Many designers don’t work with data directly. So why should they care about the General Data Protection Regulation, Europe’s far-reaching new privacy law? In short, GDPR will make privacy a mandatory design principle–and, in doing so, may redefine the profession.
To prepare for the GDPR’s May 25th deadline, the vast majority of companies that you interact with on the internet are already altering their products, from internet giants like Facebook and Google to small startups. You’ve probably noticed the barrage of emails noting how they’re changing their privacy policies and even their designs. The GDPR will likely fundamentally alter how products are developed both in Europe, where the law applies across every country, and in the United States, where many companies have European customers.
So, what does the GDPR actually require? And how will it reshape the work designers do? Co.Design spoke to design agencies, data protection officers, and privacy advocates about how these changes in Europe will impact designers all over the world. If you’ve heard the acronym floating around but have been too afraid to ask what it is, you’ve come to the right place.
First things first: There are six key components to the GDPR that establish European Union citizens’ data rights.
First, citizens have a right to be notified within 72 hours if a company has been hacked and the breach will risk their personal information, to prevent situations like Yahoo’s massive data leak that people only found out about years later. Users also have the right to access what data a company has on them and learn where and how it is being used. And people have the right to be forgotten–meaning that if you don’t want a company to have your data anymore, you can ask them to delete all traces of it from their system. That also means that companies have a legal directive to delete data if it’s no longer relevant, even if you haven’t asked them to do so. Likewise, asking for consent from users to capture their data must be presented in an accessible, easily understood way.
Another key element of the law is “data portability.” This means the ability to download your data from one place in a machine-readable format (like a CSV file) so that you can take it to another carrier if you desire. If you downloaded your data from Facebook after the Cambridge Analytica scandal, you were exercising this right–though that download mostly includes data you explicitly shared with Facebook, and doesn’t include every inference the company has made about you based on your activity.
Worth noting: Right to access and right to portability are slightly different. Right to access means a company has to provide all data it has on you, including what it’s been used for, how long the company will store it, the source (if it doesn’t come from you), and sometimes information about how automated decisions were made using your data. If you request to download your data, however, the company only has to supply data you’ve explicitly provided to it.
Crucially, a concept called “privacy by design” is part of the GDPR. It requires that all products that utilize user data integrate privacy as part of the design and development process, including only capturing data that’s absolutely necessary for it to function. And under the law, big companies that use lots of data will need to hire Data Protection Officers–which has led to a hiring scramble as companies move to comply.
Some of these requirements aren’t necessarily new–but they are being applied consistently across the EU for the first time. So why do non-European companies care about GDPR? Because the sweeping regulation applies to all EU states, that means that any company that has users in Europe or European offshoots has to comply with GDPR for those particular people; companies can also offer different services in the U.S. without the same data protections that EU citizens are entitled to as a way of toeing the line.
Companies have been panicking for over a year about complying because the GDPR mandates serious repercussions for failing to do so. Companies can be fined up to 4% of their annual global turnover, or as much as $23.8 million (20 million euros), whichever fee is larger. And while the stakes are high, the exact legal details of the regulation are muddy, adding to the confusion.
Though the regulation was ratified in April 2016, companies are still struggling to comply–and the deadline is just weeks away. Emily Hancock, the newly hired data protection officer at the internet services company Cloudflare, thinks much of the panic is coming primarily from U.S. companies, where data policy has been far laxer. “It applies to all countries across Europe, but it’s an evolution of a directive that was put in place in 1995,” she says. “In Europe, companies have been dealing with these kinds of data protection regs for a long time. It’s the added penalties and the extraterritorial scope that’s causing people outside of Europe to panic.”
With all of these new regulations in mind, here’s what designers and privacy experts have to say about the way GDPR is changing their business.
1. Designers can’t play ignorant about data anymore
Thanks to GDPR, designers will be forced to reckon with the underlying technology that powers their products–namely, databases. “We’re looking at a place where it’s no longer okay for designers to not understand what a database looks like or what goes into it,” says Sarah Gold, the CEO of the London-based privacy and design organization Projects By IF.
Gold believes there are big challenges for designers when it comes to notifying people about how to delete their information from systems that are powered by machine learning–systems that are becoming increasingly prevalent. “For designers it’s going to mean understanding the databases they’re using and the kind of technology being used in services,” she says. “You need to have a much greater understanding of that to design usable, understandable, accessible design patterns in the first place.”
