A Designer’s Guide to GDPR
Disclaimer: Nobody who contributed to this overview of GDPR or the accompanying checklist is a lawyer. This does not constitute as legal advice. This is by no means an exhaustive list. Please consult a legal professional for specific questions.
Recall the Great Privacy Update of 2018: Your inbox was flooded with emails from apps and websites you didn’t even remember having an account with, and maybe for the first time in history, privacy policies became a meme. This momentous occasion was spurred by the enactment of the General Data Protection Regulation (better known as GDPR), the European Union’s landmark regulation on data privacy.
Finalized and announced in 2016, GDPR went into effect May 25, 2018, forcing many companies to adjust how they store and transfer data, how they ask users for consent, and what information they disclose to users. And GDPR doesn’t mess around: violators are slapped with hefty fines: €20M or 4% of the company’s worldwide annual revenue, whichever is higher.
I’m going to say that again: If you violate GDPR, you will be fined a minimum of €20M.
Now that I have your attention, let’s start with this handy quiz the BBC put together to gauge your familiarity with GDPR and identify gaps. The quiz certainly doesn’t cover everything, but it should give you an idea about any blind spots you may have.
Who does GDPR apply to
A discussion about GDPR would be incomplete without covering exactly who and what it applies to. There’s a misconception that because the World Wide Web is accessible to everyone everywhere, all companies need to comply with GDPR. Thankfully that isn’t true, but it might apply to more situations than you think.
Forbes does most of the work for us in clarifying who GDPR applies to:
To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects “personal data” — EU-speak for what we in the U.S. call personally identifiable information (PII) — as part of a marketing survey, then the data would have to be protected GDPR-style.
In case you’re still scratching your head, here are the basics:
- If you have any brick & mortar locations in the EU, you’re liable
- If you’ve translated your website into the native language of any EU nations, you should probably be GDPR compliant
- If you maintain a separate EU domain (e.g. .de, .eu), telephone number, or accept the currency of one of the Member States, you should probably be GDPR compliant
- If you collect survey data that includes any PII (full name, birth date, email, credit card number, etc), you’re liable
One point of clarification, however, is that GDPR does not apply to any EU citizens living or vacationing abroad. If an EU citizen uses your product or service while on a trip in the USA, you’re not liable. Ultimately, this makes sense: an EU regulation should only apply to companies and individuals in the EU. Many companies decided to be compliant just in case, though, as it’s better to update your policy than get slammed with multi-billion-dollar lawsuits.
Also, being GDPR compliant can make for a better overall experience and enforces some user-friendly design decisions, so you may want to consider being GDPR compliant anyway.
How to be GDPR compliant
GDPR compliance can be broken down in many ways, two of which we’ll cover here. For a fuller picture, check out our “GDPR Do’s and Don’ts” checklist that provides a list of action items, features to offer, and design practices that are no longer permitted. In this article, we’ll focus on Consent and Data Rights.
What exactly are the types of consent? There isn’t a clear definition here, but you’re better off erring on the side of caution. Consenting to your T&C doesn’t necessarily include consenting to receive email. You can no longer ask for access to data you don’t absolutely need for your service to function (e.g., no asking for contacts unless you need their contacts), and you need to ask for these permissions in the context of what the user is doing (e.g., don’t bombard them with requests upon first signing up; ask for specific information when they first access that part of the app).
GDPR has clauses around what they consider “data rights” as well, such as the Right to be Informed, the Right to be Forgotten, and the requirement of having a Data Protection Officer. The DPO is essentially a new role at your company (who must report directly to senior management) and is responsible for ensuring you’re GDPR compliant. This person can have other functions and can be external to the company as well, but that direct line of communication to decision-makers is essential.
The “Right to be Forgotten” is a requirement that’s caused a lot of trouble for companies with existing legacy data. Essentially, any user (current or previous) at any time has the right to request companies completely erase all of their data. While fairly simple to support from a design standpoint, this can be a significant challenge for engineering, especially if your data isn’t currently structured to allow for that erasure. It’s not really an issue for websites, which usually have a fairly simple data structure, but if you’re building an application, your data model needs to account for this.
Why GDPR makes a better product
While it might seem like a lot of hoops to jump through, GDPR regulations actually make for a better experience for your users, and adhering to them ultimately produces a superior product. Constraints are fundamental to design, after all.
GDPR enforces some of Nielsen’s Heuristics. By providing increased transparency about how data is stored, processed, and used, as well as greater ease opting in and out of certain permissions, you increase “user control and freedom”. Having well-designed, clearly-worded terms, conditions, and privacy policies help your product “speak the user’s language”. Improved permissions and controls also help users prevent, diagnose, and recover from errors as well.
And GDPR is all about context. By providing just-in-time consent, you establish a clear association between the information you’re asking for and why. We’ve all seen (and abandoned) apps that hit you with a flurry of permissions requests on your first sign-up. By asking for location permission when a user first accesses the map feature of your application, not only are you compliant, but you’re helping the user understand why you need it.
GDPR is also about control. There’s no reason to hide the exit (or anything, really) from users. If someone wants to get off of your service/platform, they will. The harder you make it for them, the less likely they are to ever return or recommend your service. This peak-end rule can be a powerful tool in your design arsenal and should be taken seriously.
There’s certainly no shortage of resources around GDPR and compliance, so don’t stop here. Our checklist tries to be as actionable and direct as possible, but it’s certainly not exhaustive. And we’re always happy to start a conversation about helping you on the journey to compliance.
- UX Design and GDPR: Everything You Need to Know
- GDPR: 10 examples of best practice UX for obtaining marketing consent
- Six agreeable examples of GDPR ready opt-in forms
- IAPP’s UX Guide to Getting Consent
- Best GDPR Website Consent Examples
- How will GDPR affect UX design?
- GDPR & User Experience
- The Impact of GDPR on User Experience (video)
- Transparency of machine-learning algorithms is a double-edged sword
- The User Experience Challenge of GDPR
- 3 things to keep in mind before you design for GDPR
- GDPR & how it impacts your UX / content work
- Guide to the General Data Protection Regulation (GDPR)