At a Glance

On May 25th 2018, the General Data Protection Regulation came into effect. This regulation has many implications on the the way business capture, store & use user data.

My responsibility was to adopt the UX best practices to be compliant as per the new GDPR changes.

 

my ROLE

Researcher

Service Designer

UX & UI Designer

 

TEAM

Project Manager + Solution Architect + Developer + me ( Product Designer )

stakeholders

CEO + MD + Operations Director + Head of Marketing

 

DURATION

3 Months 


What is GDPR?

The GDPR will completely revolutionise how we think about data protection, especially where privacy is concerned. Granted, privacy is more the preserve of the legal department or the engineering department, but it is also the concern of the user experience (UX) designer. Good UX practice means making privacy policies accessible, and this is what the GDPR now makes legally binding.

Requirement

Review the existing customer data flow and identify the touchpoints where GDPR will need to be adopted. Design digital and enterprise UX which will be GDPR compliant.

Challenge

Any digital user-facing system that collects personal data will have to be thoroughly redesigned to prominently display “clear and concise” consent requests (and equally, the ability to withdraw consent), often with the use of “layered” consent notices. These can hardly be slapped on to existing interfaces and will require rethinking core elements of UX design.


Research

STEP 1 : BUSINESS WIDE DATA FLOW AUDIT (Service Design Blueprint)

It is important to take stock of the current data and privacy processes by conducting a comprehensive data audit. Look at what data you collect, where and how you collect it, how you store it and above all how you use it. With this simple and pragmatic approach, an organisation can quickly gain a high level of personal data flows. The map helped to provide the basis for dialogue that needed to take place between GDPR project team and multiple stakeholders inside and outside of the organisation including Business, HR, Legal, Procurement, IT, Security, Compliance (to name a few) in order to understand how compliant we are against the GDPR by conducting a gap and risk assessment.

Based on this service design blueprint we were then able to identify what is the basis for processing the personal data. It not only helped us identify where we are storing it but also gave us an insight of different channels through which we receive and send data.

 

STEP 2 : MAPPING USER JOURNEY AND TOUCH POINTS

User experience is not only about making an interaction more usable and accessible, but also about enhancing the overall user experience across the entire user journey. With a UX design approach, anything a user interacts with is tested and tailored through various iterations to create a better experience overall. 

In order to understand customer touch points we mapped out all the digital journeys from different channels where we captured personal data.

GDPR option 1@3x.png

If the GDPR states that we need to make our consent forms and privacy notices clearer, that means bringing them closer to the user, making them easier to read, and more enjoyable to interact with. What it means is that privacy, data protection and UX are now tied at the hip.

 

STEP 3 : IDENTIFYING GAPS IN THE JOURNEY TO MAKE IT GDPR COMPLIANT

The GDPR states that you need to acquire informed and explicit consent from your users before you can collect, store and use their personal data. Accomplishing that while maintaining a great and seamless user experience is a balancing act.

You need to bring the most relevant points of the privacy notice to the user – under GDPR. It must be clear and prominent. When your users are inputting their information and agreeing to your terms, they need to see the relevant part of the privacy policy right there, right then.

 

Once we identified the touch points where we were capturing personal data, we mapped the journey where we needed to incorporate GDPR consent.


Managing User Expectations


Designing for Informed Consent

maketing consent@3x.png

A privacy notice traditionally informs users what an organisation will do with their information. These notices are usually comprehensive in both detail and length and they are written in lawyerly speak, which is why we don’t read them. But they cover important points, including what information an organisation will collect, how they’ll do it, who they’ll share it with and how they’ll use it. That certainly covers a lot of bases, but it’s not great for the user, who may end up agreeing to things they never would have done if the information had been made clearer.

This is where the GDPR aims to improve matters. It states that companies must provide clear and accessible information regarding its personal data processing methods. Privacy notices must now be:

  • Written and presented in a clear, concise manner
  • Free of charge
  • Transparent, intelligible and easy to acces

Ultimately, improving our standards in these areas is going to lead to a better customer experience and make it more likely that they’ll use our services again.

We were eager to make sure we were GDPR compliant while maintaining a phenomenal user experience. How we presented our quote forms were of particular importance, especially when it came to marketing. To handle it, we looked into the best ways to present privacy information, and altered our internal data policies to ensure our audience’s experience was the best it could be.


Designing with Privacy in Mind