The General Data Protection Regulation— GDPR for short— was a massive consumer data protection and privacy law passed by the European Union in 2016 and implemented in 2018. For any company that collected data on European Union citizens, it demanded major changes to business practice and to any product where personal information appeared.
Given the scope of the law and the changes it required, very few companies made changes before the effective date. There was also a lot of uncertainty in how some of the clauses might be interpreted by judges in the future— therefore, my role on the team was to design something entirely new. There weren’t any good (i.e. upheld by legal precedent) examples we could build from.
I worked closely with the legal staff to interpret the law and formulate design requirements.
Consent (is cool)
Consent is one of the key tenets of the GDPR law. The law defines it as “freely given, specific, informed and unambiguous indication […] by a statement or by a clear affirmative action.”
Users had to opt in to the uses of their information. Further, the law was interpreted to mean that we couldn’t use design to make certain options more appealing, or use coercive design to steer a user toward the choice we wanted them to take.
Designing for these new requirements meant establishing new patterns that also had to be built into the organization’s design system— as well as working with developers to make clear when a “yes/no” option constituted consent and therefore required an alternative design instead of the usual red and green. After all, the use of red and green is so well established that removing it entirely would have adversely affected task completion and increased user error.
Consent wasn’t the only consideration— I additionally designed the flows for the “Right to be forgotten,” changed how we presented our privacy policy, and revamped our UX research program to be GDPR compliant and respectful of our E.U. members’ rights.