This briefing was held as part of User Vision's 'Breakfast Briefing' series in Feb 2018. It looks at what GDPR means for businesses and for the UX of digital experiences.

1. UX & GDPR
Building Customer Trust With Your Digital Experiences
Stephen Denning
UX Director | User Vision
Andy Harris
Head of IP, Data and Contracts | MBM Commercial
1

2. © User Vision 2018
Plan of action
2
„ Introductions
„ What GDPR really means for business (Andy)
„ What GDPR means for your user experience (Stephen)
„ Q&A

3. What GDPR really means for business

4. What we are covering
1. Update
2. Lawful processing and consent
3. Key actions

5. Where are we now?
Ø GDPR has direct effect: 25 May 2018 is D-Day
Ø Data Protection Bill
Ø Brexit effect

6. The key changes
1. Accountability principle
2. Breach notification and fines
3. Data processors directly liable
4. More rights to individuals
5. Legal basis notification

7. ¡ Concepts largely the same
¡ Increased transparency
¡ Increased accountability

8. What is the first data protection principle?
¡ “personal data shall be processed fairly and
lawfully”

9. What are the conditions for processing?
Category 1: General
1. You have the individual’s consent to the processing
2. Necessary for the performance of a contract (or to enter into a contract)
3. Processing is necessary because of a legal obligation that applies to you
4. Processing is necessary to protect the individual’s vital interests
5. Processing is necessary for administering justice, or for exercising
statutory, governmental, or other public functions
6. Processing is necessary for your legitimate interests (except where
overridden by rights, freedoms or legitimate interests of the individual)

10. What are the conditions for processing?
Category 2: Sensitive
1. You have the individual’s explicit consent to the processing
2. Processing is necessary under employment law
3. Processing is necessary to protect the vital interests of:
§ the individual (where consent cannot reasonably be obtained)
§ another person (where the individual’s consent has been unreasonably
withheld)
4. Processing is carried out by a not-for-profit organisation for defined
purposes (e.g. political purposes) and does not involve disclosing
personal data to a third party, unless the individual consents
5. The individual has deliberately made the information public

11. What are the conditions for processing?
Category 2: Sensitive
6. Processing is necessary in relation to legal proceedings; for obtaining legal
advice; or otherwise for establishing, exercising or defending legal rights
7. Processing is necessary for administering justice, or for exercising statutory
or governmental functions
8. Processing is necessary for the purposes of preventing fraud
9. Processing is necessary for medical purposes, and is undertaken by a health
professional or by someone who is subject to an equivalent duty of
confidentiality
10. Processing is necessary for monitoring equality of opportunity, and is carried
out with appropriate safeguards for the rights of individuals

12. Sensitive personal data consists of information about an
individual’s
¡ race or ethnic origin
¡ political opinions
¡ religious beliefs or other beliefs of a similar nature
¡ trade union membership
¡ physical or mental health or condition
¡ sexual life
¡ criminal history or record

13. § Personal data must be processed fairly and
lawfully
§ Requires at least one condition for processing to
be met from the first category
§ If you are processing sensitive personal data, then
you also need to meet at least one condition for
processing from the second category

14. What is the first data protection principle?
¡ “personal data shall be processed fairly and
lawfully and in a transparent manner”

15. Broadly similar concepts, different
terminology
¡ Condition for processing → Legal basis for
processing
¡ Sensitive personal data → Special categories of
personal data

16. Key change is need to notify individual of
your legal basis for processing
¡ Need to carry out an internal audit
¡ Adopt layered privacy notices
¡ Consider practical implications

17. ¡ consent means any freely given, specific,
informed and unambiguous indication of the
individual’s wishes by which he or she, by a
statement or by a clear affirmative action,
signifies agreement to the processing of personal
data relating to him or her
¡ no definition of explicit consent

18. Need to give genuine choice
¡ Unbundled
¡ Active opt-in
¡ Granular
¡ Informed
¡ Documented
¡ Easy to withdraw
¡ No imbalance in relationship

19. ¡ Consent not always appropriate
¡ Consider other legal bases
¡ Use as last resort

20. § Personal data must be processed fairly, lawfully
and in a transparent manner
§ Requires at least one legal basis to be met from
the first category
§ If you are processing special categories of personal
data, then at least one legal basis from the second
category must also be met
§ Consent may be difficult to validly obtain and
should be used as a last resort

21. 1. Nominate a DP Officer
§ Not essential but helps prove compliance
§ Essential for:
1. public authorities
2. where core activities involve regular and systematic
monitoring on large scale
3. where core activities involve processing of special
categories of data on large scale

22. 2. Carry out a personal data audit
1. Starting point
2. Need to know what personal data you have
and what you are using it for
3. Hard to meet accountability principle
without it

23. 3. Follow the ‘privacy’ guidance
Ø Privacy impact assessments
Ø Privacy by design
Ø Privacy by default

24. 4. Identify legal basis for processing
Ø Needed under DPA 1998
Ø GDPR imposes notification requirement
Ø Likely to be significant non-compliance

25. 5. Check your transfers
Ø If outside of EU then:
v Is there an “adequacy decision” for destination
country?
v Is there use of model clauses?
v With US companies, have they signed up to
Privacy Shield?

