GDPR brings with it many challenges for businesses both small and large. One of the most visible ways in which your compliance will be on display to your customers is in meeting the transparency requirements of the regulation, and User Experience (UX) design is pivotal to achieving this.

From Article 12 (1) of the General Data Protection Regulation (GDPR):

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language...

What it means

The business should look at the ways in which it collects personal information from its customers and assess, for each point of data collection, whether it is being transparent with them about the information it is collecting, the purposes it will be used for, how it will be processed, what the customer's rights are and how they can exercise them.

Why it’s difficult

The GDPR requires you to be transparent with your customer by giving them more detail about how you process their personal information, while at the same time being concise, which can on the face of it seem paradoxical. It mandates that you give specific information such as:

  • The identity and the contact details of the Data Controller and, where applicable, of the controller’s representative.
  • The contact details of the Data Protection Officer, if applicable.
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
  • Where the processing is based on legitimate interests, notify the legitimate interests pursued by the Controller or by a third party.
  • The recipients or categories of recipients of the personal data, if any.
  • Where applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers based on another instrument, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

In addition to the above, where necessary to ensure fair and transparent processing, you should also inform your customers of:

  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
  • The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
  • Where the processing is based on consent or explicit consent for processing special categories of personal data, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • The right to lodge a complaint with a supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
  • The existence of automated decision-making, including profiling, referred to in Article 22(1) and 22(4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

That is a lot of information! It’s no small task to present all that in a concise and easily-accessible format.

What this is trying to achieve

By specifically defining the information that you should convey to your customers, the GDPR should achieve some consistency in what individuals can expect across the different services they engage with; these requirements attempt to make this information more accessible and comprehensible to the individual.

The days when this information could be buried (or not present at all) in a general site privacy policy or terms and conditions are gone. It needs to be provided in context, unbundled from your wider privacy policy, at the point of data collection, and presented in such a way as to be easily consumed. It should also be granular: if you are providing an opt-in for your users to be contacted through various channels (e.g. email, SMS, phone), you should provide a separate opt-in for each channel (as recommended in the Article 29 Working Party (WP29) Guidelines on Consent).

How to achieve it?

The WP29 Transparency Guidelines recommend that you take a layered approach to displaying information as requested by the user as an “appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand.”

From the WP29 Guidelines on Transparency:

In the digital context, in light of the volume of information which is required to be provided to the data subject, WP29 recommends that layered privacy statements/notices should be used to link to the various categories of information which must be provided to the data subject, rather than displaying all such information in a single notice on the screen, in order to avoid information fatigue.

This makes sense, as it helps to avoid information fatigue. It does, however, have front-end implications for websites and apps in how the configuration and presentation of that layered approach is supported. In a website context, where you may be collecting personal information through forms, there are a few scenarios for how those forms are built in the back-end and implemented on your site:

  • Custom built and implemented by your developers.
  • Using a form builder plugin within your CMS (e.g. Umbraco, WordPress, Drupal, Joomla or another CMS).
  • Embedding a form from a third-party service (e.g. Typeform, Wufoo, or third-party email subscription forms such as MailChimp).

If you custom build your forms, you can roll your own solution and are constrained only by resources and budget. If you use a form builder that is not open source and does not support extension, you are reliant on that plugin vendor to enable you to meet these transparency requirements. If you use a third party to embed forms on your site, you are similarly at the mercy of that vendor.

Considerations

There are a few questions you should be asking with any potential solution you are considering:

Layering and granularity

Does the tool you use to build your forms enable you to provide privacy information related to your intended processing to your user in-context, at the point they are being asked to submit their personal information to you? Does that tool support separating that information into defined layers that allows the user to drill down and discover more information about that processing and their rights as they need it?

Capturing multiple lawful bases

Does the form allow you to inform the user of, and record their agreement under, more than one lawful basis? For example, you may want to record the individual's agreement to enter into a contract by accepting your terms of service, but also offer them optional consent for processing you would like to perform beyond what is needed to deliver on that contract.

Clearly defined UX separation for different lawful bases of processing

In cases where you are collecting consent for processing beyond a single or related purpose, you should make this separation clear in the UX of the form. For example, if a user is agreeing to optional types of processing in addition to agreeing to a contract, it should be evident to them that they are providing consent and that this consent is optional. It should be clear to the user which lawful basis applies to each purpose for which you are requesting to process their information. See the example job application further down this article for a suggested implementation.

Also be aware that, if you are processing on the basis of consent, you should provide a method for your user to withdraw that consent as easily as they were able to give it (Article 7(3)). This could mean, for example, if you have gained consent to send a newsletter, providing an opt-out with each contact. If you are processing for other purposes where you cannot provide an ongoing opt-out in this fashion, it is advisable to provide a preference management facility on your website where users can manage their consent options.

Clear affirmative act

Your customer, when giving consent, should perform a clear affirmative act to indicate it. In the context of a form, this could be ticking a checkbox. Pre-ticked checkboxes are expressly invalid under the GDPR (Recital 32); the silence or inactivity of your user cannot be taken as implied consent.

Accountability

Can you capture and record the statements that your users are agreeing to? To be accountable under the GDPR it is not enough to record that you obtained consent; if you cannot demonstrate what was consented to, you are not fulfilling your accountability obligations (Article 7(1)).

As your processing purposes and policies may evolve over time, it is ideal to version these statements and to record a reference to the version in force when taking consent or agreement to processing from your customers.
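The three considerations above (recording agreement under more than one lawful basis, requiring a clear affirmative act, and keeping a demonstrable record of what was agreed to and which version of the statement was shown) can be checked and captured at the point the form is submitted. The following is an added example, not code from the original article or from any CMS or form plugin; the purpose ids, statement texts, form field definitions and the submission are constructed for illustration, and the FNV-1a fingerprint stands in for the SHA-256 digest you would use in production.

```javascript
// Added example, not code from the original article: capturing agreement to a
// contractual statement and optional consent from one form submission, in a form
// that can be demonstrated later. Purpose ids, statement texts, the form fields
// and the submission below are all constructed for this example.

// Registry of the statements a user can agree to. Each has the lawful basis the
// form presents for it, whether it is required to proceed, and a version label.
const STATEMENTS = {
  'job-application': {
    basis: 'contract',   // necessary to process the application (Article 6(1)(b))
    required: true,
    version: '2018-05-01',
    text: 'We process your CV and contact details to match you with vacancies.',
  },
  'newsletter': {
    basis: 'consent',    // optional, needs a clear affirmative act (Article 6(1)(a))
    required: false,
    version: '2018-04-12',
    text: 'Receive our occasional newsletter with relevant updates in your industry sector.',
  },
};

// FNV-1a fingerprint of the exact wording shown to the user. A stand-in for the
// SHA-256 you would use in production: the record pins the text, not just a
// version label that could later be reassigned to different wording.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Pre-render check on the form definition: every consent purpose gets its own
// checkbox (granularity), and no consent checkbox is ticked by default (Recital 32).
// Returns a list of problems; an empty list means the form passes.
function validateFormFields(fields, registry = STATEMENTS) {
  const problems = [];
  for (const f of fields) {
    const consentPurposes = (f.purposes || [])
      .filter(p => registry[p] && registry[p].basis === 'consent');
    if (consentPurposes.length > 1) {
      problems.push(`${f.name}: bundles consent purposes ${consentPurposes.join(', ')}`);
    }
    if (consentPurposes.length > 0 && f.defaultChecked) {
      problems.push(`${f.name}: consent checkbox is pre-ticked`);
    }
  }
  return problems;
}

// Builds one record per registered purpose from the posted fields.
// `submission.agreed` lists the purpose ids whose checkbox was ticked.
// Throws if the required contractual statement was not accepted or an unknown
// purpose id appears; silence on an optional purpose is recorded as "not given".
function recordAgreement(submission, registry = STATEMENTS,
                         now = () => new Date().toISOString()) {
  const agreed = new Set(submission.agreed || []);
  for (const id of agreed) {
    if (!registry[id]) throw new Error(`unknown purpose: ${id}`);
  }
  const records = [];
  for (const [id, stmt] of Object.entries(registry)) {
    const ticked = agreed.has(id);
    if (stmt.required && !ticked) {
      throw new Error(`required agreement missing: ${id}`);
    }
    records.push({
      subject: submission.subjectId,
      purpose: id,
      basis: stmt.basis,
      given: ticked,
      statementVersion: stmt.version,
      statementHash: fingerprint(stmt.text),
      recordedAt: now(),
      source: submission.formId,
    });
  }
  return records;
}

// Constructed form definition and submission, as the job application form might post them.
const FORM_FIELDS = [
  { name: 'tos',        purposes: ['job-application'], defaultChecked: false },
  { name: 'newsletter', purposes: ['newsletter'],      defaultChecked: false },
];
const SUBMISSION = { subjectId: 'cand-42', formId: 'apply-form', agreed: ['job-application'] };

console.log(validateFormFields(FORM_FIELDS));   // []
console.log(recordAgreement(SUBMISSION));       // two records; newsletter.given === false
```

Two design points are worth noting. An unticked optional purpose produces an explicit "given: false" record rather than no record at all, so that the absence of consent is itself demonstrable later. And the record stores both the version label and a digest of the statement text, so that a later change to the wording behind the same label cannot silently alter what the user is recorded as having agreed to.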

How to organise the layering of information

The first layer of information should give your user a clear overview of what they can expect to be able to find by drilling down into subsequent layers. It is important to be consistent between those layers – avoid conflicting information. If you are undertaking processing which may have a significant impact on your customer, you should make this clear within the first layer presented to them.

Just in time notices

Another way of providing transparency in context is to use 'just in time' methods such as notifications or inline popups alongside form inputs. These inform the user, at the moment they are about to give you a specific piece of information, why you require it.

An example of unbundled, layered & in-context transparency

Following on from my previous article on Consent being the GDPR elephant in the room, which introduced the fictional Galaxy Recruitment ("recruiting stars"), here is an example of a job application form that provides layered transparency information about the processing, and about their data protection rights, to the potential candidate.

Disclaimer: The below is an example of a job application form, providing an unbundled, layered and in-context delivery of required information as suggested in the transparency guidelines provided by the Article 29 Working Party. It is not an exhaustive example and should only be used for information purposes. Each individual use-case will be different and will need to be tailored to the specific purposes and processing being undertaken. In terms of user experience, it is a high-fidelity mockup of how such a form could work.

Mockup of the 'Apply for Job' form (interactive in the original: the 'Terms of Service' and 'More Info' links open dialogs containing privacy and processing information specific to the context in which the user requests it). Its visible text:

Apply for Job

Terms of Service
Please read and agree to the Terms of Service which are necessary for us to process your job application.

Optional
We would also like to provide you the following optional additional services. Please indicate your consent as you prefer.
Receive our occasional newsletter with relevant updates in your industry sector. (More Info)

What this achieves

  • A modal dialog-based approach that affords the layered presentation of privacy and processing information.
  • The sections where a user is agreeing to a contractual agreement vs an optional (consent-based) agreement are clearly defined.
  • The information presented when clicking ‘Terms of Service’ is different to that presented when clicking a ‘More Info’ link in the ‘Optional’ section. ‘Terms of Service’ gives processing information specifically related to that contract, as well as allowing the user to drill down into the company’s general privacy policy.
  • The ‘Optional’ section is based on collecting a user’s consent. The user can find that out by choosing to view the ‘Lawful basis of processing’ after clicking ‘More Info’.
  • The information contained in the modal dialogs is specific to the context in which the user is requesting it.

This is not an exhaustive consideration of all the information a recruitment agency should display; much of that will vary depending on the individual operation. It should, however, illustrate how to achieve the layered, transparent yet concise approach required. How that is assembled in your application back-end, and how consent or agreement to processing is captured and recorded for accountability, will vary between implementations.

UX beyond data collection

The data subject rights of the GDPR will result in many businesses developing technical solutions to deliver them efficiently. A privacy dashboard can be a vehicle for enabling many of these rights, such as:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights concerning automated decision making and profiling

Providing a dashboard where your customers can exercise their rights, manage their privacy preferences and obtain privacy and processing-related information is an elegant and user-friendly way of meeting your obligations under the GDPR. A thoughtful, user-centric implementation integrated into your application, and embedded in the branding and design your users are accustomed to, gives them an intuitive way to manage privacy-related settings and to find privacy-related information.

An example of a Privacy Dashboard to enable a user to manage their rights

Privacy by Default

Privacy should be the default setting for features that process personal data which are not needed to deliver the core functionality of your service or application.

If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy – it is built into the system, by default. – 2nd Principle of Privacy by Design.

New Features

When you plan to release a new feature that requires processing a user's personal data beyond the purpose it was collected for, you should consider the lawful basis under which you intend to process that data and how you will fulfil your transparency and accountability requirements under the GDPR.

For example, if a recruiter wants to build a profile of their job site users in order to display what they determine to be relevant jobs, based on the information they hold about those users and the users' habits when engaging with the website, this is processing beyond the original purpose, and their users need to be informed of it ahead of time and given an opportunity to object.

With this in mind, consider how best to inform your users and allow a smooth opt-in to new features as they become available. Inform them of the processing that would be performed and give them a meaningful opportunity to opt in or to object.

Notifications

One way of achieving this is to implement a notification system within your application that informs the user that a new feature is available, gives them the opportunity to learn about the processing that would occur, and lets them opt in or out of that processing. Once they have opted in or out, the user should retain access to enabling or disabling the feature in their privacy dashboard.

An example of notifying a user that a new feature is available and giving them a meaningful opportunity to opt in or object

From the WP29 guidelines on transparency:

Connected to the exercise of data subject rights is the issue of timing… the provision of information in a timely manner is a vital element of the transparency requirements under Articles 13 and 14 and is inherently linked to the concept of fair processing. Information in relation to further processing must be provided “prior to that further processing”.
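The Privacy by Default, New Features and Notifications sections above describe one mechanism: a per-user preference store in which a new purpose starts switched off, the user is told about it before the processing starts, and their later opt-in or withdrawal is kept alongside the earlier decisions. The following is an added example, not code from the original article or from any product; the purpose ids, labels and version labels are constructed for illustration, and the "revise the statement, require a fresh decision" rule goes slightly beyond the text by treating a changed statement version as a new purpose that needs to be surfaced again.

```javascript
// Added example, not code from the original article: a per-user preference store
// that records every opt-in and opt-out decision, treats purposes with no decision
// as off (privacy by default), and surfaces new or revised purposes for a
// notification before the related processing starts. Purpose ids, labels and
// version labels are constructed for this example.

// Purposes offered beyond the core service, each with the version of the
// statement that currently describes the processing to the user.
const PURPOSES = {
  'newsletter':    { version: 'v1', label: 'Occasional industry newsletter' },
  'job-profiling': { version: 'v1', label: 'Build a profile to suggest relevant jobs' },
};

// Preferences are a history per purpose, newest entry last, so that both the
// current state and how it was reached can be shown to the user or a regulator.
function createPreferences() {
  return { history: {} };
}

function latestDecision(prefs, purposeId) {
  const h = prefs.history[purposeId] || [];
  return h.length ? h[h.length - 1] : null;
}

// Records an opt-in or opt-out against the statement version in force right now.
function decide(prefs, purposeId, optedIn, purposes = PURPOSES,
                now = () => new Date().toISOString()) {
  const p = purposes[purposeId];
  if (!p) throw new Error(`unknown purpose: ${purposeId}`);
  const entry = { version: p.version, optedIn: Boolean(optedIn), at: now() };
  (prefs.history[purposeId] = prefs.history[purposeId] || []).push(entry);
  return entry;
}

// Withdrawal is just another decision; it must be as easy to make as the opt-in.
function withdraw(prefs, purposeId, purposes = PURPOSES, now) {
  return decide(prefs, purposeId, false, purposes, now);
}

// The check the feature code runs before processing. No decision, an opt-out,
// or an opt-in given under an older statement version all mean "not permitted".
function isProcessingPermitted(prefs, purposeId, purposes = PURPOSES) {
  const p = purposes[purposeId];
  if (!p) return false;
  const d = latestDecision(prefs, purposeId);
  return d !== null && d.optedIn && d.version === p.version;
}

// Purposes the user has never decided on, or decided on under a superseded
// statement: these are what the new-feature notification should list.
function pendingDecisions(prefs, purposes = PURPOSES) {
  return Object.entries(purposes)
    .filter(([id, p]) => {
      const d = latestDecision(prefs, id);
      return d === null || d.version !== p.version;
    })
    .map(([id, p]) => ({ purposeId: id, label: p.label, version: p.version }));
}

// Walk-through with a constructed user.
const prefs = createPreferences();
console.log(pendingDecisions(prefs).length);                  // 2: nothing decided yet
console.log(isProcessingPermitted(prefs, 'job-profiling'));   // false: off by default
decide(prefs, 'newsletter', true);
console.log(isProcessingPermitted(prefs, 'newsletter'));      // true
withdraw(prefs, 'newsletter');
console.log(isProcessingPermitted(prefs, 'newsletter'));      // false
```

The feature code asks isProcessingPermitted rather than reading a boolean flag, so the default-off rule and the "decided under an older statement" rule live in one place. The notification view is simply whatever pendingDecisions returns, and the dashboard view is the full history, which also gives the user the record of when they opted in or withdrew.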

Conclusion

Meeting the transparency requirements of the GDPR is a difficult task with many of the tools available today. Those using third-party services and plugins are reliant on those vendors to enable them to be compliant and to provide the required in-context processing and transparency information to their users. I would advise any business collecting personal information through its platforms to look at its data collection points and evaluate whether they currently meet the requirements laid out in the GDPR and the WP29 guidelines. If they do not, assess what it would take to reach that point and document the roadmap needed to get there. By making a consistent and determined effort to realise that goal you will be off to a good start.

Author

Alan Mac Kenna
Development & Data Protection Consultant