From May next year, the General Data Protection Regulation will go into full effect. You might think that this has little to do with your UX work, but you would be wrong: the GDPR will have major consequences for how we deal with privacy and personal data, and it also applies to your own work processes.
Clovis Six and Saskia Videler will give you a primer on GDPR and offer you a crystal-clear overview of how to implement GDPR in your workflow.
– As a UX researcher Clovis Six often gets confronted with privacy issues in the projects he works on. But as a white knight of privacy, he always saves the day with his knowledge and resourcefulness, whilst protecting the privacy of the user. He feels like it’s his duty to get the privacy conversation going.
– Saskia Videler marries content + UX in her practices as content strategist. Through a thorough understanding of the end-user, she’ll make sure that they will be able to perform their tasks.
Who and what: the European Commission & European Parliament require all companies handling data of European citizens to protect the privacy of European citizens. (Practices of SV; Quazu going through our data.)
● Full effect per May 28th 2018; currently in the grace period (started May 2016).
● A set of strict rules, with active & reactive enforcement.
● Fines: 4% of annual global revenue or 20 million euro, whichever is higher.
● Relevance for you: your company could be directly liable or, as an agency, you will lose clients if you don’t comply. There’s no way to run.
Case: Quazu, a fictitious offline pharmacy chain that recently launched a webshop.
Dan (eCommerce Manager):
● Alpha-male type executive
● On his way up he gained widespread data access
● Privacy is never a big issue for him
● Type of person: nothing to hide & open with his own data
● Gains access to customer data to…
● check on employee health
● profile the girlfriends of his daughter
The GDPR requires a new way of asking for, handling and storing data.
● Quazu needs to make it very clear to the customer what they’ll use the data for, and may not use it for anything else: delivery, giving you a specific service (asking for a pathology).
● Purposes must be specific (‘for marketing purposes’ isn’t specific enough and doesn’t help the customer).
● Quazu can no longer ask for the data it wants, only for the data it needs to operate the service for its customer.
● You need clear and informed consent of the consumer to acquire, store and handle their data.
● Quazu has to be clear, fair and transparent.
The customer needs to be able to easily view, edit or delete their data. You can never store their data indefinitely. Quazu needs a good and clear flow for users to do this.
The data controller is responsible for what happens with the data. You cannot deny responsibility when something goes wrong at a processor (e.g. the postal service), so choose processors wisely. Quazu’s processors: newsletter or postal service.
GDPR Task Force:
● Data Protection Officer
● Risk analysis
● Data Protection Impact Assessment (DPIA) (quick check)
● Dataflows inventory
Privacy by Design (PbDes): taking privacy into account at every step of the process (definition & maintenance).
Privacy by Default (PbDef): always opting for the highest privacy settings for the data subject. No pre-ticked opt-ins, no automatic publishing of their personal data.
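The rules above (specific purposes, only the data you need, explicit consent, no indefinite storage, view/edit/delete for the data subject, no pre-ticked opt-ins) translate directly into code. The following is an added example, not code from the talk or from Quazu (a fictitious company): a small in-memory store for the webshop check-out in which every read or write of personal data is tied to a named purpose and an active consent. The purpose register, the field names (`name`, `address`, `pathology`, `email`), the retention periods and the reference date are all assumptions chosen for illustration.

```python
"""Added example, not code from the talk or from Quazu (a fictitious company): an in-memory
personal-data store enforcing purpose limitation, data minimisation, explicit consent, retention
limits and the data subject's rights. Purposes, field names, dates and retention periods are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed purpose register: each purpose names exactly the fields it needs and how long they may be
# kept. A vague purpose such as "marketing" has no entry, so nothing can be collected under it.
PURPOSES = {
    "delivery": {"fields": {"name", "address"}, "retention": timedelta(days=90)},
    "prescription_service": {"fields": {"name", "pathology"}, "retention": timedelta(days=365)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=730)},
}
T0 = datetime(2018, 5, 28)  # constructed reference date

class ConsentError(Exception):
    """Raised when an operation is not covered by a specific, active consent."""

@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: datetime | None = None
    def active(self, now: datetime) -> bool:
        # Consent lapses when withdrawn or once the purpose's retention period has elapsed.
        return self.withdrawn_at is None and now < self.given_at + PURPOSES[self.purpose]["retention"]

@dataclass
class Subject:
    data: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)

class PersonalDataStore:
    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}
    def _subject(self, sid: str) -> Subject:
        return self._subjects.setdefault(sid, Subject())
    def _require_consent(self, sid: str, purpose: str, now: datetime) -> set:
        # Returns the fields the purpose covers; raises unless consent for it is active.
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown or unspecific purpose {purpose!r}")
        if not any(c.purpose == purpose and c.active(now) for c in self._subject(sid).consents):
            raise ConsentError(f"no active consent for {purpose!r}")
        return PURPOSES[purpose]["fields"]
    def record_consent(self, sid: str, purpose: str, opted_in: bool, now: datetime) -> bool:
        # Privacy by default: only an affirmative opt-in creates consent; an unticked box records nothing.
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown or unspecific purpose {purpose!r}")
        if opted_in:
            self._subject(sid).consents.append(Consent(purpose, now))
        return opted_in
    def collect(self, sid: str, purpose: str, now: datetime, **fields) -> None:
        # Data minimisation: refuse every field the stated purpose does not need.
        extra = set(fields) - self._require_consent(sid, purpose, now)
        if extra:
            raise ConsentError(f"{purpose!r} does not need {sorted(extra)}")
        self._subject(sid).data.update(fields)
    def use(self, sid: str, purpose: str, now: datetime) -> dict:
        # Purpose limitation: hand out only the fields this purpose covers.
        allowed = self._require_consent(sid, purpose, now)
        return {k: v for k, v in self._subject(sid).data.items() if k in allowed}
    # Data-subject rights: view, edit, withdraw consent, be erased.
    def view(self, sid: str) -> dict:
        return dict(self._subjects.get(sid, Subject()).data)
    def edit(self, sid: str, name: str, value) -> None:
        self._subject(sid).data[name] = value
    def withdraw(self, sid: str, purpose: str, now: datetime) -> None:
        for c in self._subject(sid).consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = now
        self.expire(now, sid)  # fields only that consent covered are dropped immediately
    def erase(self, sid: str) -> None:
        self._subjects.pop(sid, None)
    def expire(self, now: datetime, sid: str | None = None) -> list:
        # Storage limitation: drop every field no active consent still covers (also run as a job).
        removed = []
        for s in ([sid] if sid else list(self._subjects)):
            subj = self._subjects.get(s)
            for name in list(subj.data if subj else []):
                if not any(c.active(now) and name in PURPOSES[c.purpose]["fields"] for c in subj.consents):
                    del subj.data[name]
                    removed.append((s, name))
        return removed

def demo() -> dict:
    """Walk the Quazu check-out through the rules with constructed sample data."""
    store, out = PersonalDataStore(), {}
    out["pre_ticked_ignored"] = store.record_consent("cust-1", "newsletter", opted_in=False, now=T0)
    store.record_consent("cust-1", "delivery", opted_in=True, now=T0)
    store.record_consent("cust-1", "prescription_service", opted_in=True, now=T0)
    store.collect("cust-1", "delivery", T0, name="A. Customer", address="1 Example Street")
    store.collect("cust-1", "prescription_service", T0, pathology="constructed condition")
    try:
        store.collect("cust-1", "delivery", T0, pathology="x")  # delivery never needs this
        out["minimisation_enforced"] = False
    except ConsentError:
        out["minimisation_enforced"] = True
    out["courier_sees"] = store.use("cust-1", "delivery", T0)  # pathology never reaches the courier
    store.withdraw("cust-1", "prescription_service", T0 + timedelta(days=1))
    out["after_withdraw"] = store.view("cust-1")  # pathology gone, name kept for delivery
    out["expired"] = store.expire(T0 + timedelta(days=100))  # delivery retention (90 days) is over
    out["after_expiry"] = store.view("cust-1")
    return out
```

The point of the design is that there is no code path that reads a field without naming a purpose: the courier integration asks for `delivery` and can never see the pathology, the prescription service loses the pathology the moment that consent is withdrawn, and `expire()` is what makes "you can never store their data indefinitely" a scheduled job rather than a promise.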
Case: redesign of the check-out, with the UX agency as contractor.
Let’s walk over the project steps and see how privacy can be taken into account.
Privacy by Design
Data Protection Impact Assessment (DPIA). Figure out who the Data Protection Officer (DPO) is.
Some projects are not worth the risk or investment needed to comply with the regulation.
Questions to answer:
● What (personal) data is needed?
● Who needs it and for what purpose?
● What are the risks of handling this data?
● What are the security measures needed?
All of these usually include some form of personal data.
Non-identifiable user segment representation: never use real names! Only use first names or last names. Pictures (& other personal data) need consent.
Example: an Excel transfer to the controller. Think about file copies, backups and anonymisation.
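What anonymisation of such a transfer looks like in practice, as an added example that is not from the talk: before the research spreadsheet leaves the agency, direct identifiers are dropped, e-mail addresses are replaced by a keyed pseudonym (so rows from the same participant stay linkable, but the key never travels with the file or its backups), and quasi-identifiers such as age and postcode are generalised. The field names, the key and the sample rows are constructed for illustration.

```python
"""Added example, not from the talk: pseudonymising a research spreadsheet before it is
handed to the controller, so the copy that leaves the agency (and every backup of it)
carries no direct identifiers. Field names, the key and the rows are constructed."""
import csv
import hashlib
import hmac
import io

DROP = {"name", "photo_file"}   # direct identifiers the controller never needs
KEYED = {"email"}               # replaced by a keyed pseudonym, still linkable across rows
AGE_BAND = 10

def pseudonym(value: str, key: bytes) -> str:
    # HMAC, not a bare hash: without the key nobody can confirm a guessed e-mail address by
    # recomputing the digest. The key stays with the researcher and is never part of the export.
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]

def minimise(row: dict, key: bytes) -> dict:
    # Drop direct identifiers, pseudonymise keyed fields and generalise quasi-identifiers
    # (age to a 10-year band, postcode to its area) that could re-identify someone in combination.
    out = {}
    for name, value in row.items():
        if name in DROP:
            continue
        if name in KEYED:
            out[name + "_pseudonym"] = pseudonym(value, key)
        elif name == "age":
            low = int(value) // AGE_BAND * AGE_BAND
            out["age_band"] = f"{low}-{low + AGE_BAND - 1}"
        elif name == "postcode":
            out["postcode_area"] = value[:2]
        else:
            out[name] = value
    return out

def export_for_controller(rows: list, key: bytes) -> str:
    """Returns CSV text: the content of the spreadsheet that is sent to the controller."""
    cleaned = [minimise(r, key) for r in rows]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(cleaned[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(cleaned)
    return buf.getvalue()

# Constructed research rows; none of these people exist.
SAMPLE_ROWS = [
    {"name": "Example Person One", "email": "one@example.com", "age": "34", "postcode": "1012AB",
     "photo_file": "one.jpg", "segment": "guest checkout", "task_success": "yes"},
    {"name": "Example Person Two", "email": "two@example.com", "age": "58", "postcode": "3011CD",
     "photo_file": "two.jpg", "segment": "account checkout", "task_success": "no"},
    {"name": "Example Person One", "email": "One@Example.com", "age": "34", "postcode": "1012AB",
     "photo_file": "one.jpg", "segment": "guest checkout", "task_success": "yes"},
]

if __name__ == "__main__":
    print(export_for_controller(SAMPLE_ROWS, key=b"constructed-key-kept-by-researcher"))
```

Whether the result counts as anonymous or merely pseudonymous depends on who holds the key and on how small the remaining groups (age band, postcode area, segment) are; the check a practitioner wants is that the file itself, and therefore every copy and backup of it, contains nothing that identifies a participant on its own.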
Multiple ways of sharing information, based on the check-out selection:
● Guest check-out
● Check-out with account
Adaptation depending on other context:
● Delivery method
● Payment method
● Products (like extended warranty)
Controller - processor example
again: controller - processor
Get yourself some GDPR goggles and use them for at least a few seconds on everything you do.
No more 13-page-long documents of legal mumbo jumbo.
Look at it from the perspective of the data subject. It has to be easy to understand.
● Ask for consent and data in context.
Be clear, transparent and fair.
● Handle personal data with care.
Allow for viewing, editing and deleting by data subject.
● Know your dataflows!
Risk assessments need to be done regularly.
Make it easy to understand, no legalese allowed!
● GDPR is actually good for UX
It will guide design and content towards transparent, clear communication and trust.
5 key takeaways
The official text of the regulation:
The regulation explained by the European Commission: http://ec.europa.eu/justice/data-
The podcasts we’ve made about GDPR, UX and content:
Privacy by Design guidelines:
Remember to check with privacy experts and legal professionals for your specific situation.