Beyond GDPR Compliance: UX and Data Empowerment

GDPR as an opportunity for transparency and human agency rather than a restriction
Workshops
Author: Paul Matthews, Virginia Power

Published: July 14, 2018

This post accompanies a workshop first delivered at UX Bristol 2018. The motivation behind our workshop was that the aims of GDPR and good UX are aligned and are all about transparency, understanding and control.

Sharing data

We have argued that, in fact, GDPR can be used as a springboard for innovative approaches to interface design where data protection principles are better integrated into the flow of interactions. This is compatible with the Mydata.org principles, one of which is moving “beyond data protection to data empowerment”.

Striking a productive balance

“The processing of personal data should be designed to serve mankind.”
(GDPR Regulations)

This vision statement for GDPR captures the joint aim of enabling companies and organisations to process and manage data in order to deliver products and services, while giving due respect to the rights of the individual citizen. The regulation is careful to maintain the ability for companies to innovate and develop tools with societal benefits - but individuals should not be exploited in the process.

Four key rights in GDPR

Four GDPR areas - consent, erasure, portability, profiling

While informed consent is one of the better known provisions of the regulation, the right to removal of data (erasure) and the right to download your own data for personal use or transfer (portability) are additional features that can be implemented in the UI.

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”
(Article 17)

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”
(Article 20)

A further important area covered in GDPR is the effect on the individual of decisions made as a result of automated / algorithmic processing (profiling). While the regulation focuses specifically on decisions with potentially legal impact such as getting a job or access to finance, we feel that it should also be applied to any sort of classification process: the individual has a right to an explanation of the steps in the process and the assumptions made as to why they are being placed in any particular category.

“the controller shall .. provide the data subject with the following further information necessary to ensure fair and transparent processing: the existence of automated decision-making, including profiling .. and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
(Article 13)

We looked at a number of examples from the web that included good, bad and ugly UI design practice. What came out well were sites which combined simple microcopy with indicative images or icons:

  1. Google’s Personal Info and Privacy Tools (https://myaccount.google.com/privacy)

Google download personal data

Google account deletion

  2. Dyson Privacy Policy (http://privacy.dyson.com/en/globalprivacypolicy.aspx)


Conclusion

Apart from warning against pre-ticked checkboxes for consent, the regulation does not stipulate particular user interface approaches to implementing our data protection rights. So it is useful to look at emerging practice and to explore new ways of making them both actionable and understandable. UX practice and the emerging area of legal design can help to suggest and validate these interactions with personal data.

Resources

We mentioned some useful resources, including If’s CC licensed design patterns and Juro’s blog covering their UX approach to redesigning their privacy policy.

  1. If’s data permissions catalogue design patterns (https://catalogue.projectsbyif.com/)
  2. Legal Design in Practice - Redesign of Juro’s privacy policy (https://medium.com/juro-blog)
  3. GDPR & the User Experience (https://uservision.co.uk/2018/05/gdpr-the-user-experience/)