26. 6. Keep (and update) clear records
Ø Data audits
Ø Privacy impact assessments
Ø Privacy by design and by default docs
Ø Policies and procedures
Ø Processors

27. Andy Harris, Partner
IP, Data and ContractsTeam
Email: andy.harris@mbmcommercial.co.uk
DD: 0131 226 8208
Mobile: 07930 984446

28. © User Vision 2018 28
What GDPR means for
your User Experience

29. © User Vision 2018 29
64% of companies surveyed concede that
inaccurate data is currently undermining their ability
to provide an excellent customer experience.
81% report difficulties in achieving
a single customer view.
(March 2017)

30. © User Vision 2018 30
72% of companies said that data quality
issues had affected trust and perception by
their customers, who are increasingly aware
of the value of their data and their vulnerability
if it’s not handled appropriately
(March 2017)

31. © User Vision 2018 31
68% of people are happy to provide personal
information online to companies as long as
they get what they want
(2015)

32. © User Vision 2018
Four phases of cognizant computing
Gartner, Future of Smart Devices, 2013
1. Sync Me
Store copies of my digital assets and keep in sync
2. See Me
Know where I’ve been online and in the real-world.
Understand my mood and context to better align services
3. Know Me
Understand what I want and need and proactively present
it to me
4. Be Me
Act on my behalf based on learned and explicit rules
32

33. © User Vision 2018 33
Use of data is
what
differentiatesAmazon from
Argos

34. © User Vision 2018 34
Credible
UsefulDesirable
Valuable
FindableUsable
Accessible
The User
Experience
(noun)
We want todeliver positiveexperiences forour users/
customers

35. © User Vision 2018 35
Usability
User
Experience
(UX)
Customer
Experience
(CX)
Useful Engaging
Value
Trust
Consistency
Relevance
Effectiveness,
Efficiency,
Satisfaction
Individual Task
All touchpoints over time
Individual Touchpoint
The User
Experience
(noun)
The digital
experiences we
deliver impact
trust and overall
customer
relationships

36. © User Vision 2018 36
The spirit of
GDPR marries
well with good
UX principles

37. © User Vision 2018 37
Dr. Ann Cavokian - Executive Director of the Privacy and Big Data Institute at Ryerson University
Privacy should
be baked in to
the design - not
an afterthought

38. © User Vision 2018
4 UX considerations for GDPR
1. Be clear & contextual (about why you are collecting)
2. Practice minimalism (ask for as little as possible)
3. Be straightforward (with your privacy policy)
4. Offer control (over data collected)
38

39. © User Vision 2018
1. Be clear & contextual
Don’t hide privacy information
Highlight how specific data will be used
Present explanation at the right time
= Builds trust
39Credit: Tristar pictures

40. © User Vision 2018 40
Don’t hide!

41. © User Vision 2018 41

42. © User Vision 2018 42

43. © User Vision 2018 43

44. © User Vision 2018 44
Just in timenotifications
Credit: ico.org.uk

45. © User Vision 2018 45
Just in timenotifications

46. © User Vision 2018
2. Practice minimalism
46Credit: Unbounce.com

47. © User Vision 2018 47

48. © User Vision 2018 48

49. © User Vision 2018
3. Be straightforward
GDPR says that privacy notices should be:
„ Written and presented in a clear, concise manner
„ Transparent, intelligible and easy to access
„ Free of charge
And they need to convey:
„ What information is being collected?
„ Who is collecting it?
„ How is it collected?
„ Why is it being collected?
„ How will it be used?
„ Who will it be shared with?
„ What will be the effect of this on the
individuals concerned?
„ Is the intended use likely to cause
individuals to object or complain?
49

50. © User Vision 2018 50

51. © User Vision 2018 51

52. © User Vision 2018
Benefit
statement
52

53. © User Vision 2018 53

54. © User Vision 2018 54
On-brand
video
explanations

55. © User Vision 2018 55
Layered
privacy
notice

56. © User Vision 2018
4. Offer control
During collection
„ Informed consent
„ Explicit consent
„ Clear choice
„ Opt-in
After collection
„ Granular
„ Clear
„ Prominent
„ Easily edited/withdrawn
56

57. © User Vision 2018 57
Don’t
merge
agreements
Don’t
change
polarity!

58. © User Vision 2018 58
Unbundledconsent

59. © User Vision 2018 59
Granularconsent

60. © User Vision 2018 60
Privacy
dashboard

61. © User Vision 2018 61
Privacy
dashboard

62. © User Vision 2018
Summary
62
Consumers understand that data can be used for good (as well as evil)
How companies handle data affects trust
The priorities of GDPR marry nicely with delivering a positive UX
We should build in Privacy by Design
4 UX considerations:
1. Be clear & contextual (about why you are collecting)
2. Practice minimalism (ask for as little as possible)
3. Be straightforward (with your privacy policy)
4. Offer control (over data collected)

63. 55 North Castle Street
Edinburgh
EH2 3QA
United Kingdom
Tel: 0131 225 0850@UserVision
www.uservision.co.uk
63
hello@uservision.co.uk
Stephen Denning
UX Director | User Vision
stephen@uservision.co.uk
Andy Harris
Head of IP, Data and Contracts | MBM Commercial
andy.harris@mbmcommercial.co.uk