GDPR & how it impacts your UX / content work
•Download as PPTX, PDF•
4 likes•2,563 views
From May next year, the General Data Protection Regulation will go into full effect. You might think that this has not much to do with your UX work, but then you’re wrong. Because the GDPR will have great consequences on how we deal with privacy and personal data, and is also applicable to your work processes. Clovis Six and Saskia Videler will give you a primer in GDPR and offer you a crystal clear overview on how to implement GDPR in your workflow. – As a UX researcher Clovis Six often gets confronted with privacy issues in the projects he works on. But as a white knight of privacy, he always saves the day with his knowledge and resourcefulness, whilst protecting the privacy of the user. He feels like it’s his duty to get the privacy conversation going. – Saskia Videler marries content + UX in her practices as content strategist. Through a thorough understanding of the end-user, she’ll make sure that they will be able to perform their tasks.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to GDPR & how it impacts your UX / content work
Similar to GDPR & how it impacts your UX / content work (20)
Recently uploaded
Recently uploaded (20)
GDPR & how it impacts your UX / content work
- 1. (This presentation may save you +20mln euros!)
- 2. Hello! We’re Clovis Six & Saskia Videler
- 3. What we’re going to talk about… GDPR, UX and content
- 4. GDPR: General Data Protection Regulation Deadline: May 28, 2018
- 5. Quazu case
- 6. Asking for personal information
- 7. Be clear about your goals
- 8. Allow for viewing, editing and deletion of data Ps: check out roeckoe.be for a cool case about this!
- 9. Data controller is always responsible (and liable in case of breaches or neglect) controller processor
- 10. GDPR Task Force Feat. DPO
- 11. Privacy by design Feat. Privacy by default
- 17. Assess your research setup
- 20. Fix your user representation
- 21. “Can we get the raw data?”
- 22. Design with privacy in mind
- 23. Account
- 24. Check-out > Account Privacy Policy
- 27. Get yourself some GDPR glasses and look at everything you do for a few seconds through those glasses.
- 28. How to fix your privacy policy
- 29. How to fix your privacy policy Clear, unambiguous language. No jargon or legalese. Example from Age.co.uk
- 30. How to fix your privacy policy Use icons to communicate the privacy policy Icon set from Aza Raskin at Mozilla
- 31. How to fix your privacy policy
- 32. ● Ask for consent and data in context. Be clear, transparent and fair. ● Handle personal data with care. Allow for viewing, editing and deleting by data subject. ● Know your dataflows! Risk assessments need to be done regularly. ● Fix your privacy policy. Make it easy to understand, no legalese allowed! ● GDPR is actually good for UX It will guide design and content towards transparent, clear communication and trust. 5 key takeaways
- 33. More info The official text of the regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 The regulation explained by the European Commission: http://ec.europa.eu/justice/data- protection/index_en.htm The podcasts we’ve made about GDPR, UX and content: https://www.efficientlyeffective.fm Privacy by Design guidelines: https://www.enisa.europa.eu/topics/data-protection/privacy-by-design?tab=publications Remember to check with privacy experts and legal professionals for your specific situation.
Editor's Notes
- European Commision & European Parliament / all companies handling data of European citizens to protect the privacy of European citizens, practices of SV, Quazu going through our data Full effect per May 28th 2018, now in grace period (started May 2016) Set of strict rules, Active & reactive enforcement Fines: 4% annual global revenue or 20mln euro / whichever’s higher Relevance for you: your company could be directly liable or, as an agency, you will lose clients if you don’t comply. There’s no way to run.
- Fictitious offline pharmacy chain that recently launched a webshop Dan (eCommerce Manager) Alpha-male type executive Way to the ceiling gained widespread data access Privacy is never a big issue Type of person: nothing to hide & open with his own data Gains access to customer data to… Check on employee health Profile girlfriends of his daughter
- The GDPR requires a new way of asking for, handling and storing data. Quazu needs to make it very clear to the customer what theyl use it for. You may not use it for anything else: delivery, giving you specific service (asking for a pathology). Specific (‘for marketing purposes’ isn’t specific enough doesn’t help the customer) Quazu can no longer ask for data you want, only for the data you need to operate the service for your customer You need clear and informed consent of the consumer to acquire, store and handle their data Quazu has to be clear, fair and transparent
- You need clear and informed consent of the consumer to acquire, store and handle their data
- The customer needs to be able to easily view, edit or delete their data. You can never store their data indefinitely Quazu needs a good and clear flow for users to do this
- The data controller is responsible for what happens with the data. You cannot deny responsibility when something goes wrong at a processor (postal service, choose processors wisely. Quazu: Newsletter or postal service
- GDPR Task Force Data Protection Officer Risk analysis Data Protection Impact Assessment (DPIA) (even checken) Dataflows inventory
- PbDes: taking privacy into account at every step of the process (def & maintenance) PbDef: always opting for the highest privacy settings for the data subject. No pre-ticked opt ins, no automatic publishing of their personal data
- Redesign check-out UX agency as contractor Let’s walk over the project steps and see how privacy can be taken into account. Privacy by Design
- Data Protection Impact Assessment (DPIA) Figure out who the Data Protection Officer (DPO) Some projects are not worth the risk or investment needed to comply with the regulation What (personal) data is needed? Who needs it and for what purpose? What are the risks handling this data? What are the security measures needed? First requirements: Security features Data subject rights enablers Removal of personal data (ex: removal account) Ability to edit data Necessary transparency Privacy policy Contextual information around personal data Consent
- Surveys Eye/mouse tracking Profiling Usability studies Interviews ... All of these usually include some form of personal data.
- At end of survey No major effect on drop-off Don’t forget: Make privacy policy dummy-proof
- Non-identifiable user segment representation. So never use real names! Only use first names or last names Pictures (& other personal data) need consent.
- Example of excel transfer to controller File copies Backups Anonymisation
- Multiple ways of sharing information based on the check-out selection Guest check-out Checkout with account Adaptation depending on other context: Delivery method Payment method Products (like extended warranty)
- Controller - processor example
- again: controller - processor
- Get yourself some GDPR goggles and use them for at least a few seconds on everything you do.
- No more 13 page long documents of legal mumbo jumbo
- Look at it from perspective of ds Has to be easy to understand