The EU’s General Data Protection Regulation is an unprecedented new data-protection law that imposes compliance with stricter privacy rules, giving individuals greater control over their personal data.
Even without context, you’ve likely witnessed its effects in the form of a barrage of emails with updated privacy policies and consent requests that were sent to you in the weeks leading up to the GDPR’s enforcement on May 25.
Emails like these were typically marked spam or promptly sent to the trash folder, but as individuals began to recognize the volatility of their online data protection, they were particularly helpful for data subjects to understand how to exercise their privacy rights.
As technology adapts to meet new privacy regulations, user-experience designers will play an important role in modernizing digital products and contributing to the adoption of current and future regulations.
One critical aspect of a UX designer’s responsibility is to understand and adapt to the new standards, ensuring that product workflows follow best practices to protect users’ privacy. With this in mind, UX designers should begin by prioritizing one of the GDPR’s core principles: Consent.
The GDPR defines consent as: “Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Here are a few examples illustrating how capturing consent within a user’s experience can be adjusted to comply with GDPR requirements.
• Consent must be explicit, not implied. In this example, the user must explicitly click on a checkbox stating that they agree to the terms and conditions, and then click on a second checkbox stating that they agree to receive marketing newsletters.
• Privacy by default. Following GDPR principles, organizations may never default to a state in which consent is pre-assumed. The default state should be the most private state, and the burden of acquiring privacy should fall on the business, not the user.
• Users should be informed. Users must be clearly informed of their rights as data subjects and should have the ability to revoke consent to access and/or process their personal data. Information presented to the user should be in an easy-to-understand, natural language, and options to revoke it should never be hidden or made deliberately obscure.
• Granular permissions. Privacy controls for users should be laser-focused and specific, giving the user the ability to fine-tune what types of data they consent to making available. Data should never be bundled together in a way that punishes the user by making a service unusable because the subject did not consent to a certain type of nonessential data processing.
• Context should be clear. The user should be made aware of the implications of consenting to the collection of each type of data, along with why the data is needed, how the data is used, and who it will be shared with. The user should never be expected to make a decision on whether or not to consent to the use of personal data without knowing the context of why they’re doing so.
Organizations that invest in compelling user experiences to respectfully obtain consent from data subjects will see a distinct competitive advantage in the wake of GDPR.
Consent mechanisms that are easy to read and understand will eventually become the norm, but the sooner companies can implement a better user experience, the better.
Gareth Botha is a user-experience designer at Atlanta-based Evident.