Unless you’ve been living under a rock for the past 12 months, you won’t have failed to see the term “GDPR” being thrown about with wild abandon. But what exactly is it and how will it affect how we approach the UX of digital products?

The General Data Protection Regulation (GDPR) act came into effect in May last year — it’s a legal framework that sets out guidelines on how to collect and process personal information within the European Union. GDPR affects all companies that do business in the EU and it will particularly affect companies that process data digitally such as websites and apps.

GDPR guidelines have already had an impact on companies’ data processes, as you may have noticed from the influx of emails you no doubt received entitled ‘We have updated our privacy policy…’

The new legislation affects not just how we should handle users' data; it also has a direct impact on how we design user interfaces. Digital products now need to empower users by helping them make informed decisions about their privacy and give them easier, more accessible ways to control their data. This new approach will require us to rethink the UX and UI of interfaces.

With that in mind, we have created a set of UX guidelines that will be our GDPR framework for approaching projects. We aim to use these to educate and guide our colleagues and clients so that we can all become experts in the UX best practices for handling data.

Mubaloo’s GDPR framework

The following guidelines offer up a framework to guide us on how to build products that follow one of the major tenets of the legislation, that is — “Privacy by Design.” The framework is based on guidelines first set out by CyberDuck. They are the minimum steps we need to take into account to adhere to GDPR, and they follow some of the main principles of user experience design: to create user-friendly interactions that are clear, transparent and which have empathy for the user.

1. Opt-in

Users must actively opt-in to having their data collected and used. Controls and copy should be user-friendly, clear and easy to understand.

2. Granular

Users must give consent to all data processing activities. Displaying consent forms at the time of collection helps give context to the user.

3. Withdraw-able

Users now have the right to easily withdraw their consent at any time. Settings should be designed so that they are easy to access and understand.

4. Transparent

Name every organisation that will handle user data. If you can’t explain why you’re collecting data, you probably shouldn’t be!

5. Separate

Consent is completely separate from agreeing to T&Cs; forms and consent agreements should be designed so that this is clear.

6. Beneficial

Whilst asking for consent at the right times is good, it’s even better to clearly explain how giving consent will benefit the user’s experience.
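The six principles above are UI guidance, but the interface can only be honest if the system behind it stores consent in the same shape. As an added illustration that is not part of Mubaloo’s framework or the original article, the following Python sketch models a per-user consent record that starts with nothing granted (opt-in), tracks each processing purpose on its own (granular), can revoke any purpose and keeps the audit trail (withdraw-able), names every processor so the UI can show it (transparent), and keeps T&C acceptance apart from consent (separate). The class and purpose names are hypothetical; the purposes themselves are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Purpose:
    """One distinct processing activity the user can consent to (hypothetical model)."""
    key: str
    description: str       # plain-language reason shown to the user
    processors: List[str]  # every organisation that will handle the data


@dataclass
class ConsentEvent:
    """One consent decision, kept so withdrawals and grants are auditable."""
    purpose: str
    granted: bool
    at: datetime
    source: str            # where the choice was made, e.g. a form or settings page


class ConsentRecord:
    """Per-user consent state following the six principles (hypothetical class)."""

    def __init__(self, purposes: List[Purpose]):
        self._purposes = {p.key: p for p in purposes}
        # Opt-in: every purpose starts as NOT granted; nothing is pre-ticked.
        self._state: Dict[str, bool] = {k: False for k in self._purposes}
        self._history: List[ConsentEvent] = []
        # Separate: T&C acceptance lives in its own field and never implies consent.
        self.terms_accepted_at: Optional[datetime] = None

    def _record(self, key: str, granted: bool, source: str) -> None:
        if key not in self._purposes:
            raise KeyError(f"unknown purpose {key!r}")
        self._state[key] = granted
        self._history.append(
            ConsentEvent(key, granted, datetime.now(timezone.utc), source))

    def grant(self, key: str, source: str) -> None:
        """Granular: consent is given for one purpose at a time."""
        self._record(key, True, source)

    def withdraw(self, key: str, source: str) -> None:
        """Withdraw-able: revocation is a first-class operation, not a deletion."""
        self._record(key, False, source)

    def accept_terms(self) -> None:
        self.terms_accepted_at = datetime.now(timezone.utc)

    def may_process(self, key: str) -> bool:
        """The single check processing code should make before using data."""
        return self._state.get(key, False)

    def explain(self, key: str) -> str:
        """Transparent: the text a consent control should show for a purpose."""
        p = self._purposes[key]
        return f"{p.description} Handled by: {', '.join(p.processors)}."

    def history(self, key: str) -> List[ConsentEvent]:
        return [e for e in self._history if e.purpose == key]


# Constructed sample purposes for a sign-up flow (not from the article).
SAMPLE_PURPOSES = [
    Purpose("account", "We use your email to sign you in and send receipts.",
            ["Example App Ltd (hypothetical)"]),
    Purpose("marketing", "We send you offers we think you will like.",
            ["Example App Ltd (hypothetical)", "Example Mail Provider (hypothetical)"]),
]


def signup_flow() -> ConsentRecord:
    """Walks through a sign-up where the user accepts T&Cs and opts in to one purpose only."""
    record = ConsentRecord(SAMPLE_PURPOSES)
    record.accept_terms()                     # does not grant any purpose
    record.grant("account", "signup-form")    # user ticked this box
    return record


if __name__ == "__main__":
    r = signup_flow()
    for key in ("account", "marketing"):
        print(key, r.may_process(key), "-", r.explain(key))
    r.withdraw("account", "settings-page")
    print("after withdrawal:", r.may_process("account"), len(r.history("account")))
```

The point of the model is that `may_process` is the only question the rest of the code base asks, so a pre-ticked box, a bundled T&C checkbox, or a withdrawal that silently fails cannot be hidden in the UI: the stored state is either a recorded grant or it is false.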

What does this mean in practice?

Registering an account

Registering an account is one of the first times a user will encounter a request for data. It’s really important to clearly explain why you are collecting the data you ask for, and how it will be used. The following examples will outline some UX recommendations for getting this right.