\n2. How do UX researchers leverage data processing?<\/span><\/a>
\n3. When do UX researchers need to obtain consent?<\/span><\/a>
\n4. How to write a data policy notice the right way?<\/span><\/a>
\n5. How can you prevent users from demanding to erase their data?<\/span><\/a>
\n6. How should UX researchers organise the data collection process?<\/span><\/a>
\n7. What other rights do test users have?<\/span><\/a>
\n8. How can UX researchers ensure facial recognition privacy?<\/span><\/a>
\n9. Who can help UX researchers to ensure GDPR compliance? <\/span><\/a><\/p>\n
<\/a>1. What is GDPR?<\/span><\/h2>\nGDPR stands for the <\/span>General Data Protection Regulation<\/span><\/a>. It\u2019s an EU regulation designed to <\/span>harmonise data privacy laws<\/span> across Europe. Its main function is to help users gain control over the way companies use their personal data.\u00a0The European Data Protection Regulation is applicable as of May 25th, 2018.<\/span><\/b><\/p>\n<\/a>1.1 What are the key principles of GDPR?<\/span><\/b><\/h3>\nThe GDPR sets out seven key principles:<\/span><\/p>\n1. Lawfulness, fairness, and transparency<\/b>
\nYou must inform users that you will collect their data and explain why you will do it.<\/span><\/p>\n2. Purpose limitation<\/b>
\n<\/span>You can\u2019t collect data just for the sake of it. You should do it for a specific purpose (e.g., improving customer service, enhancing user experience, running a marketing campaign).<\/span><\/p>\n3. Data minimisation
\n<\/b>You shouldn\u2019t collect any data that doesn\u2019t serve the purpose of data collection. Let\u2019s say you want to use users\u2019 first names to personalise your marketing emails. You can ask users to provide their first names, but you are not allowed to ask them to provide their family names.\u00a0<\/span><\/p>\n4. Accuracy
\n<\/b>You should delete any inaccurate data from your database.<\/span><\/p>\n5. Storage limitation<\/b>
\nYou are not allowed to store user data longer than it\u2019s actually needed.\u00a0<\/span><\/p>\n6. Integrity and confidentiality
\n<\/b>You can\u2019t collect and process user data if you are not able to secure these processes.<\/span><\/p>\n7. Accountability
\n<\/b>You need to adopt and implement data protection policies and put written contracts in place with organisations that process personal data on your behalf.<\/span><\/p>\n<\/a>1.2 What happens to the companies that do not comply with GDPR?<\/span><\/b><\/h3>\nFailure to comply with these seven principles leads to fines of \u20ac 20 million, or 4% of the company\u2019s worldwide annual turnover, whichever is higher.\u00a0<\/span>Do you doubt that these fines are a real thing? Check the list of the biggest GDPR fines and the reasons for these fines:<\/span><\/p>\nGoogle<\/strong> \u2013 \u20ac 50 million. The tech giant didn\u2019t provide sufficient information to users in consent policies.
\n<\/span><\/p>\nH&M<\/strong> \u2013 \u20ac 35 million. The company processed sensitive data about its employees\u2019 health and beliefs without having a specific purpose.
\n<\/span><\/p>\nTIM<\/strong> (Telecom Italia) \u2013 \u20ac 27.8 million. The company was penalised for bombarding millions of individuals with promotional calls and unsolicited communications.
\n<\/span><\/p>\nBritish Airways<\/strong> \u2013 \u20ac 22 million. Hackers attacked user databases and got their hands on login details, payment card information, and other sensitive data. The breach affected 400,000 customers.
