GDPR from a UX/UI designer’s perspective!

the little gyroscope
5 min read · May 8, 2018

5 minute read or scroll down to see the pictures ;)

If you haven’t heard the word GDPR yet, here’s a brief overview for you.

The General Data Protection Regulation (GDPR for short, or for the cool cats) has been drawn up by the EU Parliament & Council for the purpose of protecting citizens’ information in the digital space. It will be coming into force across the EU on the 25th May 2018, by which time businesses not in compliance will face massive fines.

It will be replacing the 1995 Data Protection Directive (because of course nothing’s really changed in these last two decades). The plan is to harmonise data privacy laws across Europe, to protect and empower all EU citizens. This will reshape the way businesses approach data privacy, with users taking more control over their shared data and companies providing clear guidance on how and why user data is being used.

How is it going to affect us UX/UI-ers?

Firstly, let’s start with a few positive lines (cue soothing cup of word cocoa). This new policy change is a great opportunity for us to collaborate with the client and stakeholders in the design and architecture of onboarding processes, especially when it comes to gathering personal data (name, location, ID numbers) and sensitive personal data (biometric, health, racial).

Two areas you will see an overhaul of (without making your user journeys complicated and inaccessible) are how we handle privacy notices and consent.

Okay, Dave! Enough of that, let’s get visual and show me what you mean!

So I have whipped up a few quick visuals, based on a fictional brand I call ‘Dave’s Fitness’ on an Android device. You will be able to re-apply the same core values and themes across native iOS and Web.

Below are a few examples: the registration process, privacy policies and pop-ups around gaining access/permission, and also how we handle collecting or storing data.

Let’s take a look at the way we request data and consent around the registration process:

  1. Number one shows what we are starting to call just-in-time data rationale. This simply means having some form of indicator on any input field where the user may want to know the rationale behind you wanting this data. It is a perfect chance for you to put your users at ease. I have represented this with a (?) icon, and when the user taps it, it will display a simple message for the user to read.
  2. Displaying a link to view the privacy policy and a checkbox to confirm you have read it.
  3. Privacy policy video; I have seen some companies implement a privacy policy video summary. This is normally done by a GDPR champion or high ranking individual who talks through a high-level overview of their policies, data collection, data storage and security.
  4. Firstly, this is an ‘opt in’ service now under the GDPR rules, so no more auto-checked boxes please! For the sake of this point I have made the checkbox a button which, on tap, will take you to a popup for your newsletter preferences. Also add a note somewhere that this is optional.
  5. Have inactive buttons until all of the mandatory fields are filled.
  6. This is showing a simple way for a user to add their preferences (in the way of a popup). The two key areas for this will be how and what; how would you like to receive our newsletter and what would you like to hear about. If there are any third parties involved with any selection made then they will need to be brought into the form also.
  7. When the user taps ‘add’ it will bring them back into the form with their preferences displayed and an option to remove / edit.
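
The rules in steps 2 and 4 to 7 can be captured as form state that the UI simply renders. The sketch below is an added example, not code from the original article; the field names, channels and topics are hypothetical.

```javascript
// Added example: form-state model for the registration steps above.
// Field names and preference values are hypothetical.
const MANDATORY_FIELDS = ["name", "email", "password"];

function createRegistrationState() {
  return {
    fields: { name: "", email: "", password: "" },
    policyAccepted: false, // step 2: the checkbox is never pre-checked
    newsletter: null,      // step 4: opt-in, null means no consent given
  };
}

// Step 5: the submit button stays inactive until every mandatory field is
// filled and the policy box is ticked. Newsletter consent is optional and
// is never a condition of registering.
function canSubmit(state) {
  const filled = MANDATORY_FIELDS.every((f) => state.fields[f].trim() !== "");
  return filled && state.policyAccepted === true;
}

// Step 6: the popup records how and what, plus any third parties involved.
function addNewsletterPreferences(state, { how = [], what = [], thirdParties = [] }) {
  if (how.length === 0 || what.length === 0) {
    throw new Error("choose at least one channel and one topic");
  }
  return { ...state, newsletter: { how: [...how], what: [...what], thirdParties: [...thirdParties] } };
}

// Step 7: preferences displayed in the form can be removed again.
function removeNewsletterPreferences(state) {
  return { ...state, newsletter: null };
}

// What gets stored on submit: consent is timestamped, and marketing consent
// exists only if the user actively added preferences.
function buildConsentRecord(state, now = new Date()) {
  if (!canSubmit(state)) throw new Error("form incomplete");
  return {
    policyAcceptedAt: now.toISOString(),
    marketing: state.newsletter
      ? { granted: true, grantedAt: now.toISOString(), ...state.newsletter }
      : { granted: false },
  };
}
```

Binding the submit button's disabled state to `canSubmit` and the newsletter button's label to `state.newsletter` keeps the opt-in default in one place instead of scattered across the view.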

What about the way we onboard users when things have changed? Also, what should it look like when they view the privacy policy screen?

Provide users with a simple modal or overlay to alert them to any changes or updates that they may need to read or accept. If they choose to ‘learn more’, it should take them to the privacy policy.

The privacy policy should be easily accessible and worded in a manner that is user-friendly and understandable to all of your product’s demographic. You should consider the user’s age, their ability to understand & retain information, and the main areas of data that may be of interest.

What about the way we ask for access to users’ data when they proactively select the features that need it or could make the UX better?

The image above shows a pre-permissions pop-up which allows us to give a deeper rationale for what the user will gain from enabling their location. You should also provide a polite reminder that the user can still continue without any effect on their current service and/or that they can update, change or remove any access to the app via the settings.

How about implementing polite data reminders?

We all know by now we should not be adding additional input/fields without real rationale to the user; also how about offering users the chance to remove data if they have not used a service for a while?

Say you have a fitness app tracking the user’s location for when they go for a jog, and after x amount of months they are no longer using this service. If they are still using your product for something else, let’s say healthy food recipes, then we no longer need to be collecting that data. Why not give them a nudge to turn it off?
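
One way to decide when that nudge should appear, as an added example that is not part of the original article: the feature names, the permission labels and the 90-day idle threshold (standing in for "x amount of months") are assumptions.

```javascript
// Added example: decide when to show a "polite data reminder".
// Feature names, permission labels and the 90-day threshold are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

function daysSince(isoDate, now) {
  return Math.floor((now - new Date(isoDate)) / DAY_MS);
}

// features: [{ name, permission, lastUsed }]; permission is null when the
// feature needs no device data. granted: Set of permissions currently enabled.
function dataReminders(features, granted, now, idleDays = 90) {
  const active = new Set(
    features.filter((f) => daysSince(f.lastUsed, now) < idleDays).map((f) => f.name)
  );
  if (active.size === 0) return []; // nobody to nudge: the product is not in use at all

  // Permissions still needed by a feature the user actively uses.
  const stillNeeded = new Set(
    features.filter((f) => f.permission && active.has(f.name)).map((f) => f.permission)
  );

  const nudges = [];
  const seen = new Set(); // one nudge per permission, even if two idle features share it
  for (const f of features) {
    if (!f.permission || !granted.has(f.permission)) continue; // nothing to turn off
    if (stillNeeded.has(f.permission) || seen.has(f.permission)) continue;
    seen.add(f.permission);
    nudges.push({
      permission: f.permission,
      feature: f.name,
      idleDays: daysSince(f.lastUsed, now),
      message: `You haven't used ${f.name} for a while. Turn off ${f.permission} access?`,
    });
  }
  return nudges;
}

// Constructed sample data: jogging idle since January, recipes used last week.
const sampleFeatures = [
  { name: "jog tracking", permission: "location", lastUsed: "2018-01-10" },
  { name: "recipes", permission: null, lastUsed: "2018-05-01" },
];
const sampleNudges = dataReminders(sampleFeatures, new Set(["location"]), new Date("2018-05-08"));
```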


So in conclusion…

I hope you found this article helpful! If you have any comments, links or further reading, I would love to hear from you. I want this article to evolve over time; as discoveries and comments are made, I will update this post to reflect that.

Further reading:

The Information Commissioner’s Office (ICO) was a great resource in this research. It is responsible for upholding information rights in the public interest. As such, they’ve detailed some of the best practices for preparing for the GDPR.

Article version 1.0