The link between GDPR & UX
The General Data Protection Regulation (GDPR), which is designed to give individuals better control over their personal data, applies from 25 May 2018. Whilst there is plenty of advice out there on what you need to do to comply with the new regulation, we wanted to discuss how the changes it requires can enhance your UX, if you do them right.
Our aim at User Vision is to shape the best customer experiences and this is achieved by helping our clients to deliver products and services that are useful, usable and engaging.
The key goals of GDPR closely mirror many of the aspects that are important in delivering a positive user experience, specifically trying to create transparency, clarity and giving the users increased control.
This should lead to a win-win situation; one in which user experience principles help make GDPR easy to understand and apply, and in turn, the application of GDPR principles help to improve the overall user experience.
How does data help us with UX?
The use of personal data shapes the digital experiences we have, from booking a holiday online to catching up on our favourite shows on Netflix. However, this use of personal information has always created a tension: the benefit it brings to the service versus the capture, storage and use of our activities, preferences and personal data.
Despite these doubts, an Ofcom survey showed that 68% of people surveyed were happy to provide personal information online to companies as long as they get what they want (and that was three years ago).
Equally, data is often necessary to give users the full, personalised experience that designers envision. The more a company knows about us the more they can do to help and pre-empt our needs.
Look at Argos vs Amazon. Essentially, they deliver the same service – offering products from a vast inventory. But Amazon uses data to recommend options based on your profile, needs, shopping history and search terms. This in turn provides a better experience and builds trust and credibility. So, companies recognise that being able to leverage customer data is important.
Experian figures released last year stated that 64% of companies believe that ‘inaccurate data is currently undermining their ability to provide an excellent customer experience.’
And in that lies the key question – how can we balance the benefit to consumers, using their data to create a positive experience for them, while also maintaining trust and credibility through transparent, clear use of data, where the user remains in ultimate control?
Building privacy by design
So, now that we know the collection and use of data isn't a problem in itself, as long as it's done right, we need to know how to collect and maintain it in a way that generates a positive impact.
Privacy should be baked in to design from the outset. It shouldn’t be the afterthought in the event of a problem. We need to think about WHY we are collecting data, HOW it will be collected and WHAT will be collected.
Three key principles of the GDPR can be directly linked to aspects of the user experience (as described by Peter Morville in his honeycomb model):
Transparency – Does it allow people to understand how the company’s use of their data will make things better for them? Is privacy communicated in a way that builds trust?
Clarity – Can people get to the privacy information? Can people understand the privacy information?
Control – Can they securely take action to control what information is stored and how it is used? Is the control easy to use and accessible?
We would like to suggest four UX considerations for building privacy into our services, by design.
1. Be clear and contextual (about why you are collecting)
- Don’t hide privacy information: The privacy notice should not be tucked away in the footer of a site. Information about how the organisation handles privacy should be accessible at the point when information is being requested.
- Highlight how specific pieces of data will be used: Let users know why information is being requested. Particularly if it is sensitive or unexpected information.
- Present explanation at the right time: Give people the information they need at the point when they need it. Don’t force them to hunt around!
Example: An effective way to be clear and contextual is to use 'just in time' notifications, as illustrated in the image below.
2. Practice minimalism
- Capture minimal data: Capturing more data increases your responsibility to store it securely, report it accurately and remove it on request. To reduce liability and workload, only capture the data you really need.
- The more you ask for, the less likely you are to get it: As the number of fields in a form increases, the likelihood that the form will be completed reduces. A statistic from quicksprout.com showed that when a company reduced their contact form from 11 to 4 fields they gained a 120% increase in conversions!
Example: Less is more, as illustrated nicely by Typeform:
3. Be straightforward
- Be clear: Be clear on what you’re collecting, how it will be used and why, including who it will be shared with and any effect it will have on the individual.
- Be true: Remain authentic to your brand personality. Explain your policies in a way that reflects who you are as an organisation (it’s not essential to sound like a law firm as soon as it comes to privacy!)
Example: A clear and user-friendly overview section can work well, like this one from AVG. They have also employed video to communicate their policies in a straightforward and natural way.
4. Offer control
- Ensure consent is informed and explicit: If the basis for collecting and processing data is consent, then ensure that what is being consented to is clearly explained and that the consent itself is explicit.
- Opt-in only: Ensure users have a clear choice (don't try to hide consent) and that all choices are 'opt-in' (not automatically ticked). Under the GDPR, pre-ticked boxes, silence or inactivity do not count as consent.
- Be consistent: Ensure that all choices are phrased in the same way. Don’t reverse the choice part way down a list of choices. Don’t make the user have to think about what they are answering.
- One tick for one choice: Make sure that consent is ‘unbundled’, i.e. don’t have contact consent wrapped up in the overall T&Cs, and ‘granular’, i.e. if multiple contact methods are available, present them as individual choices.
- Allow easy editing: Once data has been provided and consent has been given, provide the user with easy access to the data they have provided and the choices they have made, allowing them to make any changes, or reverse any choices. If this is a complex choice then consider using a dashboard view, as has been utilised by larger organisations like Google and Microsoft who have multiple products and services under one account.
Example: Sainsbury’s make use of unbundled consent
Example: RSPB adopt a granular consent approach
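The four 'Offer control' rules above (opt-in only, consistent phrasing, unbundled and granular choices, easy reversal) translate directly into how a consent form and its backing record should be modelled. The following is an added example, not code from the original post or from any of the organisations mentioned: a small consent model in JavaScript that starts every purpose unticked, rejects negatively phrased labels and bundled "accept all" flags, treats an unanswered purpose as "no", ties each choice to the version of the privacy notice the user saw, and makes withdrawal a first-class operation. The purpose names, labels, notice version and timestamps are constructed for illustration.

```javascript
"use strict";

// Constructed list of contact purposes, one per channel (granular consent).
// Every label is phrased positively, so a tick always means "yes".
const PURPOSES = Object.freeze({
  email_marketing: "Send me news and offers by email",
  sms_marketing: "Send me news and offers by text message",
  post_marketing: "Send me news and offers by post",
});

// Simple heuristic for the "be consistent" rule: reject negatively phrased
// labels, which would flip the meaning of a tick part-way down the list.
function assertPositiveLabel(label) {
  if (/\b(do not|don't|never|unless)\b/i.test(label)) {
    throw new Error(`Negatively phrased consent label: "${label}"`);
  }
}

// Build the form model: one unticked checkbox per purpose (opt-in only,
// nothing pre-ticked, no bundled "accept all" box).
function buildConsentForm(purposes = PURPOSES) {
  return Object.entries(purposes).map(([id, label]) => {
    assertPositiveLabel(label);
    return { id, label, checked: false };
  });
}

// A fresh consent record, tied to the version of the privacy notice the
// user actually saw, so the consent can later be shown to have been informed.
function emptyConsentRecord(noticeVersion) {
  return { noticeVersion, entries: {}, history: [] };
}

// Apply a form submission. Only known purposes are accepted, so a bundled
// flag such as { all: true } is rejected rather than silently widened.
// Purposes the user did not answer stay absent; hasConsent treats that as "no".
function recordConsent(record, submission, at, purposes = PURPOSES) {
  const entries = { ...record.entries };
  const history = [...record.history];
  for (const [id, granted] of Object.entries(submission)) {
    if (!(id in purposes)) throw new Error(`Unknown consent purpose: ${id}`);
    if (typeof granted !== "boolean") {
      throw new Error(`Consent for ${id} must be true or false`);
    }
    const entry = { granted, at, noticeVersion: record.noticeVersion };
    entries[id] = entry;
    history.push({ id, ...entry }); // append-only audit trail of every choice
  }
  return { ...record, entries, history };
}

// Withdrawal is a single-purpose operation, as easy as giving consent was.
function withdrawConsent(record, id, at, purposes = PURPOSES) {
  if (!(id in purposes)) throw new Error(`Unknown consent purpose: ${id}`);
  const entry = { granted: false, at, noticeVersion: record.noticeVersion };
  return {
    ...record,
    entries: { ...record.entries, [id]: entry },
    history: [...record.history, { id, ...entry }],
  };
}

// Absence of a recorded choice is "no consent", never a default "yes".
function hasConsent(record, id) {
  const entry = record.entries[id];
  return entry !== undefined && entry.granted === true;
}

// The "allow easy editing" view: every purpose with its current state and
// when it was last set, ready to render as a preferences dashboard.
function preferencesView(record, purposes = PURPOSES) {
  return Object.entries(purposes).map(([id, label]) => {
    const entry = record.entries[id];
    return { id, label, granted: hasConsent(record, id), lastChanged: entry ? entry.at : null };
  });
}

// Constructed walk-through: consent given for email only, then withdrawn.
function demo() {
  let record = emptyConsentRecord("privacy-notice-2018-05");
  record = recordConsent(record, { email_marketing: true, sms_marketing: false }, "2018-05-25T10:00:00Z");
  record = withdrawConsent(record, "email_marketing", "2018-06-01T09:00:00Z");
  return preferencesView(record);
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of keeping an append-only history alongside the current state is that the GDPR requires you to be able to demonstrate that consent was given; the current tick alone does not tell you when, under which notice, or whether it was later withdrawn.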
The spirit of GDPR and that of UX are in sync: both aim to give customers a positive experience. The way companies handle data affects trust, but users do understand that giving their data is useful to them as well as to the company. So as long as we build in privacy by design and follow a user-centred approach when applying privacy and GDPR, we can make the new regulation work in a positive way for everyone.
If you are looking for help shaping a more effective user experience, please get in touch to find out more about us and our work.