\n<\/span><\/p>\nMarriott<\/strong> \u2013 \u20ac 20.4 million. The hotel chain\u2019s guest reservation database wasn\u2019t secure enough. Eighty-three million guest records (30 million EU residents) were exposed after the database was compromised.<\/span><\/p>\n<\/a>1.3 How does GDPR define the term \u2018personal data\u2018?<\/span><\/b><\/h3>\nProbably one of the most confusing parts of GDPR is a vague description of the term \u2018personal data\u2018. GDPR defines personal data as \u2018any piece of information that relates to an identifiable person\u2018. No wonder that many UX researchers don\u2019t understand what kind of information they can and can\u2019t collect without a user\u2019s consent.<\/span><\/p>\nSo what types of data does GDPR apply to?<\/span><\/p>\n\n- Name<\/span><\/li>\n
- Email<\/span><\/li>\n
- Phone number<\/span><\/li>\n
- An identification number<\/span><\/li>\n
- Location data<\/span><\/li>\n
- Internet protocol (IP) addresses<\/span><\/li>\n
- Cookie identifiers<\/span><\/li>\n
- Frequency Identification (RFID) tags<\/span><\/li>\n
- Browser type and version<\/span><\/li>\n
- Operating system<\/span><\/li>\n
- Referral source<\/span><\/li>\n
- Length of visit<\/span><\/li>\n
- Page views\u00a0<\/span><\/li>\n
- Website navigation paths<\/span><\/li>\n
- Type of software<\/span><\/li>\n
- Users\u2019 digital fingerprint<\/span><\/li>\n
- Face images and videos<\/span><\/li>\n
- Medical history<\/span><\/li>\n
- Criminal records<\/span><\/li>\n
- Bank statements<\/span><\/li>\n
- Payment data<\/span><\/li>\n
- Credit card data<\/span><\/li>\n
- Employment evaluation<\/span><\/li>\n<\/ul>\n
This list can go further. Basically, any textual, video, audio, numerical, graphical, and photographic data\u00a0that somehow relates to the users should be considered as personal data.<\/span><\/p>\n<\/a>2. How do UX researchers leverage data processing?<\/span><\/h2>\nSome UX researchers are not fully aware of how often they \u2018process\u2018 user data. Data processing occurs every time you save the user\u2019s data to a spreadsheet, send a thank-you email to a test user, or share the test result report with your client. The more often you process sensitive data, the higher the chances of a data breach or another data-related issue.<\/span><\/b><\/p>\n<\/a>3. When do UX researchers need to obtain consent?<\/span><\/h2>\nUX researchers can\u2019t start collecting any personal data before they get the declaration of consent. There are no exceptions to this rule.\u00a0<\/span>If you have already collected some data and now need to collect some missing personal data, they need to obtain an additional declaration of consent from the test user.\u00a0<\/span><\/p>\nLet\u2019s say you\u2019ve run a test with 100 participants. You know the names and ages of these users. Now you want to extend your study and get to know the gender of your participants. You should create an additional consent form and ask test users to sign it.<\/span><\/p>\nIf you are going to <\/span>record or observe test users<\/span><\/a>, you should specify that in informed consent. You should explain who will watch the record and for what purpose. Also, you should mention whether test users will be observed in real time.\u00a0\u00a0<\/span><\/p>\nYou should be aware that if you ignore this rule, the consequences will be dramatic. If you fail to comply with GDPR, you will likely be fined.<\/span><\/b><\/p>\n<\/a>3.1 TestingTime\u2019s feature: document to be signed<\/span><\/b><\/h3>\nWith TestingTime you can have documents signed by your test users before the study. Let\u2019s say, a non-disclosure agreement, or a consent to record the test. You can do this very easily and completely digitally through their <\/span>online order form<\/span><\/a>. Simply activate the option \u201cDocument to be signed\u201d in the \u201cAdd-ons\u201d section. This will allow you to upload a document of your choice.<\/span><\/p>\nTestingTime will subsequently integrate the document to be signed directly into their recruitment process. Every document will be legally signed, including the date, the full name of the test user and their electronic signature. You will have access to all signed documents in your order overview before commencing the test.<\/span>
\n<\/span><\/b><\/p>\n![\"TestingTime](\"https:\/\/www.testingtime.com\/app\/uploads\/2021\/06\/TestingTime-NDA-neutral-EN.png\")
Source: TestingTime<\/a><\/p><\/div>\nA GDPR-compliant template for an NDA can be found\u00a0here<\/a>. It is advisable to clarify with your internal or an external legal team what to do in case of doubt.<\/p>\n<\/a>3.2 When is consent valid?<\/span><\/b><\/h3>\nThe trickiest part of GDPR compliance is that UX researchers should not only <\/span>obtain consent <\/span><\/i>and also make sure that it\u2019s <\/span>valid<\/span><\/i>. Here is a list of conditions that proves the validity of the test user consent:<\/span><\/p>\nThe consent<\/p>\n
\n- is freely given. You are not allowed to force users to consent.<\/span><\/li>\n
