This slide deck explores best practices for applying GDPR to your product experience and user journey, with examples such as user onboarding, privacy by design, and managing user consent.
Impact of GDPR on User Experience
1. The Impact of GDPR on User Experience
Dakshika Jayathilaka
Associate Technical Lead, WSO2
2. About Us
● Mountain View, Colombo, New York, London, Sao Paulo, Sydney
● Founded in 2005
● Venture backed by Cisco and Toba Capital
● 500 Employees; 300 Engineers
● 450+ Customers, 170+ New Customers in 2017
● Profitable
4. GDPR - A Bird's Eye View
● What is GDPR
● Objectives of GDPR
● Impact of GDPR
● Privacy Principle
● Individual Rights
● Core Concepts
5. What is GDPR?
● GDPR is a new legal framework formalized in the European
Union (EU) in 2016, which effectively replaces the previously
used Data Protection Directive (DPD)
● GDPR will come into effect on May 25, 2018
● GDPR is applicable for any data processing organization that
processes personal data or monitors behavior of individuals
residing in the EU
6. Objectives of GDPR
● Recognizes protection of personal data and control over
processing of personal data as a fundamental right of an
individual
● Free movement of personal data within the EU
● Provides business organizations certainty on personal data
processing activities
● Broadens the scope of personal data as Personally Identifiable
Information (PII)
7. Impact of GDPR
● Any business that delivers goods or provides services to
individuals living in the EU is affected, regardless of whether the
business is established in the EU
● Personal data processing organizations that cannot demonstrate
GDPR compliance will be subjected to financial penalties up to
4% of their annual turnover, or €20 million
9. Individual Rights
● Right to be informed: Provide transparency over how personal data is collected, stored, managed, protected, and processed
● Right to access: Provide individuals access to their data and explain how they, and any supplemental data, are used
● Right to correction: Correct any personal data if incomplete or inaccurate
● Right to be deleted: Remove personal data on request when there is no compelling reason to keep it
● Right to restrict processing: Allow individual’s data to be stored but not processed
● Right to data portability: Provide copies of all stored data in a portable format
● Right to stop processing: Honor requests not to process an individual’s data for specific purposes
● Reject automated decisions: Comply with requests not to automate decision making using personal data
11. Personal Data
Any information relating to an identified or identifiable natural person,
which is also called a data subject (Article 4)
Forms
● Alphabetical
● Numerical
● Graphical
● Photographical
● Acoustic
● Any other format
Kept in
● Paper
● Stored in computers
● Videotapes
● CDs
● Any other manner
Any information
● Name
● Gender
● An occupation
● An email address
● Health-related information
● Any other information
12. Personal Data
Any information relating to an identified or identifiable natural person,
which is also called a data subject (Article 4)
Refers to the below points:
● Identity
● Characteristics
● Behavior of an individual
● Used to determine the natural person
● Used to influence the natural person
13. Personal Data
Any information relating to an identified or identifiable natural person,
which is also called a data subject (Article 4)
Directly or indirectly, by reference to certain identifiers
Natural Person = Living Individuals
15. Controllers and Processors
● Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
● Controller: A natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of processing personal data.
16. More on Processors
● A data processor may not opportunistically use or mine personal data it is
entrusted with for purposes not outlined by the data controller (28.3)
● Obtain written permission from the controller before engaging a
subcontractor (28.2), and assume full liability for failures of
subcontractors to meet the GDPR (28.4)
● Enable and contribute to compliance audits conducted by the controller or
a representative of the controller (28.3.h)
● Notify data controllers without undue delay upon learning of data
breaches (33.2)
17. Consent
‘Consent’ from the data subject means any freely given,
specific, informed and unambiguous indication of the
data subject’s wishes by which he or she, by a statement
or by a clear affirmative action, signifies agreement to the
processing of personal data relating to him or her.
- Article 4(11)
18. Consent Management
● Consent is one of the six lawful bases of personal data processing as
defined by GDPR
● It is the most common lawful basis for commercial businesses
● All personal data processing activities including collection, storage, and
sharing need to be based on explicit and active consent from an individual
● Organizations must support complete consent lifecycle management to
ensure that individuals can review and revoke consent given at any point
19. Implicit Consent vs Explicit Consent
● Personal data processing and the purpose is not ambiguous to you
➔ Clicking a box
➔ Choosing technical settings or
➔ Another affirmative action
● Individuals need to provide their consent literally and explicitly
➔ Signatures
➔ “I agree …” + checkbox
25. Privacy by Design (Article 25)
1 | Proactive not reactive; preventative not remedial
2 | Privacy as the default setting
3 | Privacy embedded into design
4 | Full functionality – Positive-sum, not zero-sum
5 | End-to-end security – Full lifecycle protection
6 | Visibility and transparency – Keep it open
7 | Respect for user privacy – Keep it user-centric
46. Challenges and Tips
● Present the request for consent with minimum disturbance
● Phrase the request for consent in an understandable way
● Not everything requires user consent
● Promote the business goal of having users agree to you using
their data