 28th 2018, now in grace period (started May 2016)
Set of strict rules, active & reactive enforcement
Fines: 4% of annual global revenue or 20 million euro, whichever is higher
Relevance for you: your company could be directly liable or, as an agency, you will lose clients if you don’t comply. There’s no way to run.
Fictitious offline pharmacy chain that recently launched a webshop
Dan (eCommerce Manager)
Alpha-male type executive
On his way to the top he gained widespread data access
Privacy is never a big issue
Type of person: nothing to hide & open with his own data
Gains access to customer data to…
Check on employee health
Profile girlfriends of his daughter
The GDPR requires a new way of asking for, handling and storing data.
Quazu needs to make it very clear to the customer what they’ll use the data for, and may not use it for anything else: delivery, giving you a specific service (asking for a pathology). The purpose must be specific (‘for marketing purposes’ isn’t specific enough and doesn’t help the customer).
Quazu can no longer ask for data you want, only for the data you need to operate the service for your customer
You need clear and informed consent of the consumer to acquire, store and handle their data
Quazu has to be clear, fair and transparent
The customer needs to be able to easily view, edit or delete their data. You can never store their data indefinitely
Quazu needs a good and clear flow for users to do this
The data controller is responsible for what happens with the data. You cannot deny responsibility when something goes wrong at a processor (e.g. the postal service), so choose processors wisely.
Quazu: Newsletter or postal service
GDPR Task Force
Data Protection Officer
Risk analysis
Data Protection Impact Assessment (DPIA) (to check)
Dataflows inventory
PbDes (Privacy by Design): taking privacy into account at every step of the process (def & maintenance)
PbDef (Privacy by Default): always opting for the highest privacy settings for the data subject. No pre-ticked opt-ins, no automatic publishing of their personal data
Redesign check-out
UX agency as contractor
Let’s walk over the project steps and see how privacy can be taken into account.
Privacy by Design
Data Protection Impact Assessment (DPIA)
Figure out who the Data Protection Officer (DPO) is
Some projects are not worth the risk or investment needed to comply with the regulation
What (personal) data is needed?
Who needs it and for what purpose?
What are the risks handling this data?
What are the security measures needed?
First requirements:
Security features
Data subject rights enablers
Removal of personal data (ex: removal account)
Ability to edit data
Necessary transparency
Privacy policy
Contextual information around personal data
Consent
Surveys
Eye/mouse tracking
Profiling
Usability studies
Interviews
...
All of these usually include some form of personal data.
At end of survey
No major effect on drop-off
Don’t forget: Make privacy policy dummy-proof
Non-identifiable user segment representation.
So never use real names!
Only use first names or last names
Pictures (& other personal data) need consent.
Example of an Excel transfer to the controller
File copies
Backups
Anonymisation
Multiple ways of sharing information based on the check-out selection
Guest check-out
Checkout with account
Adaptation depending on other context:
Delivery method
Payment method
Products (like extended warranty)
Controller - processor example
again: controller - processor
Get yourself some GDPR goggles and use them for at least a few seconds on everything you do.
No more 13 page long documents of legal mumbo jumbo
Look at it from the perspective of the data subject
Has to be easy to understand