The General Data Protection Regulation (GDPR) is set to change the rights of data subjects (i.e. people), and ergo how companies process and store data, and how they communicate with data subjects at the point of consent and beyond.
So far on the Econsultancy blog, we’ve concentrated on picking out examples of best practice UX for ‘opt-ins’ and privacy notices. But as much as we can point out good practice, it’s often easier to spot those that look like they may be on shaky ground. I thought it would be useful to round up some examples to see what our readers think.
I don’t want to point the finger or scaremonger, merely to point out UX which is likely already earmarked for improvement ahead of the May 2018 deadline. In some cases, companies are straying into ‘dark patterns’ territory, but others are guilty only of ill-thought-through design.
Remember that the key point of GDPR is lawfulness of data processing, which when it comes to user experience demands that the data subject gives their clear, affirmative consent (and then subsequently has rights such as the right to erasure or rectification).
As the ICO advises in its guidance for consultation: ‘Consent means offering individuals genuine choice and control. Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default. Explicit consent requires a very clear and specific statement of consent.’
There’s much more to consider in the GDPR – see the ICO’s overview – notably storing consent profiles, notifying data subjects of breaches etc., but in this piece once again we’ll be looking at website UX at the point of data collection.