Privacy
Since the General Data Protection Regulation (GDPR) was introduced in the EU (25 May 2018), ‘Privacy by Design and by Default’ is a mandatory Design Principle and is therefore something that should always be taken into account.
What is GDPR and what does it state?
GDPR is legislation about privacy rights for citizens of the European Union. It states that companies must be transparent about how your personal data is used and stored, and that they have to get your consent before collecting this data. Personal data, in this case, refers to things like a person's name, email, and IP address, but also pseudonymized information that could be traced back to them. In Article 25, the principles of Privacy by Design and by Default say something about digital services:
- Privacy by Design means that you take privacy into account early in the process while developing a new product or service. Consider which data is really necessary and which is not, but also think of the storage, modification and disposal of the data at an early stage.
- Privacy by Default can be seen as part of Privacy by Design and requires that the default settings of a product or service are always as privacy-friendly as possible.
Additionally, ensuring privacy means that:
- each part of the service should also be secure, so there is no moment in the ‘life’ of data at which it could be lost;
- a company should assess its services to make sure they are indeed private and secure;
- the default option should be private, so users have to actively opt-in to share additional data;
- and that there should be transparency about how data is handled and by whom.
This is based on the 7 Foundational Principles of Privacy by Design by Ann Cavoukian.
Tips
- Take privacy into account early in the process to make sure it’s really integrated in the product. After all, making adjustments afterwards often costs more money and effort.
- When implementing privacy by design in an existing system/design, do a privacy audit on your system. Look at how privacy has been embedded into your current system, identify weak points, and create new user-friendly solutions.
- Make sure your designs are compliant with the GDPR privacy law to avoid high fines. When not sure, discuss this with, for example, the legal department of your client or an external legal party.
- Minimize the collection of data: only ask users for information that is really necessary. ‘Might come in handy’ is not a valid reason.
- Do not use misleading copy and checkboxes.
Learn more
- GDPR LunchLecture in general from Evelien
- Fines/Penalties
- GDPR and how to handle Google Analytics (in Dutch)
- How will GDPR affect UX design?