- is specific and designed for a particular purpose.<\/span><\/li>\n
- provides test users with sufficient information for decision-making.<\/span><\/li>\n
- is free from any ambiguous statements.<\/span><\/li>\n
- is an <\/span>act<\/span><\/i>. Users need not just read the information, but check the box and click the \u2018submit\u2018 or \u2018agree\u2018 button.<\/span><\/li>\n
- is distinguishable from other matters.<\/span><\/li>\n
- request is written in clear and plain language.<\/span><\/li>\n
- isn\u2019t presented as a precondition of a service<\/span>
\n<\/b><\/b><\/li>\n<\/ul>\n<\/a>4. How to write a data policy notice the right way?<\/span><\/h2>\nWriting a data policy notice is the first step to GDPR compliance. Here is a list of rules you should follow to create a winning data policy notice.<\/span><\/p>\n\n- Include the name of your organisation and the names of third parties that will have access to personal data.<\/span><\/span><\/span><\/li>\n
- Be clear about intention. Test users should have a clear understanding of what specific data will be collected and for what purpose. If you are going to record video or audio<\/a> of the testing process, you should inform users upfront. If you don\u2019t do it, you will put your UX research at risk.<\/span><\/span><\/span><\/li>\n
- Remember that the vast majority of European users are not native English speakers. You should write everything in plain language and avoid using words that your target audience may not understand. Do you need help with writing texts for a global audience? If so, you can <\/span>order website content writing<\/span><\/a> and ask experts to write a data policy notice on your behalf.<\/span><\/span><\/span><\/li>\n
- Draw users\u2019 attention to the fact that they have the right to object to processing their data and demand to erase it from the database without undue delay.<\/span><\/span><\/span><\/li>\n
- Don\u2019t try to manipulate users\u2019 decisions. Instead, provide them with all necessary data and let them decide whether they should share their personal data.<\/span><\/li>\n<\/ul>\n
<\/a>5. How can you prevent users from demanding to erase their data?<\/span><\/h2>\nAccording to GDPR, you should write in your privacy policy that people can withdraw their consent at any time. And that\u2019s another point where UX researchers can face a challenge.\u00a0<\/span><\/p>\nIf test users use their right to withdraw the consent, researchers will lose part of the collected data. Naturally, it may negatively affect the results of the testing.\u00a0<\/span><\/p>\nWhat can UX researchers do to protect the results of their work while maintaining GDPR compliance? They can add such a clause to their privacy policy:<\/span><\/p>\nIf our <\/span><\/i>X organisation<\/i><\/b> bases the processing of your personal data on a balancing of interests, you can object to the processing. This is the case in particular if the processing is not necessary for the purpose of fulfilling a contract with you, which is set out by <\/span><\/i>X\u00a0<\/i><\/b>organisation<\/b>\u00a0in each case in the description of functions below. <\/span><\/i>
<\/a>1.1 What are the key principles of GDPR?<\/span><\/b><\/h3>\nThe GDPR sets out seven key principles:<\/span><\/p>\n1. Lawfulness, fairness, and transparency<\/b>
\nYou must inform users that you will collect their data and explain why you will do it.<\/span><\/p>\n2. Purpose limitation<\/b>
\n<\/span>You can\u2019t collect data just for the sake of it. You should do it for a specific purpose (e.g., improving customer service, enhancing user experience, running a marketing campaign).<\/span><\/p>\n3. Data minimisation
\n<\/b>You shouldn\u2019t collect any data that doesn\u2019t serve the purpose of data collection. Let\u2019s say you want to use users\u2019 first names to personalise your marketing emails. You can ask users to provide their first names, but you are not allowed to ask them to provide their family names.\u00a0<\/span><\/p>\n4. Accuracy
\n<\/b>You should delete any inaccurate data from your database.<\/span><\/p>\n5. Storage limitation<\/b>
\nYou are not allowed to store user data longer than it\u2019s actually needed.\u00a0<\/span><\/p>\n6. Integrity and confidentiality
\n<\/b>You can\u2019t collect and process user data if you are not able to secure these processes.<\/span><\/p>\n7. Accountability
\n<\/b>You need to adopt and implement data protection policies and put written contracts in place with organisations that process personal data on your behalf.<\/span><\/p>\n<\/a>1.2 What happens to the companies that do not comply with GDPR?<\/span><\/b><\/h3>\nFailure to comply with these seven principles leads to fines of \u20ac 20 million, or 4% of the company\u2019s worldwide annual turnover, whichever is higher.\u00a0<\/span>Do you doubt that these fines are a real thing? Check the list of the biggest GDPR fines and the reasons for these fines:<\/span><\/p>\nGoogle<\/strong> \u2013 \u20ac 50 million. The tech giant didn\u2019t provide sufficient information to users in consent policies.
