Research covers user research, UX research, or design research that technology teams run to understand user needs and evaluate product choices. The UK GDPR and DPA 2018 contain research provisions that refer to personal information processing carried out for a) archiving purposes in the public interest, b) scientific or historical research purposes, or c) statistical purposes. Most user research is not covered by these provisions. Therefore, in this guidance, ‘research’ refers to user research, not the research provisions covered in privacy law.
User research helps you learn about people’s privacy needs and concerns so you can create products that people trust.
Survey the landscape
Just like the world of technology, the world of privacy is constantly evolving. To understand how things stand in your market and for your particular project, you could:
- conduct competitor analysis to understand how others are positioned and look for ways to compete or differentiate by enhancing privacy;
- explore emerging technology or industry trends that could offer novel ways of tackling privacy challenges; or
- review any consumer trends that are shaping the privacy landscape, and identify how to investigate these more deeply in your own research.
Gather audience perspectives on privacy
Researching people’s attitudes towards privacy means you’re less likely to violate their expectations. ‘Formative’ research such as focus groups, interviews, diary studies, and citizens’ panels can help you learn how different groups feel about privacy and personal information use in your product. Questions you could explore in research include:
- Who will use the product? Do they include children or vulnerable groups?
- How might the collection of personal information affect them?
- What risks might there be in collecting personal information for different people using the product?
- Would people expect you to use their information in this way?
- When in your user journey do people need to understand how their information is used?
- How can you design that information in ways people can understand and engage with in the context of your product’s user journey and people’s state of mind?
If time and budget allow, you could also use participatory methods, such as co-designing critical interactions with representative users.
Findings about people’s views on privacy and personal data might feed into any data protection impact assessment that you or your data protection and legal colleagues complete.
Get feedback on privacy work in progress
You could also conduct ‘summative’ research to test work in progress and see whether you are on the right track:
- Assess the design of privacy information screens, consent interfaces and flows, and other data interactions, just as you would for other elements of your product experience.
- Test whether people can easily access and understand relevant privacy information, whether participants feel they have the right information at the right time, and whether they are in the appropriate state of mind to take informed action.
- Recruit a representative sample of your intended users for tests; you may find different people have significantly different privacy needs and reactions.
Protect the privacy of your research participants
Conducting research ethically and properly means taking participants’ privacy seriously. If your research requires you to process personal data, you must:
- minimise the information you collect about your participants. You should anonymise results where possible. You could, for example, refer to each participant just by a number rather than a name;
- clearly explain to participants how you will collect, store and use their information;
- ask for participants’ consent for data processing when appropriate, and keep records of this consent; and
- erase or anonymise participants’ personal information within the time period you specified. You must not keep personal information for longer than you need to.