3 things to keep in mind before you design for GDPR

Amanda Yee
Published in UX Collective
6 min read · May 2, 2018


(this is me, all excited at the beginning of my journey — oblivious to the complexity of GDPR)

GDPR. The four letters that have been making your finance, legal, engineering, product teams and you (the designer) sweaty for the past couple weeks.

These little letters stand for “General Data Protection Regulation” and it’s a new law in the European Union aimed at protecting the personal information of residents in the EU.

It’s set to go live May 25th, 2018 and because it’s brand new, there’s no precedent for how products can provide a 100% compliant GDPR solution to their customers.

There’s a fair bit of uncertainty, and for a law where fines can rise up to €20 million, it can seem like a pretty nerve-wracking problem to design for.

But Don’t Panic. And don’t overthink it. Yes it’s a BFD but at the end of the day it’s an opt-in form.

At Drift, we needed to create a toolkit so our customers could be GDPR compliant. This included creating a consent message so they could ask their own customers for consent under GDPR.

Here are 3 big rocks I started with when designing for GDPR in our product.

1. Understand the two main pillars of GDPR: Consent and PII

These pillars go hand in hand, and to get a solid background of what I was designing for I started with learning about consent.

Consent under GDPR means that the user needs to explicitly agree to their data being saved to your system.

Understanding this will help you design an interaction that allows users to properly give GDPR approved consent.

So what does this mean?

  • You can’t have a pre-checked element that states the user agrees to the terms.
  • You can’t get away with adding text that implies automatic consent to another action not connected to consent. For example, a “buy now” button with subcopy that says: “by opting-in, I agree to receive marketing emails”. In this scenario the user is taking an action to buy something — not opt in to terms.
  • The user must explicitly click a button to accept your terms, or they must check a box that opts in to your terms.

On the left is “passive consent” where consent is already given for the user. On the right is “active consent” where the user needs to take an explicit action to give their consent.

After I understood consent under GDPR, I moved on to PII.

PII (personally identifiable information) is any information that can be used to specify an individual.

This is the heart of what is being protected under GDPR.

Knowing what constitutes PII will help you determine where in your product you need to prompt for consent.

It’s a pretty broad category, and tech has made it even broader. I erred on the side of caution at Drift and made it so a visitor would have to opt-in before we saved any communication from them.

For example, after someone types a message, we store it locally and only send it to our system after the visitor has opted in.

2. Know your company’s stance on GDPR

After I got a solid GDPR background, I went ahead and started designing from paper to pixels. That was a mistake — I should’ve understood my company’s position on GDPR first.

When designing anything legal, it’s extremely important to understand your company’s position on the matter.

It’ll help you know what approach you should be taking in the product and what language you can use.

Learn from me and do this sooner rather than later.

The mistake I made was trying to be too prescriptive in the product. I initially designed an experience to help educate our users about GDPR to let them know which options they should pick. However, I quickly found out that was no bueno.

(this is me, trying to educate about GDPR — oops)

I learned that we, Drift, aren’t in any position to make recommendations at all. We’re giving our customers the mechanism they can use, but we can’t say what to do with it — this would be giving legal advice which is not in our feature set or my job description.

And so, I opted to create a more flexible solution to give our customers the tools they need.

I learned that it’s best to err on the side of caution, and stay in close communication with your legal team.

3. Allow for flexibility

Let’s face it — all businesses are different.

It’s important that you provide flexible tools to your customers so they can create the optimal experience for their own customers.

These are the three options I wanted to give our customers more control over:

Audience aka “who will this be shown to?”

  • The need to display a consent form differs under GDPR depending on where your customers do business. Two different audiences your customers should be able to display the form to are: Everyone (all website visitors) and only people in the European Union.

Multiple Languages

  • This blog post is in English, but it might not be the primary language spoken in the country you reside in. Because your customers can support more than one language, they should be able to display their terms in multiple languages. This lets them give the best experience to their own customers, in a language they can understand.

Hyperlinks

  • This one’s easy to overlook. We’re all used to the “click here to read our privacy policy” convention. It’s important that you give your customers a way to follow conventional patterns. Give them a way to link out to their own policy — that way their consent message can be simple and easy to digest, and the link can handle the messy details.
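As an added example (not Drift’s code or anything from the original post), here is a small JavaScript consent gate that applies the rules from section 1 and the three flexibility options above: consent is never pre-granted, it can only be given by an explicit accept action, messages typed before opt-in are held locally and sent only afterwards, and the prompt is configurable by audience, language and policy link. The EU country list, the translations and the policy URL are constructed placeholders.

```javascript
// Constructed example of a consent gate for a chat widget (not Drift's code).
// EU_COUNTRIES is a deliberately partial placeholder list.
const EU_COUNTRIES = new Set(["AT", "BE", "DE", "FR", "IE", "IT", "NL", "ES"]);

// Constructed translations; "en" is the fallback when a language is missing.
const CONSENT_TEXT = {
  en: { body: "We keep your messages to answer you. Do you agree?", accept: "I agree", policy: "Privacy policy" },
  de: { body: "Wir speichern Ihre Nachrichten, um zu antworten. Stimmen Sie zu?", accept: "Ich stimme zu", policy: "Datenschutzerklärung" },
};

// Only these count as the user explicitly opting in.
const EXPLICIT_ACTIONS = new Set(["click-accept", "check-box"]);

class ConsentGate {
  constructor({ audience, visitorCountry, language = "en", policyUrl, translations = CONSENT_TEXT }) {
    if (audience !== "everyone" && audience !== "eu") throw new Error("audience must be 'everyone' or 'eu'");
    Object.assign(this, { audience, visitorCountry, language, policyUrl, translations });
    this.consented = false; // no pre-checked consent: the default is always "not given"
    this.pending = [];      // messages held on the visitor's side until opt-in
    this.sent = [];         // messages that actually reached the backend
  }

  // "Who will this be shown to?": everyone, or only visitors in the EU.
  requiresConsent() {
    return this.audience === "everyone" || EU_COUNTRIES.has(this.visitorCountry);
  }

  // Prompt text in the visitor's language, with the policy kept behind a link.
  prompt() {
    const t = this.translations[this.language] || this.translations.en;
    return { body: t.body, accept: t.accept, policyLink: { label: t.policy, href: this.policyUrl } };
  }

  // Consent is tied to the accept control itself, never to an unrelated action
  // such as "buy now"; anything else is rejected and nothing changes.
  grantConsent(action) {
    if (!EXPLICIT_ACTIONS.has(action)) throw new Error(`'${action}' is not an explicit consent action`);
    this.consented = true;
    this.sent.push(...this.pending); // flush what was typed before opt-in
    this.pending = [];
  }

  // Called whenever the visitor types a message. Returns where it went.
  send(message) {
    if (!this.requiresConsent() || this.consented) { this.sent.push(message); return "sent"; }
    this.pending.push(message);
    return "held";
  }
}
```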

So let’s recap…

1. Consent and Personally Identifiable Information under GDPR.

Understanding what it means to give consent under GDPR will help you give the right tools to your customers to prompt for consent. Understanding what needs to be protected will inform you when to do so.

2. Know your company’s stance on GDPR.

I did this too late and overcomplicated the flow by designing an experience that went against our company’s position. Save some time and dig into this early.

3. Give your customers a flexible solution.

Not all businesses are the same and so it’s important that you design with flexibility in mind. Your customers should be able to use your toolkit to create an optimal experience for their own customers — taking into account different audiences, multiple languages, and hyperlinks.

This is in no way a definitive list of what you need to do to be GDPR compliant in your product. And this doesn’t constitute legal advice — let’s leave that to the legal professionals 🙂

There are so many small things that need to be accounted for, but these are the big rocks that I started with. I hope these 3 takeaways are useful and serve as a starting point when you’re tasked with the challenge of designing for GDPR 🚀

If you found this helpful, I’d appreciate a clap (or two?!) and if you have any questions or feel like saying hi, you can find me here 👉🏽 drift.me/amandayee
