GDPR brings with it many challenges for businesses both small and large. One of the most visible ways in which your compliance will be on display to your customers is in meeting the transparency requirements of the regulation. User Experience (UX) optimisation is pivotal to achieving this.
From Article 12 (1) of the General Data Protection Regulation (GDPR):
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language...
What it means
The business should look at the ways in which it collects personal information from its customers and assess, for each point of data collection, whether it is being transparent with them about the information being collected, the purposes it will be used for, how it will be processed, what their rights are and how to exercise them.
Why it’s difficult
The GDPR requires you to be transparent with your customers by giving them more detail about how you process their personal information, while also being concise, which on the face of it can seem paradoxical. It mandates that you give specific information such as:
- The identity and the contact details of the Data Controller and, where applicable, of the controller’s representative.
- The contact details of the Data Protection Officer, if applicable.
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- Where the processing is based on legitimate interests, the legitimate interests pursued by the Controller or by a third party.
- The recipients or categories of recipients of the personal data, if any.
- Where applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers based on another instrument, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
In addition to the above information, where necessary to ensure fair and transparent processing, you should also be informing your customers of:
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
- Where the processing is based on consent or explicit consent for processing special categories of personal data, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with a supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and 22(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
That is a lot of information! It’s no small task to present all that in a concise and easily-accessible format.
What this is trying to achieve
By specifically defining the information that you should be conveying to your customers, the GDPR should achieve some consistency in what individuals can expect across the different services that they may engage with; these requirements are attempting to make this information more accessible and comprehensible to the individual.
How to achieve it?
The WP29 Transparency Guidelines recommend that you take a layered approach to displaying information as requested by the user as an “appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand.”
From the WP29 Guidelines on Transparency:
In the digital context, in light of the volume of information which is required to be provided to the data subject, WP29 recommends that layered privacy statements/notices should be used to link to the various categories of information which must be provided to the data subject, rather than displaying all such information in a single notice on the screen, in order to avoid information fatigue.
This makes a lot of sense as it helps to avoid information fatigue. It does, however, have front-end implications for websites and apps in how to support the configuration and presentation of that layered approach. In a website context, where you may be collecting personal information through forms, there can be a few scenarios for how those forms are constructed in the back-end and implemented in your website:
- Custom built and implemented by your developers.
- Using a form builder plugin on the backend (e.g. Umbraco, WordPress, Drupal, Joomla or another CMS).
- Embedding a form using a third-party service (e.g. Typeform, Wufoo, Third Party email subscribe forms like MailChimp).
If you custom build your forms, you can roll your own solution and you are only restrained by resources and budget. If you use a form builder that is not open-source and doesn’t support extending, you are reliant on that plugin vendor to enable you to meet these transparency requirements. If you use a third party to embed forms on your site, you are similarly at the mercy of that vendor to enable you to do this.
There are a few questions you should be asking with any potential solution you are considering:
Layering and granularity
Does the tool you use to build your forms enable you to provide privacy information related to your intended processing to your user in-context, at the point they are being asked to submit their personal information to you? Does that tool support separating that information into defined layers that allows the user to drill down and discover more information about that processing and their rights as they need it?
Capturing multiple lawful bases
Does the form allow you to inform the user of, and record their agreement under, multiple lawful bases for processing? For example, you may want to record the individual's agreement to entering into a contract by accepting your terms of service, but also offer them optional consent choices for processing that you would like to perform beyond what is needed to deliver on that contract.
Clearly defined UX separation for different lawful processing bases
In cases where you are collecting consent to processing beyond a single or related purpose you should clearly define this separation in the UX of the form. For example, if a user is agreeing to optional types of processing outside of agreeing to a contract, it should be evident to them that they are providing consent and that this consent is optional. It should be clear to the user what lawful basis they are agreeing to for each purpose you are requesting processing their information. See the example job application further down this article for a suggested implementation of this.
Also, be aware that if you are processing on the basis of consent, you should be providing a method for your user to opt out of processing as easily as they were able to opt in to it. This could mean, for example, if you are gaining consent from them to send out a newsletter, that you provide an opt-out with each contact. If you are processing for other purposes where you cannot provide an ongoing opt-out opportunity in this fashion, it would be advisable to provide a preference management facility on your website where they can manage their consent options.
Clear affirmative act
Your customer, when giving consent, should be performing a clear affirmative act to indicate their consent. In the context of form collection, this could be ticking a checkbox. Pre-ticked checkboxes are expressly invalid under GDPR. The silence or inactivity of your user cannot be taken as implicit consent.
Can you capture and record the statements that your users are agreeing to? To be accountable under the GDPR, it is necessary not only to record that you gained consent but also to be able to demonstrate what was consented to; otherwise you would not be fulfilling your accountability obligations.
As your processing purposes and policies may evolve over time, it would be ideal to be able to version these and record a reference to that version when taking consent or agreement to processing from your customers.
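To make the last few points concrete (separate lawful bases per purpose, no pre-ticked consent boxes, withdrawal as easy as opt-in, and a record of exactly which versioned statement was agreed to), here is an added example of a minimal consent ledger. It is not code from the original article; the purpose names, statements and version numbers used with it are constructed, and the "contract"/"consent" labels are an assumption of this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Purpose:
    # One processing purpose on the form: its own lawful basis and versioned statement text.
    purpose_id: str
    version: int
    lawful_basis: str        # "contract" (e.g. terms of service) or "consent" (optional extras)
    statement: str           # the exact wording shown to the user
    default_checked: bool = False
    def statement_hash(self) -> str:
        return hashlib.sha256(self.statement.encode("utf-8")).hexdigest()

class ConsentLedger:
    # Append-only record of what each subject agreed to or withdrew, per purpose and version.
    def __init__(self, purposes):
        for p in purposes:  # a pre-ticked consent box is not a clear affirmative act
            if p.lawful_basis == "consent" and p.default_checked:
                raise ValueError(f"{p.purpose_id}: consent checkbox must not be pre-ticked")
        self.purposes = {p.purpose_id: p for p in purposes}
        self.events = []

    def _log(self, subject_id, p, action, when):
        self.events.append({"subject": subject_id, "purpose": p.purpose_id, "version": p.version,
                            "basis": p.lawful_basis, "statement_sha256": p.statement_hash(),
                            "action": action, "at": (when or datetime.now(timezone.utc)).isoformat()})

    def record_submission(self, subject_id, ticked, when=None):
        # ticked maps purpose_id -> checkbox state at submit time; absent or unticked is never consent
        for pid, p in self.purposes.items():
            agreed = bool(ticked.get(pid, False))
            if p.lawful_basis == "contract" and not agreed:
                raise ValueError(f"{pid}: the contractual terms must be accepted to proceed")
            if agreed:
                self._log(subject_id, p, "agreed", when)

    def withdraw(self, subject_id, purpose_id, when=None):
        # Consent must be as easy to withdraw as to give; contractual terms are not consent
        if self.purposes[purpose_id].lawful_basis != "consent":
            raise ValueError(f"{purpose_id} is not consent-based")
        self._log(subject_id, self.purposes[purpose_id], "withdrawn", when)

    def active(self, subject_id):
        # Replay the log in order to get the subject's current set of agreed purposes
        state = {}
        for e in (e for e in self.events if e["subject"] == subject_id):
            state[e["purpose"]] = e["action"] == "agreed"
        return {pid for pid, on in state.items() if on}
```

Because each event stores the statement hash and version alongside the lawful basis, the ledger can later show not just that consent was obtained but the exact wording it was obtained for, even after the policy text has moved on.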
How to organise the layering of information
The first layer of information should give your user a clear overview of what they can expect to be able to find by drilling down into subsequent layers. It is important to be consistent between those layers – avoid conflicting information. If you are undertaking processing which may have a significant impact on your customer, you should make this clear within the first layer presented to them.
Just in time notices
Another way of providing transparency in-context is to use ‘just in time’ methods such as notifications or inline-accessible popups alongside form inputs. This allows you to tell the user, at the moment they are about to give you a specific piece of information, why you require it.
An example of unbundled, layered & in-context transparency
Following on from introducing the fictional Galaxy Recruitment – “recruiting stars” – in my previous article on Consent being the GDPR elephant in the room, here is an example job application form that provides the potential candidate with layered transparency information about the processing and their data protection rights.
Click on the ‘Terms of Service’ and ‘More Info’ links below to find privacy and processing information specific to the context in which the user is requesting it.
What this achieves
- A modal dialog-based approach that affords the layered presentation of privacy and processing information.
- The sections where a user is agreeing to a contractual agreement vs an optional (consent-based) agreement are clearly defined.
- The ‘Optional’ section is based on collecting a user’s consent. The user can find that out by choosing to view the ‘Lawful basis of processing’ after clicking ‘More Info’.
- The information contained in the modal dialogs is specific to the context in which the user is requesting it.
It’s not an exhaustive consideration of all the information a recruitment agency should be displaying; in many cases that will vary depending on the individual operation, but it should serve to illustrate how to achieve the layered, transparent yet concise approach required. How that is assembled in your application back-end, and how consent or agreement to processing is captured and recorded for accountability, is going to vary depending on individual implementations.
UX beyond data collection
The Data Subject rights of the GDPR will result in many businesses developing technical solutions to deliver them efficiently. The development of privacy dashboards can be a vehicle for enabling many of these rights such as:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights concerning automated decision making and profiling
Providing a dashboard where your customers can exercise their rights, manage their privacy preferences and obtain privacy and processing-related information is an elegant and user-friendly way of meeting your obligations under GDPR. A thoughtful, user-centric implementation of the privacy dashboard integrated into your application, embedded into the branding and design that your users are accustomed to, gives them an effective and intuitive way to manage privacy-related settings and easily access privacy-related information.
Privacy by Default
Privacy should be the default setting for features that process personal data which are not needed to deliver the core functionality of your service or application.
If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy – it is built into the system, by default. – 2nd Principle of Privacy by Design.
When you plan to release a new feature that requires processing a user’s personal data beyond the reason it was collected for, you should be considering the lawful basis that you intend to process that data under and how to fulfil your transparency and accountability requirements under the GDPR.
For example, if a recruiter would like to build a profile of their job site users for the purpose of displaying what they determine to be relevant jobs, based on the information they hold about their users and their users’ habits when engaging with the website, this would be processing beyond the original purpose if the users were not informed of this intended processing ahead of time and given an opportunity to object.
With this being the case, you should consider how best to inform your users and allow smooth opt-in to new features as they become available. You should inform them of the processing that would be performed and give them a meaningful opportunity to opt in or object to it.
A way of achieving this is to implement a notification system as part of your application that can inform the user that a new feature is available, afford them the opportunity to learn about the processing that would occur and to either opt in or out of that processing. Once either opted in or out, the user would have continued access to enabling or disabling the feature in their Privacy Dashboard.
From the WP29 guidelines on transparency:
Connected to the exercise of data subject rights is the issue of timing… the provision of information in a timely manner is a vital element of the transparency requirements under Articles 13 and 14 and is inherently linked to the concept of fair processing. Information in relation to further processing must be provided “prior to that further processing”.
Meeting the transparency requirements of the GDPR is a difficult task with many of the tools available to us today. Those using third-party services and plugins to do so are reliant on those vendors to enable them to be compliant and to provide the required in-context, relevant processing and transparency information to their users. I would advise any business collecting personal information through their platforms to look at their data collection points and evaluate whether they are currently meeting those requirements as laid out in the GDPR and the WP29 guidelines. If you are not, do an assessment of what it would take to reach that point and document the roadmap needed to get there. By making a consistent and determined effort to realise that goal you will be off to a good start.