Design February 15, 2018

GDPR & product design: where to start?

Stephanie Depuydt

Product Designer

The General Data Protection Regulation (GDPR) will go into effect on 28 May 2018 and will change privacy laws across Europe. One of these changes is the introduction of 'Privacy by design'. If you are creating a product or service that involves processing personal data (and a lot of them do), you'll need to consider privacy from the initial design stages into the complete development process.

This requires a new mindset. During product design, before even a single line of code is written, you need to think about the privacy issues that could arise. And come up with a plan to avoid or manage those issues. Consider all the ways your user's data can be misused, stolen, accessed, shared, and combined. After all, the best way to mitigate privacy risks is to not create them in the first place. When reading the extensive legislation, deciding what to do design-wise can be daunting, though. 

So let's take a look at some of the guidelines and their impact, throughout the user's journey. 

This will help you explore the impact of GDPR on the user experience of your digital product. 

1. The initial design

You can never start thinking about protecting your user's privacy too early. That's why privacy should be an essential ingredient of your product's design, not the sauce you pour over it at the end. This way, you avoid situations in which you discover at a later stage that implementing essential privacy requirements is difficult, expensive or even impossible. 

During the initial design, think about the necessity of permissions:

  • Only ask for permissions that are required for the functioning of your product. 
  • Pay special attention to permissions that imply a large privacy invasion, such as microphone access or access to contacts.

2. Designing the first user experience

A great first experience is essential to a good and lasting relationship with your user. Creating trust and engagement is crucial. Start by being transparent. It lowers the user's privacy concerns and increases the number of users that give their consent. So clear notices and information are in both the user's and the creator's interest.

You can achieve this by making the entire privacy space user-centric: 

  • Use plain language that is appropriate to your audience. Make sure your users understand what you're asking. You can also add some structure by using a layered approach: summarise the most important points and make more details easily available.
  • Explain why you need the data you're asking for. And reassure users by emphasising what you are definitely not going to use it for. 
  • Give users granular choices where possible. Don't force an 'all or nothing' opt-in on them. For example, separate asking consent for analytics and advertising from consent for essential third-party data sharing. 
  • Implement just-in-time notices. You need to provide relevant privacy information and get consent before your app processes any personal data. With just-in-time notices, you can give the info right before the data is processed. This means you can deliver a clear, specific and separate message for each functionality. 
  • Pre-ticked boxes are a no-go. Consent cannot be given by being inactive or silent, only by a clear and affirmative action. GDPR is very explicit about this. 
  • Consent should be non-blocking. It must be given freely. A blocking consent is only allowed when you can prove that you can't provide your service without the data you're asking for. For example, it's ok to ask for a user's e-mail if you need it to create an account. But it is strongly discouraged if you only want to use it for marketing campaigns.

3. Designing for engaged users

You might be off to a great start, but what about later on? These are a few things you should definitely pay attention to:

  • The privacy segment of your product should be easy to find. Users have to be able to review your policies at any time.
  • Make privacy-friendly settings the default.
  • Withdrawing or changing consent should be as easy as it was to give consent, and it should always be possible. For example, if a user gave consent by ticking a single box, she should be able to uncheck that box with the same ease. You can't hide the feature somewhere deep in your product.
  • When your privacy policy changes, you need to clearly communicate this to your users and they need to renew their consent. In a mobile application, you could do this with a full-screen splash screen that communicates in plain language what has changed and allows the user to seamlessly give renewed consent.

Conclusion? It's a balancing act

Meeting all of the requirements above while maintaining a seamless onboarding will be quite the balancing act.

Where do you put the 'delete account' button, for instance? Of course, you don't want users to delete their account. However, once they've decided to delete it, you don't want to put them through a long and discouraging flow either. That wouldn't be GDPR compliant and it would completely alienate the user. On the other hand, you don't want to encourage users by making account deletion too prominent. The sweet spot? Putting the button somewhere the user can manage her profile as a secondary action. This way, it is accessible enough, but not so prominently placed that it encourages deletion.

Image: the actual user flow for deleting your Instagram account

Look at it as an opportunity

We're moving towards a future where not just computers, but all sorts of everyday objects are acquiring data from their users. So getting informed consent from users will become more and more important. Informing users is critical, but it is also part of a significant balancing act: information has to be useful, not paralysing. Just think of all the privacy policies that you never read.

GDPR entails a great change for all departments of an organisation, and product design is no exception. But it's important to see GDPR as a challenge to innovate instead of a burden. Don't do it because 'the law says so', but take this opportunity to really put your user's integrity first. This way you can build a much more trusting and lasting relationship with your users.