Making Your Forms User-Centered and GDPR Proof


From May onwards, collecting personal data properly will not just be a matter of good user-centered design, but a legally binding regulation. As people responsible for creating customer-centric products and services, we take the notion of consent seriously and would like to encourage everyone to do the same. We’ve been helping companies navigate the new General Data Protection Regulation (GDPR) landscape and have some advice on how you can prepare your business for the upcoming changes in a way that also improves the user experience.

One of the things the new privacy regulations are trying to solve is the fact that most people don’t read what type of data processing activities they’re agreeing to. Because let’s be honest, terms and conditions are way too long and often written in a way that’s too complicated for most people to understand. With the GDPR, businesses will have to start being open and clear about what they do with their users’ data (if you haven’t done that already).

A good first step is to look at your data capture forms (e.g. newsletters, webinars, sales requests). If they are designed with the users’ privacy in mind, this can be a great way to start building a relationship with your customers. This was also the first step we took as part of a bigger project for Elsevier. If you haven’t designed your forms with your users’ personal data in mind, use this as an opportunity to really make a difference and demonstrate what your business stands for. Don’t aim solely to comply with the new regulations.

Here are the basic things to watch out for when you make your own forms both user-centered and GDPR-proof:

1. Informed

Consent to the processing of one’s personal data should be clear, concise and specific. Ambiguous or generic statements are not acceptable any longer, as you can see here:

[Image 1: newsletter sign-up form]

2. Separating terms & conditions from consent

That brings us to separating consent from the rest of the terms & conditions. Consent is often bundled with the terms, meaning users have to agree to both at once, but this will no longer hold up. Users have to give consent to the processing of their data and accept the terms separately from each other. This is one of the things we also implemented for the newsletter sign-up forms for Elsevier. It can look like this:

[Image 2: webinar registration form, alternative layout]

3. No pre-ticked boxes

That being said, being considerate of your users’ privacy is also about encouraging them to actively think about what they are agreeing to. This means the end of pre-ticked boxes and the start of active opt-in methods. Make it clear and visible for users what is optional and what exactly they are giving permission for.

4. Naming all third parties

Having unknown third parties use your data without your knowledge is one of the things the GDPR tries to solve. One of the ways this is enforced is by requiring you to name all organizations and third parties that will be relying on the users’ consent. Naming only the categories of third-party organizations will not suffice. That’s why you should think of a way to provide transparency and clarity for your users about who exactly has access to their data. With Elsevier, we did this by providing additional information about the third parties involved: during account sign-up, users can open a simple list showing who will be able to consult their data.

5. Granular consent

Obtaining consent should not only be made explicit, but also granular. This can be done by splitting all marketing and communication consent into separate checkboxes (e.g. one for email, one for text messages, etc.). By doing this, you show your users exactly which type of data processing activity they’re giving consent to. And this type of transparency is perceived as valuable by users.

6. Easy to withdraw

Something to always keep in mind is the ease of withdrawal. Make your users aware that they have the right to withdraw their consent anytime, and provide clear and easy instructions on how to do this. It should be as easy to withdraw consent as it was to give it.
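The six points above can be mirrored in the logic behind the form itself. The following is an added example, not code from the original post or from the Elsevier project: a small consent model in which nothing is pre-ticked, accepting the terms is kept separate from the optional opt-ins, every purpose names its third parties, the record stores what was agreed and when, and withdrawal is a single call. The purpose names, third-party names and notice version are constructed placeholders.

```javascript
// Constructed placeholder: which version of the privacy notice the user saw.
const NOTICE_VERSION = "privacy-notice-2018-05";

// Each optional purpose is listed separately (granular consent) and names the
// organisations that will rely on it, rather than only a category. Constructed.
const PURPOSES = {
  newsletter_email: { label: "Newsletter by email", thirdParties: ["ExampleMail Ltd"] },
  product_sms: { label: "Product updates by SMS", thirdParties: ["ExampleSMS GmbH"] },
};

// Initial form state: terms unchecked and every opt-in unchecked (no pre-ticked boxes).
function initialFormState() {
  const optIns = {};
  for (const key of Object.keys(PURPOSES)) optIns[key] = false;
  return { termsAccepted: false, optIns };
}

// Turn a submitted form into a consent record. Accepting the terms is the only
// required field; the marketing opt-ins are never a condition of signing up.
function buildConsentRecord(state, now = new Date()) {
  if (state.termsAccepted !== true) {
    return { ok: false, error: "Terms & conditions must be accepted to create an account." };
  }
  const consents = Object.keys(PURPOSES).map((key) => {
    const given = state.optIns[key] === true; // only an explicit tick counts
    return {
      purpose: key,
      label: PURPOSES[key].label,
      thirdParties: PURPOSES[key].thirdParties,
      given,
      givenAt: given ? now.toISOString() : null,
      withdrawnAt: null,
    };
  });
  return {
    ok: true,
    record: { noticeVersion: NOTICE_VERSION, termsAcceptedAt: now.toISOString(), consents },
  };
}

// Withdrawing is one call per purpose, as easy as giving consent was.
function withdrawConsent(record, purpose, now = new Date()) {
  const entry = record.consents.find((c) => c.purpose === purpose);
  if (!entry || !entry.given) return false; // nothing to withdraw
  entry.given = false;
  entry.withdrawnAt = now.toISOString();
  return true;
}
```

The record keeps the notice version alongside each purpose, so a later question of what exactly the user agreed to can be answered from the record rather than reconstructed.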

So, in short, complying with the new privacy rules is all about making the options explicit and granular, with the goal of ensuring the user is aware of what they are giving permission for. Remember to be as honest and concise as possible, and ideally even provide examples of what the user can expect when ticking that opt-in box. This should be a good start to making changes, and if you have any questions we’re here to help.