Designing for privacy : design patterns for making online products GDPR compliant

Abstract

Having come into force on May 25, 2018, the General Data Protection Regulation (GDPR) sets a new standard for processing, storing and protecting the personal data and privacy of EU citizens. The law requires businesses that operate online take actions to ensure that they process customer data in a fair way, that they clearly explain to customers how long their personal data will be used and stored, and that they receive valid consent from their customers to do so. As follows, in order to achieve GDPR compliance, companies need to rethink strategies for dealing with customer personal data and designing user privacy. While simple in theory, the GDPR turns out to be quite difficult to interpret and understand. In this thesis, we present the aid to guide designers through the process of creating GDPR compliant and privacy-friendly online systems. We began by examining existing approaches to achieving GDPR compliance. As the further step, we conducted the workshop with five privacy and design experts. The results of the workshop helped to define the set of aspects that should be highlighted while creating design patterns. The first paper prototype of the card deck ‘Designing for Privacy was evaluated by privacy experts. After having made changes according to the experts feedback, the design patterns were visualized and evaluated by four designers. To define if designed patterns are also understandable for the end users, we conducted a qualitative informal evaluation of the privacy-friendly web prototype with three participants. Received positive feedback from the experts and end users demonstrate expediency and effectiveness of the concept suggested in this thesis.