Collecting and processing information on users and their behaviour is how we make informed decisions. The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. At Ostmodern, we value keeping our users safe and clients compliant, so understanding what GDPR is and how to effectively apply it in our work is critical.
User research is a fundamental part of our product design process here at Ostmodern. Understanding who users are and their motivations, or pain points, is a key part of designing any service.
We engage with existing and potential service users in a multitude of ways - testing prototypes for future products, gathering insights to optimise existing services, or understanding an industry landscape to launch a new service. We talk to users from all over the world, which means we are handling lots of user data (information that we gather during research) on behalf of our clients, and we need to ensure that we are sensitive in how we do this.
GDPR is a European Union (EU) regulation on information privacy. Although the UK is no longer part of the EU, the Data Protection Act (DPA) 2018, which governs the UK, is based on this regulation. There are many different data protection laws across the world. GDPR is the strictest, so it’s a good benchmark for our practice.
Guidelines can be a little dry, so we wanted to pull out some of the key takeaways, to illustrate how we ensure we are protecting users’ data in our work.
1. What is ‘personal data’?
GDPR defines personal data as all information that can be used to identify a person. A person is also known as a ‘data subject’.
A data subject can be identified, directly or indirectly, by reference to key pieces of data such as a name, contact number, address, social media handle or account. Combinations of data that identify a person are also considered personal data, such as cultural or social identity, economic background, job title, location etc.
We are highly likely to handle lots of personal data points about users in our research, so we need to know the rules.
2. Who owns data? Who can collect it?
The ‘owner’ of the personal data is always the individual: the participant in user testing. GDPR was introduced to ensure that individuals have control and ownership of their data once it’s shared, and they retain the right to retract or edit it, as they see fit.
GDPR defines a data ‘controller’ as the person or representative (public authority, agency or other body) who jointly determines which pieces of data should be collected, and how they will be processed. The ‘controller’ makes decisions about how and why personal data should be stored, used, and shared.
When gathering insights, an agency and a client can be joint ‘controllers’ of user data, as they are both involved in the decision-making process surrounding data collection and processing.
3. How should consent be recorded?
In order to verify consent given by the owner of personal data (participants in user testing), there must be a record of the consent received from participants, to demonstrate when and how it happened. This is an important protection for all parties.
Key things to capture when gathering consent are:
- Who consented?
- When did they consent?
- What information was given when consent was given?
- How did they consent?
4. How long can we store personal data?
There is no maximum time limit for storing users’ personal data. However, it is highly advised to store it only for as long as is necessary for the project.
If personal data is aggregated and anonymised, and cannot be directly or indirectly traced back to an individual, it is no longer considered ‘personal data’, and can be stored for as long as needed.
A good example of this is when we use personal data to create research tools that inform product strategy and design, such as user archetypes, personas or mindsets. Once data is consolidated and changed in this way, individual users are no longer traceable, so this is considered OK to keep for longer.
Minimising the personal data we store about users is good practice for data hygiene and efficiency. Some data is only valuable within a specific context and when it’s reviewed in isolation, it doesn’t always make sense.
5. Do users have control over the data we hold?
Under GDPR, data ‘owners’ have the ‘right to erasure’, also known as the ‘right to be forgotten’, which means they can request to have their personal data deleted or edited at any time.
However, under GDPR, when data is anonymised and can’t be traced back to an individual, the ‘data owner’ loses jurisdiction over it.
This article shows how we apply GDPR when handling user data and conducting research. We cannot design services well without an understanding of how products will be used and their significance to users. Gathering real-life data from users helps us to make good choices. Ostmodern has lots of experience stimulating valuable insights from users, which have proved invaluable for clients when making informed decisions about their digital services.