As I commented in my first post the GDPR was approved by the European Commission in 2018 to protect the privacy and rights of individuals with regard to personal data. These rights apply to any person whose personal data (PD) is processed by a controller or processor.
- Personal data (PD) is any form of data that can be used to identify a person. It obviously refers to your name, identification number, location data and online identifiers, but also to physical and demographic factors such as physical, psychological, genetic, mental, cultural data or even a person’s social identity and opinion.
This touches directly on aspects such as online marketing, but also on some specific areas such as health or scientific research. They would need to disconnect that data from other personal identifiers, creating identification codes to disaggregate the information. But all of this concerns developers or back-end programmers more than designers, so I’m going to make a brief list of the rights that I do think we should know impetuously:
- Right to be informed: the subject must know that their data is being used and why, among other things, a good example is this one from EasyJet:
- Right of access: the subject is guaranteed to know what data has been collected about him and how it has been processed.
- Right to rectification: allows the subject to make changes on their data to correct them.
- Right to Oblivion: guarantees subjects the possibility of deleting their data if they do not want to be processed anymore and also that the controller stops storing them.
- Right to restriction of the process: right of the subject to limit the processing of his data.
- Right to obligation of notification: user must be notified of modifications, rectifications, restrictions or deletions of procedures
- Right to data portability: allows the subject to request the personal data that has provided to a controller and to transmit that data to another controller of them choice.
- Right to object: the subject can say that does not want them data to be processed or to be further processed.
- Right to subjective data: includes not being subject to a decision based solely on an automatic process, this directly attacks the so-called profiling.
Let’s take an easy example, if in the fitness app you use to count your steps, the company decides to sell your GPS location data, it will need to inform users before and that they give you consent both to collect and store this data and for the other uses that will be given to them.
Returning to our protagonist, cookies are not only regulated under the GDPR, but also by the EU regulation of ePrivacy, which has come to be known as the cookie law. This law is interesting because aims to simplify the rules regarding cookies and streamline cookie consent in a more ‘user-friendly‘ way. In practice it, among others means that EU websites and websites with EU visitors, will not need to show those cookie consent pop-ups anymore.
Hurray, that is indeed more user-friendly and less of a hassle for website owners. For that to happen, we need to understand common pain points that users have and establish interface patterns that designers and developed could easily use. In any case, although the forms are flexible, we must remember the obligation that the site options offer users to accept or reject the use of cookies or other identifiers.
This might also work against the business goals of the company that is heavily dependent on advertising and maximizing customer fees. However, there is a fine line between techniques used to keep users on the site and exploiting their privacy.
And it will be a complicated task, because, although all the information must be provided in a clear and sensitive way, it must also be done in a comprehensive manner. The organization’s policy page should clearly show:
- Information about the organisation that will process your personal data
- The reason why the organisation will use your personal data
- How long your personal data will be kept
- Details of any other company or organisation that will receive your personal data
- Information about your data protection rights (access, rectification, deletion, complaint and withdrawal of consent).
Most laws lag behind technological advances, so both are constantly changing. Therefore, as designers we need to take these rights into account when designing screens and interactions. All this applies not only to web design, but also to the design of mobile applications and devices with the so-called Internet of Things (IoT).
Special mention to those who work with minor subjects, since the law speaks of this group of age specifically and have different rights!
I am sorry that the post is so theoretical, but it was necessary this base to build on it, the following entries will be more based on user interviews and practical examples.
See you around!
Literature and references:
- https://www.smashingmagazine.com/2019/04/privacy-concerns-ux-web-forms/
- https://www.i-scoop.eu/gdpr/gdpr-personal-data-identifiers-pseudonymous-information/
- https://www.lawinfographic.com/data-controller-who-and-duties_by_jessica_lam/
- https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_es.htm