This briefing was held as part of User Vision's 'Breakfast Briefing' series in Feb 2018. It looks at what GDPR means for businesses and for the UX of digital experiences.
UX & GDPR - Building Customer Trust with your Digital Experiences
1. UX & GDPR
Building Customer Trust With Your Digital Experiences
Stephen Denning
UX Director | User Vision
Andy Harris
Head of IP, Data and Contracts | MBM Commercial
1
4. What we are covering
1. Update
2. Lawful processing and consent
3. Key actions
5. Where are we now?
Ø GDPR has direct effect: 25 May 2018 is D-Day
Ø Data Protection Bill
Ø Brexit effect
6. The key changes
1. Accountability principle
2. Breach notification and fines
3. Data processors directly liable
4. More rights to individuals
5. Legal basis notification
7. ¡ Concepts largely the same
¡ Increased transparency
¡ Increased accountability
8. What is the first data protection principle?
¡ “personal data shall be processed fairly and
lawfully”
9. What are the conditions for processing?
Category 1: General
1. You have the individual’s consent to the processing
2. Necessary for the performance of a contract (or to enter into a contract)
3. Processing is necessary because of a legal obligation that applies to you
4. Processing is necessary to protect the individual’s vital interests
5. Processing is necessary for administering justice, or for exercising
statutory, governmental, or other public functions
6. Processing is necessary for your legitimate interests (except where
overridden by rights, freedoms or legitimate interests of the individual)
10. What are the conditions for processing?
Category 2: Sensitive
1. You have the individual’s explicit consent to the processing
2. Processing is necessary under employment law
3. Processing is necessary to protect the vital interests of:
§ the individual (where consent cannot reasonably be obtained)
§ another person (where the individual’s consent has been unreasonably
withheld)
4. Processing is carried out by a not-for-profit organisation for defined
purposes (e.g. political purposes) and does not involve disclosing
personal data to a third party, unless the individual consents
5. The individual has deliberately made the information public
11. What are the conditions for processing?
Category 2: Sensitive
6. Processing is necessary in relation to legal proceedings; for obtaining legal
advice; or otherwise for establishing, exercising or defending legal rights
7. Processing is necessary for administering justice, or for exercising statutory
or governmental functions
8. Processing is necessary for the purposes of preventing fraud
9. Processing is necessary for medical purposes, and is undertaken by a health
professional or by someone who is subject to an equivalent duty of
confidentiality
10. Processing is necessary for monitoring equality of opportunity, and is carried
out with appropriate safeguards for the rights of individuals
12. Sensitive personal data consists of information about an
individual’s
¡ race or ethnic origin
¡ political opinions
¡ religious beliefs or other beliefs of a similar nature
¡ trade union membership
¡ physical or mental health or condition
¡ sexual life
¡ criminal history or record
13. § Personal data must be processed fairly and
lawfully
§ Requires at least one condition for processing to
be met from the first category
§ If you are processing sensitive personal data, then
you also need to meet at least one condition for
processing from the second category
14. What is the first data protection principle?
¡ “personal data shall be processed fairly and
lawfully and in a transparent manner”
15. Broadly similar concepts, different
terminology
¡ Condition for processing → Legal basis for
processing
¡ Sensitive personal data → Special categories of
personal data
16. Key change is need to notify individual of
your legal basis for processing
¡ Need to carry out an internal audit
¡ Adopt layered privacy notices
¡ Consider practical implications
17. ¡ consent means any freely given, specific,
informed and unambiguous indication of the
individual’s wishes by which he or she, by a
statement or by a clear affirmative action,
signifies agreement to the processing of personal
data relating to him or her
¡ no definition of explicit consent
18. Need to give genuine choice
¡ Unbundled
¡ Active opt-in
¡ Granular
¡ Informed
¡ Documented
¡ Easy to withdraw
¡ No imbalance in relationship
19. ¡ Consent not always appropriate
¡ Consider other legal bases
¡ Use as last resort
20. § Personal data must be processed fairly, lawfully
and in a transparent manner
§ Requires at least one legal basis to be met from
the first category
§ If you are processing special categories of personal
data, then at least one legal basis from the second
category must also be met
§ Consent may be difficult to validly obtain and
should be used as a last resort
21. 1. Nominate a DP Officer
§ Not essential but helps prove compliance
§ Essential for:
1. public authorities
2. where core activities involve regular and systematic
monitoring on large scale
3. where core activities involve processing of special
categories of data on large scale
22. 2. Carry out a personal data audit
1. Starting point
2. Need to know what personal data you have
and what you are using it for
3. Hard to meet accountability principle
without it
23. 3. Follow the ‘privacy’ guidance
Ø Privacy impact assessments
Ø Privacy by design
Ø Privacy by default
24. 4. Identify legal basis for processing
Ø Needed under DPA 1998
Ø GDPR imposes notification requirement
Ø Likely to be significant non-compliance
25. 5. Check your transfers
Ø If outside of EU then:
v Is there an “adequacy decision” for destination
country?
v Is there use of model clauses?
v With US companies, have they signed up to
Privacy Shield?
26. 6. Keep (and update) clear records
Ø Data audits
Ø Privacy impact assessments
Ø Privacy by design and by default docs
Ø Policies and procedures
Ø Processors
27. Andy Harris, Partner
IP, Data and ContractsTeam
Email: andy.harris@mbmcommercial.co.uk
DD: 0131 226 8208
Mobile: 07930 984446
63. 55 North Castle Street
Edinburgh
EH2 3QA
United Kingdom
Tel: 0131 225 0850@UserVision
www.uservision.co.uk
63
hello@uservision.co.uk
Stephen Denning
UX Director | User Vision
stephen@uservision.co.uk
Andy Harris
Head of IP, Data and Contracts | MBM Commercial
andy.harris@mbmcommercial.co.uk