Balancing Business Models with GDPR
GDPR Compliance by 25 May 2018
In the months leading up to the General Data Protection Regulation, the tech industry was sweating.
The new regulation would mean more power to the people. Control over our own information. Finally!
But the big question everyone was asking themselves; how do we comply with GDPR when your business model is dependant on user consents?
Timeline: February - May 2018
Role: UX Designer
Team: 2 UX Researchers, 1 UX Designer (me), Tech Lead, Developer and Product Manager, 1 Lawyer, and 1 Copywriter
Disclaimer: I’m not a lawyer and this is by no means an example of GDPR compliance. This is a white label case study, meaning details and visuals are not disclosed. Contact me for more details.
Discovery
Everyone that worked on GDPR read through the 48.000-word document. Written by lawyers for lawyers. A painful experience to say the least.
The regulation document states what, but not how. That means everything is up for interpretation. Everyone is going to have their own opinion. There’s no real right or wrong answer.
During the months leading up to the GDPR implementation deadline, we set out to source all the information we could find. Only a few businesses with enough resources was able to do prominent testing and form a solid conclusion of how to comply with GDPR (or in retrospect, balance GDPR with existing business models.)
Unable to comply would mean a fine up to 10 million euros and the end of the business and hundreds of jobs.
Initial Version
Based on what we knew from reading through the GDPR regulation document, we set out to implement our initial prototype. It is serious business, so until we knew more, we implement our “safest” interpretation.
We went for an onboarding type of experience where we taught what GDPR meant for the user. Our reasoning was that we should do the safest possible solution to ensure 100% compliance with GDPR.
Guerilla testing was conducted on the streets using our design prototypes using InVision. Our goal was to understand peoples first reaction and if this was something they would like.
To our surprise, a vast majority didn’t like this at all. It interrupted their intent and they weren’t looking to get a lesson about GDPR. Too tedious and long.
First Iteration
Using the insight from our guerilla testing lead us to a more simplified version. We still needed consent from users in order to do business. And we still needed to comply with GDPR.
This time we tested it live with 2000 users to gather new insight.
A true aha moment. Less than 20% continued through the onboarding process (not even counting the consents.) This would mean the end of the business.
Second Iteration
The insight we gained from our first ideation led us to completely re-think our approach. How do we actually interpret the new regulation? By now word had spread that “everyone is moving towards a grey zone.” Which meant an informative notification with the option to give consent or to learn more about it.
We tested our completely new approach and got a much better (in terms of business) result.
The biggest question now was; are we compliance?
Unexpected Obstacle
On top of our uncertainty, it was made clear that Google is part of The Coalition for Better Ads. SEO is the main traffic source and potentially hurting our stance with Google would be devastating.
The Coalition for Better Ads states that sticky bars could not exceed 30% of the screen real estate. Beyond that Google could punish your ranking or worse, as rumored in near future, Chrome would warn of usage (similar so SSL.)
This meant we had to create the same experience with fewer words and visuals. A challenge for our lawyers and copywriters.
GDPR Notice
We ended up with a solution to notify the user about the new GDPR regulation and give an option to consent or access settings. Settings we’re basically the onboarding experience, with an option to regulate what data you’d want to share.
At this point, I stopped working on the project and a variation of this was implemented live.
Post-mortem
25th of May 2018 ended up as “privacy awareness day”. The whole point of the regulation is so that companies such as Facebook and Google would not spin out of control. A good thing. As well as getting rid of the malicious sharing of personal data.
However, many businesses rely on consents, otherwise, it would mean the end. Until they change their business model there will be a grey area.
We need GDPR to remind us of our privacy. The general consensus is that doing something is better than doing nothing. Unless you’re big and profit hugely on “selling” data.