\n<\/span><\/p>\nH&M<\/strong> \u2013 \u20ac 35 million. The company processed sensitive data about its employees\u2019 health and beliefs without having a specific purpose.
\n<\/span><\/p>\nTIM<\/strong> (Telecom Italia) \u2013 \u20ac 27.8 million. The company was penalised for bombarding millions of individuals with promotional calls and unsolicited communications.
\n<\/span><\/p>\nBritish Airways<\/strong> \u2013 \u20ac 22 million. Hackers attacked user databases and got their hands on login details, payment card information, and other sensitive data. The breach affected 400,000 customers.
\n<\/span><\/p>\nMarriott<\/strong> \u2013 \u20ac 20.4 million. The hotel chain\u2019s guest reservation database wasn\u2019t secure enough. Eighty-three million guest records (30 million EU residents) were exposed after the database was compromised.<\/span><\/p>\n<\/a>1.3 How does GDPR define the term \u2018personal data\u2018?<\/span><\/b><\/h3>\nProbably one of the most confusing parts of GDPR is a vague description of the term \u2018personal data\u2018. GDPR defines personal data as \u2018any piece of information that relates to an identifiable person\u2018. No wonder that many UX researchers don\u2019t understand what kind of information they can and can\u2019t collect without a user\u2019s consent.<\/span><\/p>\nSo what types of data does GDPR apply to?<\/span><\/p>\n\n- Name<\/span><\/li>\n
- Email<\/span><\/li>\n
- Phone number<\/span><\/li>\n
- An identification number<\/span><\/li>\n
- Location data<\/span><\/li>\n
- Internet protocol (IP) addresses<\/span><\/li>\n
- Cookie identifiers<\/span><\/li>\n
- Frequency Identification (RFID) tags<\/span><\/li>\n
- Browser type and version<\/span><\/li>\n
- Operating system<\/span><\/li>\n
- Referral source<\/span><\/li>\n
- Length of visit<\/span><\/li>\n
- Page views\u00a0<\/span><\/li>\n
- Website navigation paths<\/span><\/li>\n
- Type of software<\/span><\/li>\n
- Users\u2019 digital fingerprint<\/span><\/li>\n
- Face images and videos<\/span><\/li>\n
- Medical history<\/span><\/li>\n
- Criminal records<\/span><\/li>\n
- Bank statements<\/span><\/li>\n
- Payment data<\/span><\/li>\n
- Credit card data<\/span><\/li>\n
- Employment evaluation<\/span><\/li>\n<\/ul>\n
This list can go further. Basically, any textual, video, audio, numerical, graphical, and photographic data\u00a0that somehow relates to the users should be considered as personal data.<\/span><\/p>\n<\/a>2. How do UX researchers leverage data processing?<\/span><\/h2>\nSome UX researchers are not fully aware of how often they \u2018process\u2018 user data. Data processing occurs every time you save the user\u2019s data to a spreadsheet, send a thank-you email to a test user, or share the test result report with your client. The more often you process sensitive data, the higher the chances of a data breach or another data-related issue.<\/span><\/b><\/p>\n<\/a>3. When do UX researchers need to obtain consent?<\/span><\/h2>\nUX researchers can\u2019t start collecting any personal data before they get the declaration of consent. There are no exceptions to this rule.\u00a0<\/span>If you have already collected some data and now need to collect some missing personal data, they need to obtain an additional declaration of consent from the test user.\u00a0<\/span><\/p>\nLet\u2019s say you\u2019ve run a test with 100 participants. You know the names and ages of these users. Now you want to extend your study and get to know the gender of your participants. You should create an additional consent form and ask test users to sign it.<\/span><\/p>\nIf you are going to <\/span>record or observe test users<\/span><\/a>, you should specify that in informed consent. You should explain who will watch the record and for what purpose. Also, you should mention whether test users will be observed in real time.\u00a0\u00a0<\/span><\/p>\nYou should be aware that if you ignore this rule, the consequences will be dramatic. If you fail to comply with GDPR, you will likely be fined.