2. Privacy must be part of the design process
GDPR is poised to become a crucial part of the design process itself. Product teams won’t be able to ignore what data is collected and shared by their product, and then go to a lawyer a few weeks before launch and say, “Do you see any problems with this? We’re going to launch in a few weeks,” Hancock explains.
Instead, thinking about privacy should happen during the design process. Yashoda Sampath, group director of research at New York-based design agency Huge, says that the data privacy conversations tend to currently occur “closer to the build and implementation phase when we’re ready to put in the ad-tech and the partners and the business model, versus now we’re going to start having those conversations much earlier in design and development–even in the ideation phase.”
That means GDPR is on the table during brainstorming–not unlike how healthcare products are built around regulations like HIPAA from the beginning.
There’s a downside to thinking about regulation earlier, at least according to Mark Rolston, the founder and chief creative officer of Argodesign. “Things will cost more to do,” he says, and, indeed, Fortune 500 companies are spending billions to change their systems. Yet it’s a necessary step into the future. “I’m okay with it. I’m super excited for it to happen in the sense of the world growing up. We’ve been in this juvenile stage playing around with a lot more power than we’ve respected.”
3. Bad Design Will Become A Pricey Liability
A key part of designing for GDPR will be answering this question: What data should this product collect? The designers I spoke with all had an easy answer: Don’t collect data if it doesn’t make the UX better.
“There’s so many [companies] collecting data and they don’t know what they’re doing with it,” Rolston says. “That’ll just stop. We’re afraid of 4%.”
Laws like GDPR could spell the end of business models based purely on data collection–mostly because the risks and costs will be too great. “Here in the Valley not so long ago, I’m talking about a year or two ago, you would hear executives talking about how they package and sell users’ data and how this is the core valuation factor in their startups or established companies,” says Gadi Amit, the founder and principal of the San Francisco-based agency NewDealDesign. “I think the cost associated with keeping track of all the regulation is just going to go up. It’ll come to a point where, obviously there will be benefits of keeping user data, but there will be quite a lot of costs and responsibilities associated with that.”
In practice, Cloudflare’s DPO Hancock says that deciding what data to collect means asking questions like: If I pull data from an API, do I really need all the fields of data that I could get, or do I narrow it for the specific purpose of this product? When thinking about geolocation data–do I really need it? And if I do capture geolocation data, what are the risks associated with that? “That’s the thought process you’d want developers to go through earlier in the cycle rather than after the product is built and ready to ship and someone just wants to get a sign off,” she says.
In a conversation that’s been dominated by data scientists, legal experts, and researchers, Sampath believes designers are the right ones to be asking these questions.
“The next step is to empower designers to participate in this conversation: These are the pieces of data I need to improve personalization. These are the pieces of data I need to improve anticipation. And this is where we can really add value using data,” she says. “In that regard, having them be both advocates and be a bit of a check and say, this kind of data will make users wary of our experience and reduce the joy of our experience.”
4. Design Could Help Solve One Of Today’s Biggest Problems–Or Not
The new directives have created a serious design challenge: creating better, clearer interfaces that make navigating privacy easier for users.
Today, privacy settings are often buried deep inside apps where no one can find them, and privacy policies are a mess of legalese that no one reads. Amit of New Deal believes that designers are partially complicit in this, and points to Facebook’s acquisition of WhatsApp to illustrate. “You had to really dig down very deeply to prevent WhatsApp from shifting all your contacts and sending them to Facebook,” he says. It’s unclear if that UI would be noncompliant legally under GDPR, but WhatsApp’s UI certainly didn’t make this significant data sharing easy to understand or access, making it virtually impossible to get meaningful consent. “I checked with my friends, most people didn’t know that WhatsApp is preying on their contact lists,” Amit adds. “That’s all done by UX and UI designers. That is something patently designed to mislead and bury something very important. So I think we need to start having a real discussion within the design industry about cooperation and willingly playing along with those traps.”
Many companies facing GDPR are relying on a familiar interface design to comply: the “settings” screen. These ubiquitous screens don’t do much to functionally protect users, though they may be technically compliant.
“The main response for GDPR has been to put in place a dashboard where people can adjust the data sharing permissions from one central location. That for me has been a real shame,” Gold says. “The preference center is an easy way out of GDPR, but none of the research we’ve done shows any individual that’s not a privacy specialist goes into those settings. [It] is a real wasted opportunity.”
