The new EU General Data Protection Regulation (GDPR) will come into effect next month, on 25th May 2018. The new regulation applies to all companies that collect and process personal data of European users. GDPR will definitely have an impact on brands and how they design and deliver their digital products and services. It will also affect what data brands can collect and process, and how this data can be used. The new regulation will make brands responsible for the privacy and security of their customers' / users' personal data.
There are 6 lawful bases for processing personal data in GDPR:
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
- Legitimate Interests
The maximum penalty for not complying with GDPR is 20 million euros or 4% of annual turnover.
Brands that use a user-centred design process to design their products and services deliver a great branded user experience (UX) that meets their users' needs and expectations, which helps to build trust in the brand. Brands that have a high UX maturity level would not be challenged by GDPR, as their business focus is on the customer / user and they already comply with existing data protection laws. So, GDPR is good for brands that are authentic, transparent and customer / user centric.
To find out the UX maturity level of your brand, please see the UX Magazine article, How Mature is Your Organization when it Comes to UX?
Brands that use dark patterns will need to redesign their user experience in order to comply with GDPR. Dark patterns may include asking users for their date of birth when it is not essential for the business activity. Other dark patterns include using pre-checked form fields to mislead users into signing up for marketing, or into buying extra products or services they did not want / need.
As brands must comply with GDPR, this is good for users. Brands will have to deliver a good user experience in which their users are in control, as users will have the following rights:
- Right to be informed
- Right of access
- Right to amend their personal data
- Right to have their personal data deleted
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
For brand communication, it is the customer / user who decides whether they are interested in receiving brand communication and, if so, what type of communication they are interested in and how they prefer to receive it. With GDPR, brands must seek customers' / users' consent for each specific type of brand communication and their preferred contact method. Users that actively opt in to brand communication are more likely to engage with the brand. For good user experience design examples, please see the e-consultancy article on GDPR: 10 examples of best practice UX for obtaining marketing consent.
For more information about GDPR, please see the ICO guide.