<\/span><\/b><\/p>\n<\/a>3.1 TestingTime\u2019s feature: document to be signed<\/span><\/b><\/h3>\nWith TestingTime you can have documents signed by your test users before the study. Let\u2019s say, a non-disclosure agreement, or a consent to record the test. You can do this very easily and completely digitally through their <\/span>online order form<\/span><\/a>. Simply activate the option \u201cDocument to be signed\u201d in the \u201cAdd-ons\u201d section. This will allow you to upload a document of your choice.<\/span><\/p>\nTestingTime will subsequently integrate the document to be signed directly into their recruitment process. Every document will be legally signed, including the date, the full name of the test user and their electronic signature. You will have access to all signed documents in your order overview before commencing the test.<\/span>
\n<\/span><\/b><\/p>\nSource: TestingTime<\/a><\/p><\/div>\nA GDPR-compliant template for an NDA can be found\u00a0here<\/a>. It is advisable to clarify with your internal or an external legal team what to do in case of doubt.<\/p>\n<\/a>3.2 When is consent valid?<\/span><\/b><\/h3>\nThe trickiest part of GDPR compliance is that UX researchers should not only <\/span>obtain consent <\/span><\/i>and also make sure that it\u2019s <\/span>valid<\/span><\/i>. Here is a list of conditions that proves the validity of the test user consent:<\/span><\/p>\nThe consent<\/p>\n
\n- is freely given. You are not allowed to force users to consent.<\/span><\/li>\n
- is specific and designed for a particular purpose.<\/span><\/li>\n
- provides test users with sufficient information for decision-making.<\/span><\/li>\n
- is free from any ambiguous statements.<\/span><\/li>\n
- is an <\/span>act<\/span><\/i>. Users need not just read the information, but check the box and click the \u2018submit\u2018 or \u2018agree\u2018 button.<\/span><\/li>\n
- is distinguishable from other matters.<\/span><\/li>\n
- request is written in clear and plain language.<\/span><\/li>\n
- isn\u2019t presented as a precondition of a service<\/span>
\n<\/b><\/b><\/li>\n<\/ul>\n<\/a>4. How to write a data policy notice the right way?<\/span><\/h2>\nWriting a data policy notice is the first step to GDPR compliance. Here is a list of rules you should follow to create a winning data policy notice.<\/span><\/p>\n\n- Include the name of your organisation and the names of third parties that will have access to personal data.<\/span><\/span><\/span><\/li>\n
- Be clear about intention. Test users should have a clear understanding of what specific data will be collected and for what purpose. If you are going to record video or audio<\/a> of the testing process, you should inform users upfront. If you don\u2019t do it, you will put your UX research at risk.<\/span><\/span><\/span><\/li>\n
- Remember that the vast majority of European users are not native English speakers. You should write everything in plain language and avoid using words that your target audience may not understand. Do you need help with writing texts for a global audience? If so, you can <\/span>order website content writing<\/span><\/a> and ask experts to write a data policy notice on your behalf.<\/span><\/span><\/span><\/li>\n
- Draw users\u2019 attention to the fact that they have the right to object to processing their data and demand to erase it from the database without undue delay.<\/span><\/span><\/span><\/li>\n
- Don\u2019t try to manipulate users\u2019 decisions. Instead, provide them with all necessary data and let them decide whether they should share their personal data.<\/span><\/li>\n<\/ul>\n
<\/a>5. How can you prevent users from demanding to erase their data?<\/span><\/h2>\nAccording to GDPR, you should write in your privacy policy that people can withdraw their consent at any time. And that\u2019s another point where UX researchers can face a challenge.\u00a0<\/span><\/p>\nIf test users use their right to withdraw the consent, researchers will lose part of the collected data. Naturally, it may negatively affect the results of the testing.\u00a0<\/span><\/p>\nWhat can UX researchers do to protect the results of their work while maintaining GDPR compliance? They can add such a clause to their privacy policy:<\/span><\/p>\nIf our <\/span><\/i>X organisation<\/i><\/b> bases the processing of your personal data on a balancing of interests, you can object to the processing. This is the case in particular if the processing is not necessary for the purpose of fulfilling a contract with you, which is set out by <\/span><\/i>X\u00a0<\/i><\/b>organisation<\/b>\u00a0in each case in the description of functions below. <\/span><\/i>
