Martin Groen

5 Steps to prepare your channels for GDPR

By Martin Groen

GDPR has a big impact on every organisation that processes personal data. The buzz on GDPR is mostly about topics like removing data from backups, control from an IT and business perspective, privacy statements, legal consultants, etc. Although GDPR is intended to give people control over their personal data, there seems to be little buzz about the human part of GDPR, e.g. the customer life cycle, customer journeys, the way people use their rights, visitors who are not customers at all, former customers, et cetera.

As a user experience consultant, my job is to represent users’ needs when organisations ask me to design their channels, mostly websites and apps. In this work I found that an organisation can prepare for the impact on its channels in 5 steps. Of course, there is more to do than channel preparations, so first let’s break down the impact of GDPR on your organisation. This article focuses on your preparations towards the outside world, not internal employee preparations.

The impact of GDPR on your organisation involves internal preparations that your audience does not see and preparations that your audience will perceive via your channels. The latter category can be split into a user interface and a system interface. To have your channels GDPR ready from a user perspective, you should take the following steps.

Step 1: Prepare notifications on data breach

Let’s hope this does not happen to your organisation. But if it does, you had better be prepared. You should have placeholders set up to avoid a hectic development effort in a stressful situation. You have to meet the GDPR timelines for this communication, so if development takes more time, you might have an issue. Get a design template to create your own GDPR proof data breach notifications.

Step 2: Set up a data protection center

GDPR requires EU citizens’ rights to be easily accessible. I recommend implementing a single point of control that facilitates those rights. A secondary point should be available for people who are not able to use these online facilities (e.g. elderly people or people with specific disabilities). For your own efficiency it is wise to refer to this center from your app, e-mail and contact center. I recommend adding a “Protecting your data” link in your footer, which emphasises your responsibility in data protection. Get a design template to create your own data protection center.

Step 3: Update “cookie” and privacy interactions

When you have a “cookie” message intended to process personal data (e.g. for tracking, advertisements or personalisation purposes), you need to reconsider the way you ask for consent. A template for this can be found in my whitepaper. Your privacy statement most likely also needs reconsideration, so that it covers data protection matters. Get a design template to create your own GDPR proof cookie message (page 19 of the whitepaper).

Step 4: Facilitate GDPR rights

GDPR gives EU citizens rights to control their personal data. You need to facilitate these rights. For each right there is a bandwidth in how to facilitate it.

Figure: a scale from self-service to full service, showing how you can facilitate EU citizens using their data protection rights.


  • Do not do it yourself - This means a person can submit an order to use a right, e.g. using a web form. An employee then needs to process that order for that person and afterwards confirm fulfilment. This way of working increases employee workload, but decreases technical impact. It is recommended for low volumes. Get a design template to create your own “Do not do it yourself” web form.

Step 5: Make consents GDPR proof

When you intend to process personal data, a lawful basis is required. A GDPR proof consent is one way to get that basis. Studying the regulation, you will find 18 requirements on how to acquire consent. Those requirements are covered, with descriptions and examples, in my whitepaper “With your permission - How GDPR impacts consent from your audience” and the accompanying practical “GDPR Consent Workbook”. It contains a helpful GDPR ConsentCreator, a formula to acquire your own compliant consents.

GDPR shifts an organisation’s way of working towards a “permission first” paradigm.

A reflex might be to panic about this topic. Another way to think of this paradigm is as a chance to communicate, in a transparent and accessible way, that you respect a person’s personal data.
