UX and GDPR


There is much commentary online raising concerns that GDPR will damage user experience. Commentators claim that multiple tick-box consents will be required, and that additional explanations will be needed to help data subjects make access requests and exercise their new rights, including the right to erasure.

We at Buckworths Compliance don't agree. In fact GDPR offers some significant opportunities for websites to improve their UX and to streamline the data they collect. Here are some reasons:


Consents


Most businesses will not rely on consent as the lawful basis for processing much of the personal data they collect. Article 6 of GDPR sets out six lawful bases for processing ordinary personal data, of which consent is only one. Contractual performance and legal obligation are likely to cover most activities undertaken by businesses. In many cases, consent will only be relevant for one or two processing activities, of which direct marketing is the most common. So, businesses probably won't need a raft of new tick boxes.


The type of data collected


Historically, many UK businesses have collected information "because it could be useful" or because it has an indirect benefit. This impacts on UX, as users may be required to provide more information at sign-up. Data generated by a user in the course of using a website or app (such as navigation data) adds a further layer, and collecting it can greatly complicate the GDPR analysis.

GDPR emphasises that businesses should only collect information for a specified purpose (purpose limitation, Article 5(1)(b)) and that the information must be adequate, relevant and limited to what is necessary for that purpose (data minimisation, Article 5(1)(c)).

The implementation of GDPR is an opportunity for businesses to reconsider the data that they collect and to stop collecting data that is extraneous to their direct needs. Of course data has value (and lots of businesses have aspirations to develop a big data model), but the added regulatory complexity and the potential impact on UX may encourage businesses to limit the data they collect.


When data is collected


Traditionally, the model in the UK has been to collect all data at sign-up and to provide a privacy policy that covers everything at the outset. But it doesn't have to be this way.

GDPR requires specific information to be provided to data subjects in a clear and transparent manner. When the principle of data minimisation is considered alongside this, there is a strong argument that businesses should move to a model of taking only the minimum information required for each stage of engagement, and providing the privacy information relevant to that stage.

For example, imagine you operate a dating app. You provide a free profile to users which lists (i) username (ii) sex (iii) sexuality and (iv) a brief description, and allows the user to post a picture. You then offer premium (paid for) services which allow a user to add additional information including (i) sexual preferences (ii) location (iii) health information (iv) ethnic grouping and (v) job details.

It would make sense to collect only the information needed for the free profile at sign-up, and to provide the privacy information and consents (if required) relevant to that limited data set. If and when the user signs up for the premium services, the additional information, and any consents it requires, can be taken at that point. By then the user has tried the app and decided to pay for it, and will probably tolerate a little more friction on the UX side, having already made the decision to progress to paid-for services. One caveat for this particular example: sexuality, sexual preferences, health information and ethnic grouping are special categories of personal data under Article 9 of GDPR, so processing them needs an additional condition (typically explicit consent) whichever tier they belong to; the staged approach doesn't remove that requirement, but it does mean each consent is sought at the point where the user actually decides to share the data.


Erasure, withdrawal of consent and access requests


GDPR requires that users can withdraw consent to processing as easily as they gave it, make requests for erasure of their data, and obtain copies of the personal data held on them. In addition, requests must be actioned without undue delay (and in any event within one month, extendable in limited circumstances), and rectification, erasure and restriction must be communicated to each recipient to whom the data has been disclosed, including third parties processing data on behalf of the data controller. GDPR therefore effectively imposes obligations on user experience.

Businesses will by necessity need to be able to track the personal data provided to them and where it has been passed on, and will be incentivised to minimise the data they collect: the less data held and shared, the simpler it is to find, copy or delete on request.

As compliance with GDPR becomes a minimum requirement for doing business, smart companies will develop easy methods for data subjects to make these requests, thereby demonstrating that their compliance is better than their competitors'.


Conclusion


GDPR provides opportunities to improve UX. Most of the changes made to achieve compliance with GDPR can also augment the user experience. UX developers should celebrate.