1. Lawfulness, fairness, and transparency<\/b> 2. Purpose limitation<\/b> 3. Data minimisation 4. Accuracy 5. Storage limitation<\/b> 6. Integrity and confidentiality 7. Accountability Failure to comply with these seven principles leads to fines of \u20ac 20 million, or 4% of the company\u2019s worldwide annual turnover, whichever is higher.\u00a0<\/span>Do you doubt that these fines are a real thing? Check the list of the biggest GDPR fines and the reasons for these fines:<\/span><\/p>\n Google<\/strong> \u2013 \u20ac 50 million. The tech giant didn\u2019t provide sufficient information to users in consent policies. H&M<\/strong> \u2013 \u20ac 35 million. The company processed sensitive data about its employees\u2019 health and beliefs without having a specific purpose. TIM<\/strong> (Telecom Italia) \u2013 \u20ac 27.8 million. The company was penalised for bombarding millions of individuals with promotional calls and unsolicited communications. British Airways<\/strong> \u2013 \u20ac 22 million. Hackers attacked user databases and got their hands on login details, payment card information, and other sensitive data. The breach affected 400,000 customers. Marriott<\/strong> \u2013 \u20ac 20.4 million. The hotel chain\u2019s guest reservation database wasn\u2019t secure enough. Eighty-three million guest records (30 million EU residents) were exposed after the database was compromised.<\/span><\/p>\n Probably one of the most confusing parts of GDPR is a vague description of the term \u2018personal data\u2018. GDPR defines personal data as \u2018any piece of information that relates to an identifiable person\u2018. No wonder that many UX researchers don\u2019t understand what kind of information they can and can\u2019t collect without a user\u2019s consent.<\/span><\/p>\n So what types of data does GDPR apply to?<\/span><\/p>\n This list can go further. Basically, any textual, video, audio, numerical, graphical, and photographic data\u00a0that somehow relates to the users should be considered as personal data.<\/span><\/p>\n Some UX researchers are not fully aware of how often they \u2018process\u2018 user data. Data processing occurs every time you save the user\u2019s data to a spreadsheet, send a thank-you email to a test user, or share the test result report with your client. The more often you process sensitive data, the higher the chances of a data breach or another data-related issue.<\/span><\/b><\/p>\n UX researchers can\u2019t start collecting any personal data before they get the declaration of consent. There are no exceptions to this rule.\u00a0<\/span>If you have already collected some data and now need to collect some missing personal data, they need to obtain an additional declaration of consent from the test user.\u00a0<\/span><\/p>\n Let\u2019s say you\u2019ve run a test with 100 participants. You know the names and ages of these users. Now you want to extend your study and get to know the gender of your participants. You should create an additional consent form and ask test users to sign it.<\/span><\/p>\n If you are going to <\/span>record or observe test users<\/span><\/a>, you should specify that in informed consent. You should explain who will watch the record and for what purpose. Also, you should mention whether test users will be observed in real time.\u00a0\u00a0<\/span><\/p>\n You should be aware that if you ignore this rule, the consequences will be dramatic. If you fail to comply with GDPR, you will likely be fined.