Table of contents
1. What is GDPR?
2. How do UX researchers leverage data processing?
3. When do UX researchers need to obtain consent?
4. How to write a data policy notice the right way?
5. How can you prevent users from demanding to erase their data?
6. How should UX researchers organise the data collection process?
7. What other rights do test users have?
8. How can UX researchers ensure facial recognition privacy?
9. Who can help UX researchers to ensure GDPR compliance?
1. What is GDPR?
GDPR stands for the General Data Protection Regulation. It is an EU regulation that harmonises data protection law across the EU and EEA, and it applies to any organisation, wherever it is based, that processes the personal data of people in the EU. Its main function is to give individuals control over how companies use their personal data. The GDPR has applied since May 25th, 2018.
The GDPR sets out seven key principles (Article 5):
1. Lawfulness, fairness, and transparency
You must have a lawful basis for processing, inform users that you will collect their data, and explain what you will do with it.
2. Purpose limitation
You can't collect data just for the sake of it. You must collect it for a specific, explicit purpose (e.g., improving customer service, enhancing user experience, running a marketing campaign) and not reuse it later for an unrelated one.
3. Data minimisation
You shouldn't collect any data that doesn't serve the stated purpose. Let's say you want to use users' first names to personalise your marketing emails. You can ask users for their first names, but asking for their family names as well collects more than the purpose needs.
4. Accuracy
You should keep personal data accurate and up to date, and correct or delete any inaccurate data in your database.
5. Storage limitation
You are not allowed to store user data longer than it's actually needed for the purpose you collected it for.
6. Integrity and confidentiality
You must protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. If you can't secure the processing, you shouldn't be doing it.
7. Accountability
You are responsible for demonstrating compliance: adopt and implement data protection policies, and put written contracts in place with organisations that process personal data on your behalf.
Failure to comply with these principles can lead to fines of up to €20 million or 4% of the company's worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements). Do you doubt that these fines are a real thing? Check the list of the biggest GDPR fines and the reasons for them:
Google – € 50 million. The tech giant didn’t provide sufficient information to users in consent policies.
H&M – € 35 million. The company processed sensitive data about its employees’ health and beliefs without having a specific purpose.
TIM (Telecom Italia) – € 27.8 million. The company was penalised for bombarding millions of individuals with promotional calls and unsolicited communications.
British Airways – € 22 million. Attackers compromised the airline's website and harvested login details, payment card information, and other personal data of around 400,000 customers.
Marriott – € 20.4 million. The hotel chain’s guest reservation database wasn’t secure enough. Eighty-three million guest records (30 million EU residents) were exposed after the database was compromised.
Probably one of the most confusing parts of GDPR is the broad definition of the term 'personal data'. GDPR defines it (Article 4) as 'any information relating to an identified or identifiable natural person'. No wonder many UX researchers don't understand what kind of information they can and can't collect without a user's consent.
So what types of data does GDPR apply to?
- Phone number
- An identification number
- Location data
- Internet protocol (IP) addresses
- Cookie identifiers
- Radio-frequency identification (RFID) tags
- Browser type and version
- Operating system
- Referral source
- Length of visit
- Page views
- Website navigation paths
- Type of software
- Users’ digital fingerprint
- Face images and videos
- Medical history
- Criminal records
- Bank statements
- Payment data
- Credit card data
- Employment evaluation
This list can go further. Basically, any textual, video, audio, numerical, graphical, or photographic data that relates to an identified or identifiable person should be treated as personal data, including data that only identifies someone when combined with other information you or a third party hold.
2. How do UX researchers leverage data processing?
Some UX researchers are not fully aware of how often they 'process' user data. Data processing occurs every time you save a user's data to a spreadsheet, send a thank-you email to a test user, or share the test result report with your client. The more often and the more widely you process personal data, the higher the chances of a data breach or another data-related issue.
3. When do UX researchers need to obtain consent?
Consent is the lawful basis that UX research almost always relies on, so UX researchers should not start collecting personal data before they have the participant's declaration of consent. Consent also only covers what it describes: if you have already collected some data and now need to collect additional personal data, you need to obtain an additional declaration of consent from the test user.
Let's say you've run a test with 100 participants. You know the names and ages of these users. Now you want to extend your study and get to know the gender of your participants. You should create an additional consent form and ask the test users to sign it.
If you are going to record or observe test users, you should specify that in the informed consent. You should explain who will watch the recording and for what purpose. Also, you should mention whether test users will be observed in real time.
You should be aware that if you ignore this rule, the consequences will be serious. If you fail to comply with GDPR, you will likely be fined.
With TestingTime you can have documents signed by your test users before the study, for example a non-disclosure agreement or a consent to record the test. You can do this very easily and completely digitally through their online order form. Simply activate the option "Document to be signed" in the "Add-ons" section. This will allow you to upload a document of your choice.
TestingTime will subsequently integrate the document to be signed directly into their recruitment process. Every document will be legally signed, including the date, the full name of the test user and their electronic signature. You will have access to all signed documents in your order overview before commencing the test.
A GDPR-compliant template for an NDA can be found here. In case of doubt, it is advisable to clarify with your internal or an external legal team what to do.
The trickiest part of GDPR compliance is that UX researchers should not only obtain consent but also make sure that it's valid. Consent is valid only if it:
- is freely given. You are not allowed to force users to consent.
- is specific and designed for a particular purpose.
- is informed: it provides test users with sufficient information for decision-making.
- is free from any ambiguous statements.
- is an affirmative act. Users must not just read the information but check the box and click the 'submit' or 'agree' button. Pre-ticked boxes, silence or inactivity do not count as consent.
- is distinguishable from other matters, such as the terms of service.
- is requested in clear and plain language.
- isn't presented as a precondition of a service the user could otherwise receive.
- can be withdrawn as easily as it was given.
4. How to write a data policy notice the right way?
Writing a data policy notice is the first step to GDPR compliance. Here is a list of rules you should follow to create a clear data policy notice.
- Include the name and contact details of your organisation and the names of third parties that will have access to the personal data.
- Be clear about your intention. Test users should have a clear understanding of what specific data will be collected, for what purpose and for how long it will be kept. If you are going to record video or audio of the testing process, you should inform users upfront. If you don't, you put your UX research at risk.
- Remember that the vast majority of European users are not native English speakers. Write everything in plain language and avoid words that your target audience may not understand. Do you need help with writing texts for a global audience? If so, you can order website content writing and ask experts to write a data policy notice on your behalf.
- Draw users' attention to the fact that they have the right to withdraw consent, to object to the processing of their data, and to demand that it be erased from the database without undue delay.
- Don't try to manipulate users' decisions. Instead, provide them with all the necessary information and let them decide whether to share their personal data.
5. How can you prevent users from demanding to erase their data?
You can't, and you shouldn't try. If test users exercise their right to withdraw consent, researchers lose that part of the collected data, which may naturally affect the results of the testing. What you can do is explain the objection and withdrawal process clearly in your notice. Here is how an objection clause can be worded (X stands for the organisation's name):
"If X organisation bases the processing of your personal data on a balancing of interests, you can object to the processing. This is the case in particular if the processing is not necessary for the purpose of fulfilling a contract with you, which is set out by X organisation in each case in the description of functions below. If the objection is justified, X organisation will examine the matter and either cease or adapt the data processing, or present you with compelling and legitimate reasons why X organisation will continue to process it."
6. How should UX researchers organise the data collection process?
One of the biggest mistakes UX researchers make is that they try to collect as much data as possible. They think that even though they don't need this data right now, they will probably use it later. They ask test users for information they don't need, and that goes against the purpose limitation and data minimisation principles.
The rule of thumb for GDPR compliance is to collect only the data you actually need to make a specific decision or improve the UX design. If you need more information later, you can obtain it then, with an additional consent form.
7. What other rights do test users have?
Test users have the right to ask you what data you hold about them. So you should store the data in an organised way and be ready to give users a copy of their data upon request, normally within one month. You should also be prepared to answer users' questions about how their personal information is being used.
Besides, you should correct information about test users if they ask you to. You should do it to comply with the user's right to rectification and to improve the accuracy of your database.
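The consent, access, rectification, erasure and retention rules above are easier to get right when the study's participant store enforces them rather than a spreadsheet. The following is an added example written for this article, not code from the page, from TestingTime or from any other vendor. It assumes a small in-memory store of text fields per participant; the data category names, the 90-day retention period and the sample participants in `run_demo` are constructed for the demonstration.

```python
"""Participant record store for a UX study with consent-scoped collection.

Added example (not from the article). Assumptions: participants are keyed by an
internal ID rather than a name, each field belongs to a named data category, and
retention is counted from the date of the latest signed consent form.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


class ConsentError(Exception):
    """Raised when a field is collected under a category the participant never consented to."""


@dataclass
class Participant:
    pid: str                                           # internal ID, never a name
    consented: Set[str] = field(default_factory=set)   # data categories covered by signed consent
    data: Dict[str, str] = field(default_factory=dict)
    consented_on: Optional[date] = None                # date of the latest consent form


class StudyStore:
    """Holds only consented data, and only for the retention period."""

    def __init__(self, retention_days: int = 90) -> None:
        self.retention = timedelta(days=retention_days)
        self._people: Dict[str, Participant] = {}

    def record_consent(self, pid: str, categories: List[str], on: date) -> None:
        """Register a signed consent form. Extending the study to a new category
        (e.g. adding 'gender' later) means a new form and a new call here."""
        p = self._people.setdefault(pid, Participant(pid))
        p.consented.update(categories)
        p.consented_on = on

    def collect(self, pid: str, category: str, value: str) -> None:
        """Store one field; refuses categories outside the consent (purpose limitation)."""
        p = self._people.get(pid)
        if p is None or category not in p.consented:
            raise ConsentError(f"no consent for {category!r} from {pid!r}: obtain an additional consent form")
        p.data[category] = value

    def access_request(self, pid: str) -> Optional[dict]:
        """Right of access: everything held about the participant, or None if nothing is held."""
        p = self._people.get(pid)
        if p is None:
            return None
        return {"consented": sorted(p.consented), "consented_on": p.consented_on, "data": dict(p.data)}

    def rectify(self, pid: str, category: str, value: str) -> bool:
        """Right to rectification: correct a field that is already held."""
        p = self._people.get(pid)
        if p is None or category not in p.data:
            return False
        p.data[category] = value
        return True

    def erase(self, pid: str) -> bool:
        """Right to erasure / consent withdrawal: drop the whole record."""
        return self._people.pop(pid, None) is not None

    def purge_expired(self, today: date) -> List[str]:
        """Storage limitation: erase records whose retention period has run out."""
        expired = [pid for pid, p in self._people.items()
                   if p.consented_on is None or today - p.consented_on > self.retention]
        for pid in expired:
            del self._people[pid]
        return expired


def run_demo() -> dict:
    """Walk through the article's scenario with constructed participants and return the outcomes."""
    store = StudyStore(retention_days=90)
    store.record_consent("p001", ["name", "age"], date(2024, 1, 8))
    store.collect("p001", "name", "Ada")
    try:                                   # study extended to gender without a new form
        store.collect("p001", "gender", "female")
        blocked = False
    except ConsentError:
        blocked = True
    store.record_consent("p001", ["gender"], date(2024, 1, 15))   # additional consent form
    store.collect("p001", "gender", "female")
    store.record_consent("p002", ["name"], date(2024, 1, 8))
    return {
        "blocked_without_consent": blocked,
        "access": store.access_request("p001")["data"],
        "rectified": store.rectify("p001", "name", "Ada L."),
        "rectify_unknown_field": store.rectify("p001", "age", "36"),
        "purged": store.purge_expired(date(2024, 4, 10)),    # p002 is 93 days old, p001 86
        "erased": store.erase("p001"),
        "after_erase": store.access_request("p001"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the store, not the researcher's memory, refuses a field that no signed form covers, and that retention and erasure are one-line operations rather than a search through shared spreadsheets. A real study would persist the records and log each consent form and each access, rectification or erasure request as evidence for the accountability principle.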
8. How can UX researchers ensure facial recognition privacy?
Face images and videos are personal data, and when they are processed to identify someone they become biometric data, which GDPR treats as a special category with stricter rules. This means that if UX researchers want to video-record user tests and share these videos with customers, they must comply with GDPR.
The thing is that face images are particularly prone to misuse. Anyone who gets access to them can match the faces against other data sets to identify and track the person, or use them to attack face-based authentication. If you decide to store face images, you should limit who can access them and reduce the risks of misuse, unauthorised tracking, and identity theft.
What anonymisation methods do companies use?
- Face blurring or pixelation
- Face swapping
- Quality reduction
All these techniques have one significant drawback: they dramatically affect the visual similarity of the face image, which matters when the test video is meant to show the participant's reactions. If UX researchers don't want to sacrifice image quality, they can use software similar to D-ID™, which protects face images while preserving visual similarity. Whichever method you choose, apply it before the recording is shared, and treat weak blurring as reversible rather than as anonymisation.
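To make the pixelation method concrete, here is an added example, written for this article and not taken from the page, from D-ID or from any other tool. It works on a grayscale image represented as a list of rows and assumes the face bounding box has already been found by a separate face detector; the image and box in the test are constructed inputs.

```python
"""Pixelate a face region before a test recording is shared.

Added example (not from the article). An image is a list of rows of grayscale
values 0-255. The face box is assumed to come from a face detector that is out
of scope here and is passed in by hand.
"""
from typing import List, Tuple

Image = List[List[int]]
Box = Tuple[int, int, int, int]   # x, y, width, height


def pixelate_region(img: Image, box: Box, block: int = 8) -> Image:
    """Return a copy of img in which the box is replaced by block-wise averages.

    Every block x block cell inside the box is filled with its mean value, so
    fine facial detail is destroyed; pixels outside the box are left untouched.
    The box is clamped to the image so a detector box on the edge cannot crash it.
    """
    if block < 1:
        raise ValueError("block must be >= 1")
    height = len(img)
    width = len(img[0]) if height else 0
    x, y, w, h = box
    x0, y0 = max(x, 0), max(y, 0)
    x1, y1 = min(x + w, width), min(y + h, height)
    out = [row[:] for row in img]                     # never modify the original in place
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys = range(by, min(by + block, y1))
            xs = range(bx, min(bx + block, x1))
            cell = [img[r][c] for r in ys for c in xs]
            avg = sum(cell) // len(cell)
            for r in ys:
                for c in xs:
                    out[r][c] = avg
    return out


def region_detail(img: Image, box: Box) -> int:
    """Distinct grey levels inside the box: a crude check of how much detail survives."""
    x, y, w, h = box
    return len({img[r][c] for r in range(y, y + h) for c in range(x, x + w)})


def anonymise_frame(img: Image, faces: List[Box], block: int = 8) -> Image:
    """Pixelate every detected face in one frame of a recording."""
    for box in faces:
        img = pixelate_region(img, box, block)
    return img


if __name__ == "__main__":
    # Constructed 32x32 gradient standing in for a frame; one "face" at (8, 8) of size 16x16.
    frame = [[(r * 13 + c * 7) % 256 for c in range(32)] for r in range(32)]
    face = (8, 8, 16, 16)
    safe = anonymise_frame(frame, [face], block=8)
    print("detail before:", region_detail(frame, face), "after:", region_detail(safe, face))
```

Choose the block size relative to the face, not the frame: a 16-pixel face reduced to four cells is unrecognisable, while a 300-pixel face pixelated with 8-pixel blocks still shows the shape of the features and can be partially reversed by someone who already has a candidate photo. A solid box over the face is the safe default; any softer method is a trade-off that should be written into the consent form along with who will see the recording.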
9. Who can help UX researchers to ensure GDPR compliance?
Basically, UX researchers are not the only people in the organisation responsible for data collection and processing. The company needs to comply with GDPR at the highest management level and throughout the organisation. Managers of the company should put appropriate technical and organisational measures in place:
- Adopt and implement data protection policies on a corporate level
- Put written contracts in place with third-party organisations that process personal data on the company's behalf
- Maintain documentation of all data processing activities
- Implement appropriate technical security measures, such as access control and encryption of stored recordings and reports
- Record all personal data breaches and report the ones that put individuals at risk to the supervisory authority within 72 hours
- Review and update accountability measures on a regular basis.
GDPR is a big topic, and it may take you some time to research it. I hope this article will help you learn the basics, so you can start working on your UX research projects.