Taking what we learned from GDPR compliance and bringing it into our design process
It’s no secret that we’re in a time of data overload. From advertising to digital profiles and location tracking, apps are gathering user data on anyone with a device. Large companies like Facebook have built their success on gathering user data, which has led to many companies trying to copy the same business model under the belief that more user data is the way to succeed.
A big problem is that many companies are gathering user data and don’t even know what to do with it. While others are selling it without users ever knowing. In most cases, it’s simply stockpiled. All because they believe that a large amount of user data will give them that ‘moat’, a competitive advantage, that investors like to see. Even when they don’t know how to put that data to use, it’s viewed as a valuable product.
The desire for creating a monetarily successful platform isn’t the only reason why user data has become so ubiquitous. Users have been trained over the years to hand over their data for convenience. As technology progressed designers asked for more and more and it became habitual for users to just say yes. But with numerous data breaches and abuses being exposed (Cambridge Analytica, Facebook) the concern for privacy is starting to surpass the desire to use free systems.
So how did we get to this point? And what do we have to do to fix it?
The force behind User-Centered Design
‘User-Centered Design’ isn’t just a buzzword in the design world, but one of the largest paradigm shifts in software design in the last few decades. Gaining popularity after the publication that coined the term by Dan Norman and Stephen W. Draper in their 1986 work ‘User Centered System Design: New Perspectives on Human-Computer Interaction’. It was a drastic shift towards focusing on usability and collaboration from a user’s perspective instead of the purely data-centred focus design from the decades before. User feedback, user research, and usage metrics became the secret sauce for building digital products. Putting the desires and wants of the user at the center of how we build products.
For a while this was a great development all around, users received products that fit their life better and didn’t require 100-page manuals. To be able to gather more usage metrics without having to put a demand on users time, software started to track users in more detail systematically. It started small, and over time it became second nature to hand over our data. Be it either consciously typing it out, or simply agreeing to send automated use data. While some groups warned about the erosion of our privacy, the convenience that came from using these tools felt worth it. Get information faster, communicate more easily, have access to more resources.
“The only way to avoid being affected by the algorithm would be to never, ever give anyone access to your data.”
After years of this one-sided exchange and exposure of poor data management practices, there is now a push back with privacy at the helm. Designing around the user can no longer be done without thinking about their data.
Privacy changes on the horizon
Becoming GDPR compliant was a serious undertaking for Luffa. We already had European users and we believed in the goals and ambitions of what the GDPR was setting out to do: Allow users to stay in control of their own data. As part of our GDPR prep, we created a Data Map. As an exercise, this gave us a view on our platform that we hadn’t seen all together before. We could now easily understand where our user’s data started, where it got processed and how many different systems it interacted with during its life cycle. When thought of in this full context and including the user in the flow, we call it the Data Journey.
While the GDPR doesn’t affect all corporations, there are new laws on the way for more countries to protect the data privacy rights of users. These changes can’t simply be fixed with up to date privacy policies and disclaimers. The goals behind regulations such as the GDPR is to make sure that our design choices properly respect and empower these rights.
From User-Centered to Data-Conscious Design
If a user isn’t familiar with data management and how data they give a company can be used and sold, it should be up to the designers to make sure that they are doing everything in their power to protect this data. As it’s been shown that companies can’t be trusted to protect user data, data laws have been forced to play catch up. The GDPR isn’t the first data privacy law to be put into action but it’s one of the first of its scale. People are becoming more well informed about the rights they hold and will begin to demand more from the services that they use.
“By giving consumers the ability to understand their data, the way it’s being used, and how that affects their lives, we will have designed a system that puts consumers in control of their own freedom.” — Joe Toscano⚡️
Becoming GDPR compliant isn’t only about user features and legal requirements but adopting a whole new level of design thinking. Accountability over data is a company-wide effort, which is why the GDPR states education about privacy practices as a key objective of Data Privacy Officers (DPOs). Becoming compliant means building a kit of tools to force builders to think about data privacy before they begin building.
Keeping your official GDPR documents up to date means referencing them whenever you set out to build a new feature. By physically having to update these documents to remain compliant it creates a real step in the process of development instead of just a vague sense of “thinking about it”. Having processes in place is one of the most reliable ways to integrate new ways of thinking into development as it forces team members to take action. Another step is to have an internal DPO who is the key member of the team to promote proper data practices and champion the user’s rights.
At Luffa we build technology that works with the user’s spoken word. We know that privacy concerns are often the forefront of new users’ minds. To address this issue early we made everything Luffa does transparent to the user so they know exactly what’s going on at any point. With this approach, we’re able to be clear about data use, give users control, and promote a more positive approach instead of relying on automated restrictions such as access controls and user hierarchies.
“I do want to make sure we’re thinking of privacy not necessarily in terms of the specific piece of information being private or not private but thinking about who controls that piece of information, who owns it, and what they’re allowed to do with it.” — Malka Older
For lots of teams and designers, making space for more data-conscious design will mean re-working existing systems to meet new laws. But that isn’t the bar that teams should be aiming for. The old exchange of data for service can no longer be the main basis for products, not when users don’t know exactly how their data is going to be used.
With a Data-Conscious approach to design, we need to prioritize privacy and data control. Which goes hand in hand with being transparent to users. Tech literacy is the highest it’s ever been and users should no longer be kept in the dark about systems just because we might assume that they wouldn’t be able to understand. Even if they don’t understand, it doesn’t mean we should be taking advantage of that. Design choices need to take into account the least tech-savvy people so that privacy isn’t the privilege of the knowing.
Data management is now a social issue and tech cannot claim to be agnostic towards social issues. Technology is more prevalent than it was in the 60s so we made it so people and computers get along better with user-focused designs. Now technology isn’t just more prevalent but nearly unavoidable. People have few ways to avoid engaging with technology, every store wants their email, every new device wants access to their contacts. A user data-centred approach shows users that you take their data privacy seriously and aren’t out to take advantage of them. In the world of ever more competitive apps, consumers’ trust in your system is the real competitive advantage that you should be after.
Have questions about Luffa’s GDPR approach? You can reach our DPO at email@example.com. Curious about Luffa in general? You can sign up for a free account at okluffa.com