More and more people are starting to talk about GDPR. But what is it, and what practical implications will it actually have on the design of your products and services? In this post, we will outline a few of the most important things you need to know and give you a couple of tangible examples of dos and don'ts. Hopefully, this will be of some help.

GDPR stands for General Data Protection Regulation and is the result of four years of work by the European Union to bring data protection legislation into line with the new, previously unforeseen ways that data is now being used. The regulation was adopted on April 27, 2016, and becomes enforceable on May 25, 2018, giving organizations two years to get their data protection in order. Now that those two years are coming to an end, more and more organizations are starting to move on this.

However, working out what we actually need to do to comply with the new legislation can be hard. Therefore I’ve summarized it so that it’s easier to digest and apply to your organization and/or product.


What’s the goal of the GDPR?
In a nutshell, the goal is to:
1) Give people more control over their personal data.
2) Give businesses a simpler, cleaner environment in which to operate by making data protection rules identical throughout the entire market. (This is estimated to save EU businesses a collective €2.3 billion a year.)

What types of private data does the GDPR protect?
The GDPR protects any information related to a natural person, or "data subject", that can be used to directly or indirectly identify that person. This includes information such as:

- Basic identity information such as name, photos, address and ID numbers
- Web data such as location, IP address, cookie data
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation

Who does the GDPR affect?
The GDPR affects all organizations that operate within the EU and collect data from users, as well as pretty much every individual who’s ever been online. This means that not only European organizations will have to be in line with the legislation, but any and all organizations that operate here, regardless of where the data is processed.

So what does this mean for my organization?
The GDPR has three main segments. The first is the legal part: making sure you’re allowed to collect data at all. The second is the way you store and use your data. The third is how you design your services to put the user in control.

On the legal side, you need to make sure you collect data in an appropriate way. Companies will have to be much more transparent towards their users, and the user has to positively consent to data being collected before you can start doing so. In total there are six lawful ways of getting permission to collect data on a user. The one you’re most likely to be using is consent, and that’s the one I’ve focused on.

Also, ask yourself why you collect information. Do you need all the information you’re collecting to provide your service? If the answer is yes, you’re good. If the answer is no, you’ll need to figure out what data you need and then delete the rest.

You are not required to delete or refresh your existing consents in preparation for the GDPR, but if you are relying on individuals’ consent to process the data, make sure it meets the GDPR standards on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If your purposes or activities evolve beyond what was originally specified, you will, however, need to refresh your consent.

When it comes to storing data, your organization will need to inform users what the data is being used for, who has access to it and why it’s being collected. The data subject also has the right to obtain a copy of all data that the data controller holds on him or her, free of charge and in a digital format. In addition, the data subject has the right to "be forgotten", which means that the data controller has to erase the data and cease third-party access to it.
When you’re collecting data, make sure you have a data protection plan. If you already have one, make sure it’s up to date. Under the GDPR, breach notification becomes mandatory in all EU member states where a data breach is likely to "result in risk for the rights and freedoms of the individuals." This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers "without undue delay" after becoming aware of the breach. It’s not specified which member states they are referring to in the first part of the paragraph, but I imagine it being at least partially dependent on who the individual is as well. Being safe rather than sorry is probably a good approach here.

Finally, try and make sure you document as much as possible. You will need to be able to demonstrate the user’s consent, so keep records of what the individual has consented to, what they were told when they consented, when they consented, and whether or not they have withdrawn their consent.

Public authorities and employers will need to take particular care to ensure that consent is freely given, and may find that one of the other lawful bases sometimes suits their needs better. If so, one of the following should be considered instead: a contract with the individual, compliance with a legal obligation, vital interests, a public task, or legitimate interests. More information on these can be found on pages 15-16.

How does this affect the UX design of our apps?
On the design side of the GDPR, things are a little more straightforward. We do, however, have some new things to think about when designing our products and services in the post-GDPR era. It seems the changes will mostly affect the onboarding and the settings/account part of the service, which means updating our apps and services hopefully won’t be that big a task.

First off, the onboarding will probably be a bit longer than it currently is, as we will need to inform the user what the data is being used for and by whom. We also need to gain the user’s positive consent and show them how they can withdraw it. Avoid asking for consent as a precondition of using the service; instead, ask for it in context, where the data is actually needed.

When you inform the user about your personal data processing, the information must be concise, transparent, intelligible, easily accessible and free of charge. If there is room for any doubt on the user’s side, it’s not consent. Therefore make sure that it’s written in plain language, especially if addressed to a child. This means no technical or legal jargon, no double negatives or other confusing terminology, and especially no links to a crazy-long privacy policy.

Don’t just give the user one choice.

Do give the user more control by introducing granular options.

Speaking of children: if your service is offered directly to users under the age of 16, parental consent is required. If you choose to rely on children’s consent, you will need to implement age-verification measures and make "reasonable efforts" to verify parental responsibility for those under the relevant age. It’s not specified what "reasonable efforts" means, but the guidance says they are "developing further specific guidance on children’s privacy". You will also need to review and refresh the consent once the data subject is old enough to consent for themselves. In other words, don’t forget to adjust the way you ask for consent to your intended users.

Asking for consent must be done with some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. This is explicitly prohibited by the GDPR, so throw these out the window.

Consent must also be separate from other terms and conditions. You will need to provide simple ways for people to withdraw consent and inform the user how to do it. Withdrawing consent should be as easy as giving it, and users cannot be penalized for doing so. Withdrawing consent is likely to end up in the settings or account management part of the service and should be as easy as a checkbox or a toggle. This is also where the possibility of obtaining or deleting your data is likely to live.

Don’t bundle T&C and privacy policy, and don’t use consent as a precondition.

Do: Just-in-time information is a good way of avoiding information overload; also make sure consent is separate from T&C.

The granular design requirement means we will need to break a few things up to give users more control over what they consent to. For example, don’t ask your users whether they want to be contacted; instead ask them whether they want to be contacted by text message, e-mail, phone, or not at all.

All of this extra information will need to be presented in a way that isn’t unnecessarily disruptive to users. The GDPR suggests layered information or just-in-time information to achieve this, but any approach is fine as long as it doesn’t go against the guidelines.
It’s also considered best practice to offer granular choices for deleting your data. The user may want to delete only GPS data but keep everything else. So if possible, try not to go with all or nothing.

Long privacy policies are a no-no.

Use layered information or just-in-time information instead.

What are the benefits of doing this correctly?
By doing this correctly, you should put individuals in control, build customer trust and engagement, and enhance your reputation amongst your users.

What happens if you don’t get it right, then? Besides damaging your organization’s reputation, handling personal data badly can leave you open to substantial fines. The GDPR states that:

"…infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher."
In other words: don’t get it wrong!

As a user, the GDPR is quite a welcome change. It puts my integrity first. For companies, however, this change is a little bit more complicated. Updating your design shouldn’t be that much of a hassle, but changing the way we store and handle data could be a big change that takes a lot of work, especially with all the documentation needed.

Once it’s all in place though, the GDPR should be a positive thing for companies as well since everyone will work with the same standards, which will hopefully also mean less legal work. 

We’ll have to wait and see how this affects the user experience. If it’s done poorly, it could turn into cookies 2.0, with consent requests and privacy information everywhere just to be on the safe side. While consent requests are only potentially annoying the first time you use a service, that first impression is also crucial for making sure people keep using it. Luckily the GDPR also says that the user experience mustn’t be unnecessarily disruptive to users. On the other hand, what "unnecessarily disruptive" means isn’t defined, so I fear we will still see many examples of information overload. This will, of course, get better with time as companies and designers get more comfortable with the new guidelines, but if we do our homework now, we should be able to skip that step and hopefully give our users a great experience from day one. The idea is to make the user feel in control without affecting the interaction. That way we won’t risk losing potential users.

As mentioned earlier, this is just a summary of the GDPR, and it mainly focuses on the things I found most interesting for us at BBH Stockholm. I strongly suggest that everyone who’s affected by this reads more about it, since there’s A LOT more information available.

Checklist for testing yourself

Asking for consent
- We have checked that consent is the most appropriate lawful basis for processing.
- We have requested consent prominently and separately from our terms and conditions.
- We ask people to positively opt-in.
- We don’t use pre-ticked boxes or any other type of consent by default.
- We use clear, plain language that is easy to understand.
- We specify why we want the data and what we’re going to do with it.
- We give granular options to consent to independent processing operations.
- We have named our organization and any third parties.
- We tell individuals they can withdraw their consent.
- We ensure that the individual can refuse to consent without detriment.
- We don’t make consent a precondition of a service.
- If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.

Recording consent
- We keep a record of when and how we got consent from the individual.
- We keep a record of exactly what they were told at the time.

Managing consent
- We regularly review consents to check that the relationship, the processing, and the purposes have not changed.
- We have processes in place to refresh consent at appropriate intervals, including any parental consents.
- We consider using privacy dashboards or other preference-management tools as a matter of good practice.
- We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- We act on withdrawals of consent as soon as we can.
- We don’t penalize individuals who wish to withdraw consent.
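The record-keeping rules described earlier (what the user consented to, what they were told, when, and whether they withdrew) and the checklist above, as an added Python sketch that is not part of the original post. The ledger accepts only an explicit affirmative action, requires parental consent below the age of 16 named in the post, stores consent per granular purpose together with the exact notice text, makes withdrawal a single call, and treats consent as no longer valid once the notice text has changed (the "purposes have evolved" case). Class and method names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

AGE_OF_CONSENT = 16  # threshold named in the post; member states may set a lower one


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str       # one granular purpose, e.g. "contact:email", not just "contact"
    given: bool        # True = opt-in, False = withdrawal
    notice_text: str   # exactly what the user was told at the time
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only consent record for one data subject (hypothetical helper)."""
    events: list = field(default_factory=list)

    def give(self, purpose, notice_text, explicit_action, age=None,
             parental_consent=False, at=None):
        # Consent cannot be inferred from silence, inactivity or a pre-ticked box,
        # so the caller must state that the user took an affirmative action.
        if not explicit_action:
            raise ValueError("consent requires a clear affirmative action")
        if age is not None and age < AGE_OF_CONSENT and not parental_consent:
            raise ValueError("parental consent required for a child")
        self.events.append(ConsentEvent(purpose, True, notice_text,
                                        at or datetime.now(timezone.utc)))

    def withdraw(self, purpose, at=None):
        # Withdrawing is a single call, as easy as giving; other purposes are untouched.
        self.events.append(ConsentEvent(purpose, False, "",
                                        at or datetime.now(timezone.utc)))

    def is_valid(self, purpose, current_notice_text):
        # The latest event for this purpose decides. If the notice has evolved beyond
        # what the user was shown, the old consent no longer covers the processing.
        latest = next((e for e in reversed(self.events) if e.purpose == purpose), None)
        if latest is None or not latest.given:
            return False
        return latest.notice_text == current_notice_text

    def history(self, purpose):
        # Full trail for audits: what was consented to, what they were told, when,
        # and any withdrawals.
        return [e for e in self.events if e.purpose == purpose]
```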