
Impact of GDPR on User Experience

This slide deck explores best practices for applying GDPR to your product experience and user journey, with examples such as user onboarding, privacy by design and managing user consent.

Published in: Technology

  1. The Impact of GDPR on User Experience
     Dakshika Jayathilaka, Associate Technical Lead, WSO2
  2. About Us
     ● Mountain View, Colombo, New York, London, São Paulo, Sydney
     ● Founded in 2005
     ● Venture backed by Cisco and Toba Capital
     ● 500 Employees; 300 Engineers
     ● 450+ Customers, 170+ New Customers in 2017
     ● Profitable
  3. Introduction to GDPR
  4. GDPR - A Bird's Eye View
     ● What is GDPR
     ● Objectives of GDPR
     ● Impact of GDPR
     ● Privacy Principle
     ● Individual Rights
     ● Core Concepts
  5. What is GDPR?
     ● GDPR is a new legal framework formalized in the European Union (EU) in 2016, which effectively replaces the previously used Data Protection Directive (DPD)
     ● GDPR will come into effect on May 25, 2018
     ● GDPR is applicable for any data processing organization that processes personal data or monitors behavior of individuals residing in the EU
  6. Objectives of GDPR
     ● Recognizes protection of personal data and control over processing of personal data as a fundamental right of an individual
     ● Free movement of personal data within the EU
     ● Provides business organizations certainty on personal data processing activities
     ● Broadens the scope of personal data as Personally Identifiable Information (PII)
  7. Impact of GDPR
     ● Any business that delivers goods or provides services to individuals living in the EU is affected, regardless of whether the business is established in the EU
     ● Personal data processing organizations that cannot demonstrate GDPR compliance will be subjected to financial penalties up to 4% of their annual turnover, or €20 million
  8. Privacy Principles
     ● Storage Limitations
     ● Integrity & Confidentiality
     ● Accountability
     ● Lawfulness, Fairness & Transparency
     ● Purpose Limitation
     ● Data Minimization
     ● Accuracy
  9. Individual Rights
     ● Right to be informed: Provide transparency over how personal data is collected, stored, managed, protected, and processed
     ● Right to access: Provide individuals access to their data and explain how they, and any supplemental data, are used
     ● Right to correction: Correct any personal data if incomplete or inaccurate
     ● Right to be deleted: Remove personal data on request when there is no compelling reason to keep it
     ● Right to restrict processing: Allow individual’s data to be stored but not processed
     ● Right to data portability: Provide copies of all stored data in a portable format
     ● Right to stop processing: Honor requests not to process an individual’s data for specific purposes
     ● Reject automated decisions: Comply with requests not to automate decision making using personal data
  10. Understanding the Core Concepts
  11. Personal Data
      Any information relating to an identified or identifiable natural person, which is also called a data subject (Article 4)
      Any information
      ● Name
      ● Gender
      ● An occupation
      ● An email address
      ● Health-related information
      ● Any other information
      Forms
      ● Alphabetical
      ● Numerical
      ● Graphical
      ● Photographical
      ● Acoustic
      ● Any other format
      Kept in
      ● Paper
      ● Stored in computers
      ● Videotapes
      ● CDs
      ● Any other manner
  12. Personal Data
      Any information relating to an identified or identifiable natural person, which is also called a data subject (Article 4)
      Refers to the below points:
      ● Identity
      ● Characteristics
      ● Behavior of an individual
      ● Used to determine the natural person
      ● Used to influence the natural person
  13. Personal Data
      Any information relating to an identified or identifiable natural person, which is also called a data subject (Article 4)
      ● Directly or indirectly, by reference to certain identifiers
      ● Natural Person = Living Individuals
  14. Processing, Article 4(2)
      ● Collecting
      ● Recording
      ● Organization
      ● Structuring
      ● Disclosure by transmission
      ● Dissemination
      ● Erasure
  15. Controllers and Processors
      ● Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
      ● Controller: A natural or legal person, public authority, agency or other body, which alone or jointly with others, determines the purposes and means of processing personal data.
  16. More on Processors
      ● A data processor may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller (28.3)
      ● Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
      ● Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
      ● Notify data controllers without undue delay upon learning of data breaches (33.2)
  17. Consent
      ‘Consent’ from the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. - Article 4(11)
  18. Consent Management
      ● Consent is one of the six lawful bases of personal data processing as defined by GDPR
      ● It is the most common lawful basis for commercial businesses
      ● All personal data processing activities including collection, storage, and sharing need to be based on explicit and active consent from an individual
      ● Organizations must support complete consent lifecycle management to ensure that individuals can review and revoke consent given at any point
  19. Implicit Consent vs Explicit Consent
      ● Personal data processing and the purpose is not ambiguous to you
        ➔ Clicking a box
        ➔ Choosing technical settings or
        ➔ Another affirmative action
      ● Individuals need to provide their consent literally and explicitly
        ➔ Signatures
        ➔ “I agree …” + checkbox
  20. Privacy by Design
  21. Privacy by Design (Article 25)
      1 | Proactive not reactive; preventative not remedial
      2 | Privacy as the default setting
      3 | Privacy embedded into design
      4 | Full functionality – Positive-sum, not zero-sum
      5 | End-to-end security – Full lifecycle protection
      6 | Visibility and transparency – Keep it open
      7 | Respect for user privacy – Keep it user-centric
  22. Managing User Consent
  23. Design Principles for Consent Design
      ● Unbundled consent
      ● Granular consent
      ● Named organizations
      ● Active opt-in
      ● Easy to withdraw
      ● Time limits
      ● Continuous review
  24. Unbundled Consent
  25. Granular Consent
  26. Named Organizations
  27. Active Opt-in
  28. Easy to Withdraw
  29. Easy to Withdraw
  30. Time Limits
  31. Time Limits
  32. Continuous Review
  33. User Onboarding
  34. UX or GDPR
  35. Challenges and Tips
      ● Present the request for consent with minimum disturbance
      ● Phrase the request for consent in an understandable way
      ● Not everything requires user consent
      ● Promote the business goal of having users agree to you using their data
  36. THANK YOU
      wso2.com
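
The consent design principles on slide 23 and the lifecycle requirement on slide 18 (review and revoke at any point) can be enforced in the data model itself. The following is an added example, not code from the deck or from WSO2; the class and method names are hypothetical, and the 365-day lifetime and 30-day review window are assumed policy values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    subject: str
    purpose: str                  # granular: one record per processing purpose
    recipients: tuple             # named organizations the consent covers
    granted_at: datetime
    expires_at: datetime          # time limit: consent lapses and must be renewed
    withdrawn_at: Optional[datetime] = None

    def active(self, now):
        return self.withdrawn_at is None and self.granted_at <= now < self.expires_at

class ConsentLedger:
    def __init__(self, ttl=timedelta(days=365)):   # ttl is an assumed policy value
        self.ttl = ttl
        self.records = []         # append-only history, kept for review and audit

    def grant(self, subject, choices, recipients, now):
        """choices maps purpose -> submitted checkbox value; returns purposes granted."""
        if not recipients:
            raise ValueError("consent must name the receiving organizations")
        granted = [p for p, ticked in choices.items() if ticked is True]  # active opt-in only
        for purpose in granted:
            self.records.append(ConsentRecord(subject, purpose, tuple(recipients), now, now + self.ttl))
        return granted

    def withdraw(self, subject, purpose, now):
        """One call, no conditions; returns how many active grants were ended."""
        hits = [r for r in self.records if r.subject == subject and r.purpose == purpose and r.active(now)]
        for r in hits:
            r.withdrawn_at = now
        return len(hits)

    def is_allowed(self, subject, purpose, recipient, now):
        return any(r.subject == subject and r.purpose == purpose
                   and recipient in r.recipients and r.active(now) for r in self.records)

    def due_for_review(self, now, window=timedelta(days=30)):
        """Active grants expiring within the window, to re-prompt the user."""
        return [r for r in self.records if r.active(now) and r.expires_at <= now + window]

if __name__ == "__main__":
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed sample data
    ledger = ConsentLedger()
    print(ledger.grant("alice", {"newsletter": True, "analytics": False}, ["ExampleCorp"], t0))
    print(ledger.is_allowed("alice", "analytics", "ExampleCorp", t0))
```

Every processing path calls `is_allowed` with the specific purpose and recipient, so an unticked, missing, expired or withdrawn consent fails closed.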