GDPR: The Newest Trend or a Trendy Must?

9 August 2018

The technology boom of the 21st century has raised many important issues, and the protection of users' data can rightly be considered a crucial one. The increasing number of internet scams and frauds, not to mention Internet terrorism, was the impetus for the creation of GDPR (General Data Protection Regulation). In April 2016, GDPR was finally approved after four years of editing and debate, with an enforcement date of May 25th, 2018. After this date, many companies operating in non-compliance with these regulations are likely to meet heavy penalties and fines.

Today we consider aligning software development with the regulatory course of GDPR both a necessity and a trendy must for all new and existing products. More and more often, BA practitioners encounter projects that are supposed to serve users with an appropriate level of transparency and observance of user rights. NIX Solutions, as a company seeking to provide its clients with the most relevant services, has scrutinized the regulatory principles of GDPR and the best practices of GDPR-compliant applications to bring out a list of features and requirements to be considered at the project stage.

The key regulatory requirements can be condensed to the following:

  • transparent and fair data processing driven by legitimate purposes only (companies request no data beyond what is legitimately needed, take responsibility for the data they obtain and process, and inform subjects about the activities concerning the information they provided)
  • constraints on data purposes and storage (companies collect only data necessary for legitimate purposes and process it within the limits of this purpose, removing it after the processing is over)
  • users' rights (providing users with the rights: to know the exact personal information the company possesses; to know for which purposes it needs the data; to demand the correction, transfer or removal of their information; and to object to data processing or submit a complaint)
  • consent for data needed outside the predefined legitimate purpose (providing the user with a clear request to obtain and process the additional data). Collecting data about children under 16 requires the particular consent of parents or legal guardians.
  • management of a Personal Data Breach Register (keeping the regulator and users informed about a data breach within the following 72 hours)
  • default privacy mechanisms (new systems and applications should be designed ensuring users’ privacy protection)
  • Data Protection Impact Assessment (procedure prescribed for the assessment of any considerable changes to the data processing mechanisms of existing products/projects or new products/projects)
  • protection of data transfers (the company is accountable for the protection of personal data even if its processing is conducted by a third party, and thus has the responsibility to ensure secure data transfer to the third party within or outside the company)
  • Data Protection Officer (a person assigned specifically to consult on EU GDPR requirements, mostly applicable to companies conducting considerable processing of personal data)
  • employee awareness (the company should conduct training on privacy protection mechanisms and ensure awareness of GDPR regulations among its employees, making it a personal responsibility of every team member)

Among the listed requirements, consent is probably the most vital one, since by giving consent users grant permission to collect and process their data according to your legitimate purposes. Getting deliberate consent is not as simple as it seems. There are several aspects of this procedure according to GDPR. Let's examine some of them with examples from the best working UX practices.

    1. Consent forms should be separated from terms and conditions forms. Consent cannot be made a condition of service sign-up if it is not needed for the service to operate. Sainsbury's has set a good example of this practice with two separate blocks for Contact permission and Terms and conditions, giving the user the right to reject the distribution of special offers and thus not to provide any personal information.
    2. Opt-in fields should be either unticked or offer a binary choice. Canadian Walmart met this requirement with an active opt-in solely for e-mail distribution, emphasizing that the request is optional (in brackets) and listing in detail the kind of content users will get by giving their consent.
    3. Detached consent forms for different kinds of data requests serve you best, since users won't reject the whole request because it contains one piece of data they don't want to share, not to mention the level of transparency this grants. A nice job in this field was done by Woolworth's Australia, which designed three checkboxes for SMS, e-mail and sample posting. Age UK came up with four checkboxes for e-mail, phone, SMS and posting, each with an active opt-in.
    4. Transparency as to the specific company and any third party involved in processing personal data. Transparency requires naming the company and the third party. A fine example is provided by Waitrose, with different checkboxes for all the organizations that are supposed to send updates. Users can select the organizations they do not want to receive updates from.
    5. The consent request should come with the possibility of erasure by the user at any time without delay. The data withdrawal process should be as clear as giving consent. The Guardian offers its users the option to delete their account with all the information involved and explains how it would affect the user's previous activities.

All the mentioned requirements and their peculiarities are carefully considered by our team; new products will have some default features ensuring privacy protection and compliance with GDPR, such as encrypted data storage, clear consent forms, etc. Although our company does not have GDPR Certification, we have enough expertise to provide our clients with a list of important recommendations on functionality requirements for further discussion with lawyers and consultants, so that the end product can be changed in compliance with GDPR. All parties involved in product development, as well as stakeholders, will be notified of the need to perform additional changes and add proper functionality. After all, with technology evolving from simple mechanised solutions into personalized ones, protection of users' rights must be put at the forefront to enhance consumers' experience and support further technology development.