UX Bristol 2019 Lightning talk - Tips to develop a user-centred GDPR policy

Editor's Notes

1. Working with Ben Cubbon and Nic Price, who have done workshops at UX Bristol using this same framework, helped is realise how participants experience the research process. I also recently did a workshop with Jess Lewes, Business Development Director at PFR, where we used this framework to demonstrate how early in the process user needs come into play, but also how early you start collecting data about your users.
2. Define your audience with GDPR in mind – not just demographics and personas, but think: Are they your customers? Are you already collecting their data? Are they aware of this? Or are you going outside of your customer data to find other users? Define your legal grounds for processing – there are six legal grounds for processing, one of them being informed consent. If you’re not sure how to define this, the ICO has a checklist and online interactive tool that you can use - https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/ / Make sure you get it right the first time - you should not swap to a different lawful basis, especially if you’ve started this journey using consent as your basis. What data are you capturing? GDPR protects all identifiable data that can be linked to a living individual. During primary user research, it’s essential to list the information you need to capture. This is likely to include basic data like full name, contact details, postcode, etc. – but maybe special data as well, which includes information like health conditions, ethnicity or, specifically in the UK, criminal record. Informed consent doesn’t cover this data, so you need to get special consent to process these details everytime you ask about them. Define how you are storing and processing this data – this could include online forms, audio or visual recordings, offline paper forms – as well as how you share it and who can access it. 
3. Ensure your privacy policies are available Access to data has been agreed within your team Try to keep your data anonymised or pseudonymised when possible Using third party platforms to store or manage data or communicate with the users? Make sure they comply with GDPR or are members of the Privacy Shield.
4. Pseudonymise research notes and audio/video recordings, as well as anything else you may share with the end client/agency/other teams When conducting online surveys anonymise user data collection by not capturing personal details if not necessary, as well as IP, GeoLocation and switching off audience profiling analytics. For all research, always inform participants of your privacy policies or where they can access them.
5. Make sure data is safely stored and anonymised, where possible. If not anonymised, make sure it’s encrypted or password protected if digital or locked with restricted access if physical. Shred any unnecessary physical documents that contain personal data – this reduces risks in case of a data breach. Remember to revoke access to shared documents containing personal data – or if using a platform like Sharepoint, set up an expiry date on the shared document.
6. If you have any questions, email gdpr@peopleforresearch.co.uk