Rather than relying on these old solutions, Tiago Luchini, a partner of technology at the New York-based agency Work & Co, believes in something he refers to as “micro-consent,” where users can learn what each piece of data they’re giving up is going to be used for–and how their experience might suffer if they decide not to provide it. He uses an example to illustrate: He recently signed up for an app to run a marathon, which asked him for his ethnicity.
He prefers a system where users can determine what information they want cookies to have on a service-by-service basis. “Maybe you’re fine with Facebook, but not one of the retargeting programs they use,” he says. “It’s a fascinating design challenge. You have to communicate back to the user every time those take place.”
Rolston agrees. “We’re going to have to get better at making those data events transparent,” he says. “Privacy becomes a virtue that gets communicated through the interface.”
5. GDPR Isn’t Enough–Design Culture Must Change, Too
While GDPR might be a step in the right direction, some think that the law isn’t enough. The profession needs to lead the way. Amit sees a disconnect between law and actual design practice, but thinks there could be a solution in changing who designers look up to and what is valued . . . or shamed, in turn.
“I think it’ll be a lot more effective from a design community and design culture element to start pointing out douchebaggy experiences that people are building and boasting and feeling proud of,” he says. That means that designers should call out nefarious dark patterns, even when their colleagues are building them, so that manipulative interfaces that encourage people to give up their data don’t remain the default.
For Gold as well, designers can pick up where the law fails. For instance, the idea of data portability doesn’t take into account that data can often be tied to many people–take your utility bill if you live in a shared house, or even your Facebook data. Gold and her organization Projects By IF recently published a new study on this very topic in collaboration with the Open Data Institute, and included a series of prototypes posing ways in which data portability could function.
One concept illustrates a faux social media service called FriendShare, where when you delete your account, you can download an archive of data. But because other people are involved in that data, the service sends each person a message letting them know they have 24 hours to change the data that’s in the archive if they don’t want you to hold on to it.
“There’s an opportunity for designers to help improve the legislation by showing how it can be adapted to the real world and how people really use services,” Gold says. She also believes that thinking of consent as a key performance indicator (KPI) could make it more of a priority. “How does that have an impact on a company’s bottom line?” she says. “There’s more to be done to bring that into the culture of the way we design and make.”
GDPR also doesn’t have to be viewed as a negative. Work & Co’s Luchini sees it as a form of creative constraint.
“This is the kind of constraint that makes designers and technologists happy and makes us thrive at the end of the day,” he says. “In the long run this is not something that’s going to be bad for business. It’ll be good for business and good for users.”
6. GDPR Is Just The Beginning Of A Sea Change
Designers are already working on many of these points. For Amit, simply doing good design means upholding many of the elements of the GDPR. “If you believe in good design values, that means you lead the user to understand exactly what the app is supposed to be doing. That’s my view of it,” he says. “If you’re doing good design, inherently it means you provide people with a tool that’s clear, that is easy, that is transparent, and therefore the chances of it being misused or miscommunicated to the end user are very low.” Sampath has a similar view. “[GDPR] really gels well with our views on user experience,” she says. “In that sense any push that leads to greater transparency is a net good.”
One of the most compelling reasons to embrace the GDPR is that these kinds of data standards are here to stay–even if they haven’t hit the U.S. yet.
Rolston uses the analogy of California emissions laws. To meet the state’s more stringent standards, car companies end up building cars for all states that comply with California law because it makes more sense to just build them all to the same regulation. The GDPR is similar, in that it’s going to force companies to comply in Europe–so why not just adopt the same standard everywhere? Of the companies I spoke with for this story, both Cloudflare and Mozilla will be GDPR compliant no matter where their customers are located. Facebook said it would comply, but sneakily decided to exclude 1.5 billion of its users. Others are taking an all-or-nothing approach: Mobile advertising company Verve is pulling out of Europe entirely.
Still, Sampath is certain this kind of data law is here to stay. “GDPR is only going to be the first regulation that looks like this,” she says. “Internally we’re all pretty confident that some version of the GDPR will be coming to the U.S. in the next year and a half. It’s a nice kick in the pants to think about it ahead of time.”
Ultimately, the designers I spoke with remain optimistic that the GDPR will be good for users and businesses. “I think the net is that each company will have a more mature product that’s better for people overall, and that will have a net positive,” Rolston says. “Aligning our interests with the market will make them better products. It’ll force them to grow up.”