<\/span><\/b><\/p>\n With TestingTime you can have documents signed by your test users before the study. Let\u2019s say, a non-disclosure agreement, or a consent to record the test. You can do this very easily and completely digitally through their <\/span>online order form<\/span><\/a>. Simply activate the option \u201cDocument to be signed\u201d in the \u201cAdd-ons\u201d section. This will allow you to upload a document of your choice.<\/span><\/p>\n TestingTime will subsequently integrate the document to be signed directly into their recruitment process. Every document will be legally signed, including the date, the full name of the test user and their electronic signature. You will have access to all signed documents in your order overview before commencing the test.<\/span> Source: TestingTime<\/a><\/p><\/div>\n A GDPR-compliant template for an NDA can be found\u00a0here<\/a>. It is advisable to clarify with your internal or an external legal team what to do in case of doubt.<\/p>\n The trickiest part of GDPR compliance is that UX researchers should not only <\/span>obtain consent <\/span><\/i>and also make sure that it\u2019s <\/span>valid<\/span><\/i>. Here is a list of conditions that proves the validity of the test user consent:<\/span><\/p>\n The consent<\/p>\n Writing a data policy notice is the first step to GDPR compliance. Here is a list of rules you should follow to create a winning data policy notice.<\/span><\/p>\n According to GDPR, you should write in your privacy policy that people can withdraw their consent at any time. And that\u2019s another point where UX researchers can face a challenge.\u00a0<\/span><\/p>\n If test users use their right to withdraw the consent, researchers will lose part of the collected data. Naturally, it may negatively affect the results of the testing.\u00a0<\/span><\/p>\n What can UX researchers do to protect the results of their work while maintaining GDPR compliance? They can add such a clause to their privacy policy:<\/span><\/p>\n If our <\/span><\/i>X organisation<\/i><\/b> bases the processing of your personal data on a balancing of interests, you can object to the processing. This is the case in particular if the processing is not necessary for the purpose of fulfilling a contract with you, which is set out by <\/span><\/i>X\u00a0<\/i><\/b>organisation<\/b>\u00a0in each case in the description of functions below. <\/span><\/i>
\nYou must inform users that you will collect their data and explain why you will do it.<\/span><\/p>\n
\n<\/span>You can\u2019t collect data just for the sake of it. You should do it for a specific purpose (e.g., improving customer service, enhancing user experience, running a marketing campaign).<\/span><\/p>\n
\n<\/b>You shouldn\u2019t collect any data that doesn\u2019t serve the purpose of data collection. Let\u2019s say you want to use users\u2019 first names to personalise your marketing emails. You can ask users to provide their first names, but you are not allowed to ask them to provide their family names.\u00a0<\/span><\/p>\n
\n<\/b>You should delete any inaccurate data from your database.<\/span><\/p>\n
\nYou are not allowed to store user data longer than it\u2019s actually needed.\u00a0<\/span><\/p>\n
\n<\/b>You can\u2019t collect and process user data if you are not able to secure these processes.<\/span><\/p>\n
\n<\/b>You need to adopt and implement data protection policies and put written contracts in place with organisations that process personal data on your behalf.<\/span><\/p>\n<\/a>1.2 What happens to the companies that do not comply with GDPR?<\/span><\/b><\/h3>\n
\n<\/span><\/p>\n
\n<\/span><\/p>\n
\n<\/span><\/p>\n
\n<\/span><\/p>\n<\/a>1.3 How does GDPR define the term \u2018personal data\u2018?<\/span><\/b><\/h3>\n
\n
<\/a>2. How do UX researchers leverage data processing?<\/span><\/h2>\n
<\/a>3. When do UX researchers need to obtain consent?<\/span><\/h2>\n
<\/a>3.1 TestingTime\u2019s feature: document to be signed<\/span><\/b><\/h3>\n
\n<\/span><\/b><\/p>\n<\/a>3.2 When is consent valid?<\/span><\/b><\/h3>\n
\n
\n<\/b><\/b><\/li>\n<\/ul>\n<\/a>4. How to write a data policy notice the right way?<\/span><\/h2>\n
\n
<\/a>5. How can you prevent users from demanding to erase their data?<\/span><\/h2>\n