Written by Gareth Botha, UX Designer at Evident
The EU's General Data Protection Regulation, or GDPR, is an
unprecedented new data protection law that imposes stricter privacy rules
and gives individuals greater control over their personal data.
Even without context, you've likely witnessed its effects in the
form of a barrage of emails with updated privacy policies and consent requests
that were sent to you in the weeks leading up to the GDPR's enforcement on May
25, 2018.
Emails like these were typically marked as spam or promptly sent to
the trash folder, but as individuals began to recognize how precarious the
protection of their online data was, such emails proved particularly helpful in
showing data subjects how to exercise their privacy rights.
As technology adapts to meet new privacy regulations like the
GDPR, user experience designers will play an important role in modernizing
digital products and contributing to the adoption of current and future
regulations.
One critical aspect of a UX designer's responsibility is to
understand and adapt to the new standards, ensuring that product workflows
follow best practices to protect users' privacy. With this in mind, UX
designers should begin by prioritizing one of the GDPR's core principles:
Consent.
The GDPR defines consent as:
"Any freely given, specific, informed, and unambiguous indication
of the data subject's wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data
relating to him or her."
Here are a few examples illustrating how capturing consent within
a user's experience can be adjusted to comply with GDPR requirements.
Consent must be explicit, not implied
In this example, the user must explicitly click on a checkbox
stating that they agree to the terms and conditions, and then click on a second
checkbox stating that they agree to receive marketing newsletters. These are
two separate and unrelated consent fields, and cannot be bundled into a single
record. If a user gives consent for one service, an organization can never
assume implied consent for a related service.
Privacy by Default
Following GDPR principles, organizations may never default to a
state in which consent is pre-assumed. The default state should be the most
private state, and the burden should fall on the business to obtain consent,
not on the user to obtain privacy. In this example, the user is signing up for
a webinar, which is completely unrelated to receiving an email newsletter. The
default setting in this case should be the most private state; in other words,
the "Add me to the newsletter" checkbox must default to being de-selected so
that the user must explicitly consent to it, rather than uncheck it to request
privacy.
Users should be informed
Users must be clearly informed of their rights as data subjects,
and should have the ability to revoke consent to access and/or process their
personal data. In fact, consent should be just as easy for the user to revoke
as it is to grant it. Information presented to the user should be in an
easy-to-understand, natural language, and options to revoke it should never be
hidden or made deliberately obscure or difficult to find. Content like privacy
policies should be layered for usability, allowing users to make informed
decisions on the use of their data.
Granular permissions
Privacy controls for users should be laser-focused and specific,
giving the user the ability to fine-tune what types of data they consent to
making available. Data should never be bundled together in a way that punishes
the user by making a service unusable because the subject did not consent to a
certain type of non-essential data processing.
Context should be clear
The user should be made aware of the implications of consenting to
the collection of each type of data, along with why the data is needed, how the
data is used, and who it will be shared with. The user should never be expected
to make a decision on whether or not to consent to the use of personal data
without knowing the context of why they're doing so.
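The five rules above (explicit rather than implied consent, privacy by default, easy revocation, granular permissions, and no bundling) can be enforced in the code that records a consent form, not only in the visual design. The following is an added example, not code from the original post or from Evident; the purpose names, the ledger shape and the policy version string are assumptions for illustration.

```javascript
// Each purpose is consented to on its own; only an essential purpose (here,
// agreeing to the terms) may gate use of the service.
const PURPOSES = Object.freeze({
  terms:      { essential: true,  label: "I agree to the terms and conditions" },
  newsletter: { essential: false, label: "Add me to the newsletter" },
});

// Privacy by default: every purpose starts de-selected, none is pre-assumed.
function defaultConsentState() {
  const state = {};
  for (const name of Object.keys(PURPOSES)) state[name] = false;
  return state;
}

// Records the submitted form as one ledger entry per purpose. Only a checkbox
// the user actually ticked counts as consent; an unknown or aggregate key such
// as "all" is rejected because it would bundle unrelated consents.
function submitConsentForm(ledger, formValues, policyVersion, now = Date.now()) {
  for (const key of Object.keys(formValues)) {
    if (!(key in PURPOSES)) throw new Error(`bundled or unknown consent field: ${key}`);
  }
  for (const purpose of Object.keys(PURPOSES)) {
    if (formValues[purpose] === true) {
      ledger.push({ purpose, granted: true, policyVersion, at: now });
    }
    // A missing or unticked box records nothing: silence is not consent.
  }
  return ledger;
}

// Revoking is as easy as granting: same ledger, one call, no extra steps.
function revokeConsent(ledger, purpose, now = Date.now()) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  ledger.push({ purpose, granted: false, at: now });
  return ledger;
}

// Effective state: latest entry per purpose wins; anything never recorded
// stays at the private default.
function effectiveConsent(ledger) {
  const state = defaultConsentState();
  for (const entry of ledger) state[entry.purpose] = entry.granted;
  return state;
}

// Granularity: declining a non-essential purpose never makes the service unusable.
function canUseService(ledger) {
  const state = effectiveConsent(ledger);
  return Object.entries(PURPOSES).every(([name, p]) => !p.essential || state[name]);
}
```

Keeping an append-only ledger rather than a single boolean also gives the organization a record of when each consent was given or withdrawn and under which policy version, which is what it needs to demonstrate later that consent was freely and specifically given.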
Organizations that invest in compelling user experiences to
respectfully obtain consent from data subjects will see a distinct competitive
advantage in the wake of GDPR.
Consent mechanisms that are easy to read and understand will
eventually become the norm, but the sooner companies can implement a better
user experience, the better. GDPR early adopters that leverage good user
experience design to capture consent will find it easier to build long-term
trust with their constituents.
Consent is just one aspect of GDPR where UX designers can provide
support to help businesses adhere to the new data protection regulation. Stay
tuned for more insight as we unpack additional ways that UX can support
compliance.
About the Author
Gareth Botha - A seasoned UX designer with more than a decade of experience,
Gareth Botha is skilled in user adoption and ease-of-use. As Lead User
Interface and User Experience Designer at Evident, his number one priority is
creating optimal digital experiences for customers.