GDPR is a Design Challenge
“The truth is, no-one in the universe has ever read the terms and conditions. Not even God has read the terms and conditions. Anything could be on there and we’d agree to it!” When Eddie Izzard pointed this out on his 2011 standup tour, 21st century tech’s manifest of ‘the fine print’ wasn’t the same embodiment of public revolt as it is today. Sadly, this joke won’t work come tomorrow, as the EU’s General Data Protection Regulation (GDPR) finally comes into effect after two years of prep time. The amendment, among dozens of other things, will make hidden and incomprehensible terms of service a thing of the past.
No doubt your inbox has exploded with endless emails about privacy policies this week. This is the GDPR’s doing. Current privacy and data regulations were written in the mid 90s when IoT was still the stuff of sci-fi and the only cookies around had chocolate chips. Though the powers that be could never have known, the amendments to these outdated laws have come at a most opportune moment. Recent data breaches that concern elections both foreign and local, and underhandedness from the likes of Facebook and Google, have reinforced already present anxiety over contemporary tech. The weighty fines that will be slapped on any company that breaks the GDPR’s rules will hopefully start restoring the public’s trust in companies that need to collect data as a part of their service. These rules banish purposefully baffling legalese, insist on transparency, and make security a priority, and will change the way apps, devices and websites are built.
Security Becomes a Part of Design
The GDPR has effectively made privacy a mandatory design principle. Developers will have to consider privacy from conceptualization to rollout, and perhaps rethink functionalities that require user data. Currently, security is often just an afterthought, added in updates subsequent to release to make sure the launch date isn’t pushed back. Thinking about data can’t be carried out hastily post-production anymore, it must become a part of the design process.
Ideally this will lead to more IoT devices that require no personal data at all, or that can function without connecting to the cloud. We recently finished a project in which we designed a smart home device that requires no login details, and therefore no personal data, without compromising the ‘smart’ functionality of the device. The only information needed for the smart mode is its location — gained via GPRS — and there is even the option to opt out of that. The device can be controlled with an app or a physical button on the device itself, giving the user an option for functionality without any connection at all.
Bringing Information Forward
Collecting less data isn’t the only design challenge the GDPR will pose to studios like Colorfy. Companies have to communicate exactly what kind of data is going to be collected, plus many other important details that need to be concisely presented before asking the user for their consent. It doesn’t, however, give any indication of how developers and designers should do that.
Users now need to be able to scrutinize and handle their own data, a challenge that draws together user experience and business strategy. Take the set-up processes for IoT systems and apps, for instance. They’re already long and laborious, turning people off their devices and disinclining them to invest in more. Designers need to somehow abstract away the added complexity of the GDPR behind simple and attractive UI during the configuration.
Achieving clarity while avoiding daunting blocks of text and maintaining enjoyable UX might seem impossible at first, but there are many tools beyond the written word on a digital designer’s belt. The IoT industry could exploit the ability of its smart devices to make processes regarding data interactive. For example, home assistants could ask the user to answer questions out loud, turning the act into a conversation. Simpler devices could require a certain button to be pushed, and websites and apps could use sliders for advanced user control in a novel and coherent way.
Before data is entered, a justification will have to be given for each piece of information that’s asked of the user. The Information Commissioner’s Office (ICO) recommends layering information so as not to suffocate the user with endless reasoning. Cyber Duck, a London-based digital agency, was taken with ICO’s ‘just in time’ method of conveying information. In a blog post, they give a sneak peak of their forthcoming website update which will use this method to comply with the GDPR.
Cyber Duck’s use of colour and pop ups is extremely effective, but not the only way to go. Image hosting site 500px takes ‘plain English’ to heart in their minimal, attractive and a pleasure to read terms of service. They hold on to the (perhaps legally necessary) technicalities, but also provide succinct subtitles, all laid out calmly with a contemporary font and color palette and plenty of breathing space.
Unburying IoT Design
As so many IoT departments and tech companies now scramble to update their products and websites, the question of why this wasn’t already common practice is raised. In a rush to jump onto the fat and galloping IoT horse, companies have “stak[ed] out a claim in the area without further thought to security,” said John Cook, senior director of product management at Symantec, at the 2018 RSA Conference. Even those in the know have been inclined to forgo security in favour of lower costs and easier development. Furthermore, aside from the ethics of these practices, good UI and UX design should inherently be seamless and clear, anyway. As Katherine Schwab writes of buried terms and conditions on the Co.Design blog, “designers are partially complicit in this… Good design provides a tool that’s clear, easy and transparent”.
Alexandra Randall works at our Berlin office and can be reached via email here.