What does GDPR mean for UX?

Unless you’ve been living under a rock for the past 12 months, you won’t have failed to see the term “GDPR” being thrown about with wild abandon. But what exactly is it and how will it affect how we approach the UX of digital products?

The General Data Protection Regulation (GDPR) act came into effect in May last year — it’s a legal framework that sets out guidelines on how to collect and process personal information within the European Union. GDPR affects all companies that do business in the EU and it will particularly affect companies that process data digitally such as websites and apps.

GDPR guidelines have already had an impact on companies’ data processes, as you may have noticed from the influx of emails you no doubt received entitled ‘We have updated our privacy policy…’

The new legislation affects not just how we should handle user’s data, it also has a direct impact on how we design user interfaces. Digital products now need to empower users by helping them make informed decisions about their privacy and give them easier, more accessible ways to control their data. This new approach will require us to rethink the UX and UI of interfaces.

With that in mind, we have created a set of UX guidelines that will be our GDPR framework for approaching projects. We aim to use these to educate and guide our colleagues and clients so that we can all become experts in the UX best practices for handling data.

Mubaloo’s GDPR framework

The following guidelines offer up a framework to guide us on how to build products that follow one of the major tenants of the legislation, that is — “Privacy by Design.” The framework is based on guidelines first set out by CyberDuck. They are the minimum steps we need to take into account to adhere to GDPR, and follow some of the main proponents of user experience design. That being, to create user-friendly interactions that are clear, transparent and which have empathy for the user.

1. Opt-in

Users must actively opt-in to having their data collected and used. Controls and copy should be user-friendly, clear and easy to understand.

2. Granular

Users must give consent to all data processing activities. Displaying consent forms at the time of collection helps give context to the user.

3. Withdraw-able

Users now have the right to easily withdraw their consent at any time. Settings should be designed so that they are easy to access and understand.

4. Transparent

Name every organisation who will handle user data. If you can’t explain why you’re collecting data you probably shouldn’t be!

5. Separate

Consent is completely separate to agreeing to T&Cs; forms and consent agreements should be designed so that this is clear.

6. Beneficial

Whilst asking for consent at the right times is good, it’s even better to clearly explain why consent will benefit their experience.

What does this mean in practice?

Registering an account

Registering an account is one of the first times a user is going to encounter a request for data. It’s really important to clearly explain why you are collecting the data you are, and how it will be used. The following examples will outline some UX recommendations for getting this right.

1. ‘Just in time’ data collection explanations
   ‘Just in time’ notices are called so because they give information about data consent at the time of collection. This example shows how to give your users context surrounding the types of data you need to collect and how it will, and won’t be used. Note that the explanations also give info on how to withdraw consent where applicable.
2. Required & optional data
   Clearly labelling fields that are required and optional will help give context to users when they read the data collection explanations.
3. Email marketing preferences
   Under the new GDPR rules, you cannot assume email marketing consent when users enter email addresses at registration. Instead, it’s all about the micro-copy! Explain to your users the benefits of opting in, and give them granular control over what they are receiving. This could be options on the types of emails they receive and the frequency they are sent.
4. Privacy Policy
   The Privacy Policy shouldn’t be something that is skipped, we want to encourage users to read it so that they are well informed on how their data is being used. Explain why it exists so that the user understands the benefit of reading it.

Privacy Policy

The Privacy Policy has evolved. GDPR states that companies must provide clear and accessible information regarding their personal data processing methods. We should be creating privacy policies that are easy to scan and completely transparent, whilst eliminating the jargon.

1. Separated policy sections
   The length of privacy policies has been an ongoing joke in the tech community. With so much to cover they became endless tomes which users were unlikely to read. Creating user-friendly privacy policies with clearly labelled sections and expandable text is easy and makes it so much easier for individuals to scan, locate and understand the information they need.
2. Explaining the benefit
   The language used is also important. To help users understand what data is being collected and why we should ditch the legal language and give contextual explanations that directly relate to the features within the app. Describing how data collection will benefit their experience is also a great way of encouraging the user to invest.
3. Transparency on 3rd parties
   It is essential that privacy policies name every company, your own and any third parties, who will handle the data. This isn’t a recommendation, it’s a requirement so don’t forget!

Onboarding

Onboarding has traditionally been reserved for practical explanations on how to use an app, however, in the wake of GDPR we can utilise this feature to help uncover the mysterious world of data collection.

1. Introduce the value
   If data collection is a cornerstone of your app, you can never have too many ways to explain the value to the user. For apps like this it’s essential we get the user invested in sharing their data — making the value clear from the start is a great way to get them on board from the offset.
2. Remind users that they are in control
   Again, for apps that rely heavily on data collection and storage, it’s essential to reassure your users about how their data is being handled. App users post GDPR are much more savvy about who they trust with data; using onboarding to remind users that they are in control will help reassure them and build a foundation of trust.

In-app consent

GDPR states that before we collect or use any data we must acquire informed and explicit consent from users. The most effective way of doing so is by using so-called ‘just-in-time’ alerts, so users can give consent only when they need to. Contextually explaining the need for data at the point of collection will help to strengthen trust.

1. Describe the enhanced experience
   Whilst just-in-time alerts help you comply with GDPR and give users context to consent, we can also use it as another chance to describe the benefits. Showing the value in every data notice will encourage users to give consent, and help them get the most out of the app experience.
2. Direct users to data settings
   A great way to help users feel even more in control whilst asking for consent is to tell them where they can go to edit what data is being shared. We’ll talk about how these data settings are enhanced in the next section.

Data settings

Enhanced data settings are where we are going to see some real change in app UX going forward. To comply with GDPR we need to give users full control over their data, this means giving them the right to browse, change and delete any of the data our apps hold.

1. Revoking consent
   This is an important one as it is essential that users have the right to revoke consent on any of the data policies they have previously agreed to. So… tell users where they can go to do this, make it easy to access, and when they are there make sure you are explaining the implications and how it may affect their experience.
2. Granular marketing preferences
   We should ideally be giving users access to their marketing preferences within the app. To bring some added value, don’t just give them one option — make it granular! Giving the user control over how often they want to be contacted, or even the types of email they receive will make for a happy customer and most likely will result in more users opting in to your mailing list.
3. The right to download and delete
   Users now have the right to download and/or delete any data that we have collected from them, at any time. Making the data options granular so that users can have flexible control is a nice way of enhancing this rule. We also need to make sure that downloading and deleting data is not hidden in deep layers of settings as it has been previously.

In conclusion…

The GDPR rules can be a confusing set of guidelines to work from, however, once we distil the rules into a basic set of standards (as outlined in Mubaloo’s GDPR framework) it becomes much easier to design user interfaces that adhere to them. UX designers strive to design with the user in mind, and our GDPR framework makes sure we are doing just that when designing for data collection. Data handling and its intent should be clear and transparent, privacy controls should be accessible and uncomplicated in design and language, and everything surrounding data that we embed into a product should be beneficial to the user's experience. In essence, we’re simply extending our current user-centred design practices into the realm of data collection, and that can only be a positive thing for digital products.

Thanks to David Higgs who was the first write about GDPR at Mubaloo and got the ball rolling for this article. And to CyberDuck who’s guidelines, this framework is based upon.