GDPR: Good Designers Practice (data) Regulation

Ben Prudden
Published in whiteoctober-posts, Jul 13, 2018

GDPR is a really big deal. But you probably knew that already. If you are in any way involved in collecting people’s personal information, it’s a sweeping piece of legislation that impacts all areas of your business. What’s more, since it is the first regulation of its kind for the tech industry, an industry that typically (necessitated by the pace of change) resists regulation, there is inevitably a lot of upheaval for everyone involved.

For designers, I believe GDPR is a real opportunity. With a global spotlight on everything from Cambridge Analytica to developers accessing your Gmail, GDPR strives to give people significantly more control over their own information, elevating the impact of user-centred design. UX best practices now align with your organisation’s larger objectives, becoming an essential part of complying with laws that have potentially enormous consequences.

We are uniquely positioned to transform the process of data gathering, moving from forms that are overly invasive and riddled with dark patterns to a more mutually beneficial and trusting experience. But where to start?

At White October, we have recently been working with UNISON to modernise their new-member online joining experience. UNISON are the UK’s largest public sector trade union, with over 1.3 million members. They take the personal information of their members incredibly seriously, and worked with us through the GDPR implementation period to ensure their signup form was a world-class example.

There are plenty of documents, articles, and whitepapers out there (that I would encourage you to read), but they often don’t serve as a practical foundation to base decisions on. We found our success by working in the spirit of the legislation’s principles. Those principles are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Each principle is important and together they form a solid framework, but fairness and transparency, purpose limitation, data minimisation, and accuracy lend themselves to being user-facing. When facing GDPR, begin by asking yourself four questions.

1. Are we hiding anything? (Fairness & transparency)

Be transparent about what people are signing up for and about the process they are about to embark on. Clearly title pages, show what to expect next, and communicate progress.

As a matter of fairness, don’t assume your audience has completed a form online before or will hunt for your policy documents. Lay out your questions sequentially, make certain your audience can access them from their device of choice, and don’t hide your policies.

The new UNISON Join online experience with nice clear title and progress indicator.

2. Are we being specific? (Purpose limitation)

It’s no longer appropriate to ask your users to consent to a sweeping generalised statement about all the possible ways you might use their information.

Tell your audience specifically what you intend to do with their information, in close proximity to the information you are requesting, and with an explicit action to opt in (there is no more opt-out; leave those checkboxes empty by default!).

Especially with phone numbers, be specific and granular

3. Do we really need this? (Data minimisation)

This one is my favourite. Drastically reduce the amount of information you ask your audience to provide. If you do not absolutely need it for the purpose of the form (this doesn’t mean you can’t ask for it later) then you should not be asking for it.

Ultimately, I believe this should result in zero ‘optional’ fields, reducing both errors and time to complete.

4. Can it be explained clearly? (Accuracy)

Frankly, if you can’t easily describe what you’re asking for and why, then you shouldn’t expect your audience to enter it.

Use familiar or common terms, and if it’s complicated don’t be afraid to use extensive microcopy to build confidence.

These 4 questions make a great starting point for maximising the design opportunity GDPR offers. But they are just the beginning. GDPR is not single-use; it’s a practice.

It’s useful to think about how you could use these every day within your creative team. Beyond your creative teams, good design practice in GDPR acts as a conversation starter across your entire organisation.

Believe us, your company, audience, and clients will thank you.

Originally published at blog.whiteoctober.co.uk on July 13, 2018.
