Whether sketching initial design concepts, planning out user journeys, or prototyping high-fidelity interactions, you must consider privacy throughout your design process. It is easier to resolve issues in a design phase than if you discover them later on.
Consider privacy throughout your design activities
You can address privacy issues through a range of design activities, including UI sketching, information architecture, prototyping, and content design:
- You could try using privacy concepts as a prompt for generating ideas, such as a ‘crazy eights’ sketching exercise that explores how your product might work if it processed no personal information.
- You should avoid using real user data when prototyping or mocking up interfaces. Realistic dummy data or synthetic data is safer.
- Critique sessions offer good opportunities to ask what-if questions about privacy. You could, for example, use the ICO’s Overview of data protection harms as a discussion prompt.
- If you are a design leader, you should make it clear that designers should consider privacy in their work. You could also specify that you will not sign designs off until the team shows how they have handled privacy questions.
Communicate privacy information in ways people understand
You should design experiences that allow people to understand what happens to their personal information, to help meet the requirements of the UK GDPR’s transparency principle and people’s right to be informed:
- Privacy information should be easy to read and understand. You must make it concise, transparent, intelligible, easily accessible, and use clear and plain language.
- People may not always read privacy notices. It may not be sufficient to only use this way of communicating privacy information. You should use a variety of techniques such as ‘just-in-time’ notices or a layered approach, where appropriate.
- Your users may not understand technology and privacy as well as you. Remember that the consequences of decisions may not be obvious to others, even if they are to you.
A young man, excited to have his first credit card, tries to post a photo of it to social media, unaware that sharing card information could expose him to fraud. The social media company uses an image recognition algorithm to scan for possible credit card photos, and intervenes in the posting flow, advising the user not to post his sensitive financial information. Although this safeguard is not legally required under data protection law, it helps to protect people.
- You should recognise and respect use cases that don’t fit your ideal user journey.
A designer working for a ride-hailing service believes the best pickup experience involves users sharing their device location. However, some people will decline to share, as is their right. The designer realises these are not edge cases and designs a smooth, accessible way for them to enter a pickup location, using either text or voice input.
Choose the right moments
Timing is everything. You should identify the moments when people might expect to make decisions about information, and when they are in the best state of mind to make reasonable, informed choices:
- Consider when in the user journey you should discuss privacy. You must provide privacy information at the time of collecting personal information from the person it relates to, but consider additional moments.
A design team is unsure whether to explain what happens to people’s information through step-by-step instructions during initial account sign-up, or as ‘just in time’ prompts before information is collected later on. Since the team agrees it is important that people fully understand what happens to their information, they opt to do both.
- The right moments may vary for different people with different needs.
- Whatever moments you choose, you should ensure people have enough time and knowledge to consider their options fully.
Ensure consent is valid
Consent is one of six lawful reasons for processing personal information. Your data protection colleagues can advise you about whether you need to seek consent for your use case. Consent must be freely given, specific and informed, and given by a clear affirmative act. It must represent an active choice and be as easy to withdraw as it is to give.
How you present choices in an interface can help people make better decisions, but it can also affect their actions and invalidate their consent:
- You must offer consent interfaces that are unambiguous and involve a clear affirmative action (an opt-in). Pre-ticked opt-in boxes are specifically banned under UK GDPR.
- If you offer multiple choices in a consent interface, you must not make one more appealing or prominent than another. This is likely to invalidate the user’s consent.
- Similarly, you must not use option labels that invite guilt or another negative emotion. Sometimes known as ‘confirmshaming’, this can bias people’s choices and invalidate their consent. You must not use ‘biased framing’ to emphasise the supposed benefits of one particular option to make it more appealing or the supposed risks of another to discourage people from
- When relying on consent as your lawful reason for processing data, you must ask for specific consent each time you use data in a new way or for a different purpose. Different purposes should not be bundled together under a single consent choice.
- You should think carefully about when to use consent interfaces. Use too few and you may not comply with UK GDPR requirements, if you are using consent as your lawful reason. However, over-using unnecessary consent popups causes decision fatigue, training people to accept information sharing or other uses of their information blindly in every product they encounter.
- You must offer people a way to reopen consent interfaces later on. It must be as easy to withdraw consent as it is to give it.
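The consent rules listed above (no pre-ticked boxes, one opt-in per purpose, equal prominence for the options, and a route to withdraw later) can be checked mechanically in a web front end. The following is an added example written for this page, not ICO code or guidance: it keeps a per-purpose consent ledger where every purpose starts unset and withdrawal is the same call as granting, and it lints a hypothetical form definition against the rules. The purpose ids, the `form` object shape (`options`, `buttons`, `withdrawalPath`) and the button `style` field are assumptions made for the example.

```javascript
// Constructed, hypothetical purposes; a real product would define its own.
const PURPOSES = [
  { id: "marketing_email", description: "Send you marketing emails" },
  { id: "analytics", description: "Analyse how you use the app" },
];

// Every purpose starts unset: nothing is pre-ticked, so any "granted" state
// can only result from an explicit act by the person.
function newConsentState(purposes) {
  return Object.fromEntries(
    purposes.map((p) => [p.id, { granted: false, events: [] }])
  );
}

// Record a decision for one purpose. Granting and withdrawing are the same
// operation, so withdrawal is never harder than giving consent. The ledger of
// events supports the right of access and later audit.
function recordDecision(state, purposeId, granted, now = Date.now()) {
  if (!(purposeId in state)) {
    throw new Error(`unknown purpose: ${purposeId}`);
  }
  // Only an explicit boolean counts as a clear affirmative (or negative) act.
  if (typeof granted !== "boolean") {
    throw new TypeError("consent decision must be an explicit true/false");
  }
  const entry = state[purposeId];
  entry.granted = granted;
  entry.events.push({ granted, at: now });
  return state;
}

// Purposes that processing components may currently act on.
function permittedPurposes(state) {
  return Object.keys(state).filter((id) => state[id].granted);
}

// Lint a (hypothetical) consent form definition against the design rules:
// pre-ticked opt-ins, bundled purposes, unequal button prominence, and a
// missing way to reopen the interface later.
function lintConsentForm(form) {
  const problems = [];
  for (const opt of form.options) {
    if (opt.defaultChecked) {
      problems.push(`${opt.id}: pre-ticked opt-in`);
    }
    if (opt.purposes.length > 1) {
      problems.push(`${opt.id}: bundles ${opt.purposes.length} purposes`);
    }
  }
  // Assumption: each button carries a visual `style`; differing styles mean
  // one option is being made more prominent than the other.
  const styles = new Set(form.buttons.map((b) => b.style));
  if (styles.size > 1) {
    problems.push("accept/decline buttons have unequal prominence");
  }
  if (!form.withdrawalPath) {
    problems.push("no route to reopen the consent interface later");
  }
  return problems;
}

// Stand-alone demonstration.
const demo = newConsentState(PURPOSES);
recordDecision(demo, "analytics", true);
console.log("permitted:", permittedPurposes(demo)); // ["analytics"]
recordDecision(demo, "analytics", false);
console.log("after withdrawal:", permittedPurposes(demo)); // []
console.log(
  lintConsentForm({
    options: [{ id: "all", purposes: ["marketing_email", "analytics"], defaultChecked: true }],
    buttons: [{ label: "Accept", style: "primary" }, { label: "No thanks", style: "link" }],
    withdrawalPath: null,
  })
);
```

The lint only catches structural problems; wording issues such as confirmshaming labels or biased framing still need a human critique session.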
Empower people to exercise their information rights in the interface
The UK GDPR gives people various rights about their personal information. These rights include:
- right of access – people have the right to get access to their personal information, and should be able to request a copy;
- right to rectification – people have the right to request that inaccurate information is rectified, or that incomplete information is completed;
- right to data portability – people have the right to move, copy or transfer personal information easily from your product to another, in a safe and secure way; and
- rights related to automated decision-making and profiling.
Your organisation must allow people to exercise these rights. Since it is good practice to provide privacy information through the same medium used to collect it, you should consider how you could help people exercise their rights directly through your product.
A credit agency allows people to request corrections to their personal records by email and post. However, these channels create high administration overheads and are expensive. The agency’s web team therefore builds an online form to let people request corrections themselves, and additionally to download their data in an interoperable format.