Many companies are now making sure they're compliant with the EU's upcoming General Data Protection Regulation, but how many are considering user experience in this? Here, I look at why it's paramount you don't forget UX design during your GDPR overhaul!

The General Data Protection Regulation (GDPR) arrives in 2018, and companies across the European Union are reviewing their data and privacy policies – despite Brexit, the GDPR will affect the UK, too. As these companies review their policies, it’s becoming increasingly clear that the user journeys and experiences they’ve tailored over the years will be disrupted by the GDPR.

Now usually ‘disruption’ sounds like a bad thing, but here at Cyber-Duck we think the GDPR is in fact a brilliant opportunity. It provides a huge incentive to businesses to take another look at how they interact with users – chiefly, how they request, use and store their information. For more general information about the GDPR, you can check out our introduction article here. Alternatively, you can make sure your website is GDPR compliant now by taking up our GDPR audit service.

But in this article we’ll be looking at two closely linked areas, which are particularly affected by the GDPR: privacy notices and consent. Both areas will see a comprehensive overhaul of how you handle them. If you aren’t careful, you run the risk of making your user journeys complicated and inaccessible. How to avoid that is what we’ll be addressing today.

Tied at the Hip

The GDPR will completely revolutionise how we think about data protection, especially where privacy is concerned. Granted, privacy is more the preserve of the legal department or the engineering department, but it is also the concern of the user experience (UX) designer or marketer. Good UX practice means making privacy policies accessible, and this is what the GDPR now makes legally binding. In the past, some companies have had poor UX around their privacy policies, but the GDPR will tie privacy to UX like never before.

UX design is based on research. Designers interview users and test designs with them so they can create more engaging and user friendly experiences.

What is user experience design though? On the one hand, it is about making an interaction more usable and accessible, but it is more than this alone. UX design is also about enhancing the overall user experience across the entire user journey. A good user experience will feature more pleasant interactions that will help users to not only reach what they think are their goals, but to fulfil their unknown, deeper needs too. Achieving this experience takes patience and a disciplined hand because it requires extensive research and testing. With a UX design approach, anything a user interacts with is tested and tailored through various iterations to create a better experience overall.

If the GDPR states that we need to make our consent forms and privacy notices clearer, that means bringing them closer to the user, making them easier to read, and more enjoyable to interact with. What it means is that privacy, data protection and UX are now tied at the hip: there is no room to gloss over the user experience of privacy policies.

Privacy Notices & GDPR

In all honesty, have you ever read the terms and conditions? Of anything? It’s safe to assume you probably haven’t. The length of Apple’s terms and conditions for iTunes is a running joke at this point. We could have agreed to anything by clicking ‘I accept’ and wouldn’t even know it (something Eddie Izzard covered hilariously during his tour, Stripped Live). The GDPR seeks to address this issue.

But first, let’s just make clear what a privacy notice is, or has been up to this point. A privacy notice traditionally informs users what an organisation will do with their information. These notices are usually comprehensive in both detail and length and they are written in lawyerly speak, which is why we don’t read them. But they cover important points, including what information an organisation will collect, how they’ll do it, who they’ll share it with and how they’ll use it. That certainly covers a lot of bases, but it’s not great for the user, who may end up agreeing to things they never would have done if the information had been made clearer.

This is where the GDPR aims to improve matters. It states that companies must provide clear and accessible information regarding their personal data processing methods. Privacy notices must now be:

  • Written and presented in a clear, concise manner
  • Free of charge
  • Transparent, intelligible and easy to access

It’s all about being more open and honest with your users. Some organisations already are, and that’s brilliant, but others are found wanting in this area. Ultimately, improving your standards in these areas is going to lead to a better customer experience and make it more likely that they’ll use your services again. So get on it!

A Balancing Act

The GDPR states that you need to acquire informed and explicit consent from your users before you can collect, store and use their personal data. Accomplishing that while maintaining a great and seamless user experience is a balancing act.

You need to bring the most pertinent points of the privacy notice to the user – under GDPR, you can’t expect the user to go to the notice of their own accord. Instead, it must be clear and prominent. When your users are inputting their information and agreeing to your terms, they need to see the relevant part of the privacy policy right there, right then.

At Cyber-Duck, we recently began a complete overhaul of our website. On the one hand, we were updating the design, but we also had another motive: the GDPR. We were eager to make sure we were GDPR compliant while maintaining a phenomenal user experience. How we presented our contact forms was of particular importance, especially when it came to marketing. To handle it, we looked into the best ways to present privacy information, and altered our internal data policies to ensure our audience’s experience was the best it could be.

The new Cyber-Duck contact form brings the most pertinent privacy information directly to the user - this is the 'just-in-time' method, discussed below.

The Information Commissioner’s Office (ICO) was a great resource in this research. It is responsible for upholding information rights in the public interest. As such, it has detailed some of the best practices for preparing for the GDPR. Two methods it outlines are layering and the ‘just-in-time’ notice.


Layering is all about making clear and intelligible privacy information easy to access. It’s a great way of saving space and getting all the information across to a user so they can make an informed decision. It is presented in a tidy layered format, with increasing amounts of detail found the deeper you go into the layers.

A direct question in an opening headline, for instance, could be your first layer. Clicking on this headline could show you collapsible information that provides an answer (at least the bare minimum a user needs), while a third layer could redirect a user to the full privacy policy. This policy itself would also be clearly written and presented. 

Samsung layers its privacy policy on its website. This compiles the information in bite-sized chunks the user can engage with more easily.


The ‘just-in-time’ notice is one of our favourite options for achieving GDPR compliance. The information it provides can be very similar to that issued in the layering strategy, but it has one major advantage.

With this method, when users click on a field in a consent form, they see a pop-up with all the relevant information regarding why the organisation needs that data. There may also be a link to further details, but that isn’t the most important part of this method.

The point is that the information pops up – it draws the user’s eye in a way that a stationary block of text simply doesn’t. Therefore, you are making it more likely that users will engage with the privacy notice and that you’re actually acquiring informed consent.

You can find an example of it above in our new contact form.

Uncompromising Consent Forms

From 25th May 2018 onwards, we’ll need to ensure complete clarity when it comes to acquiring informed, explicit consent to collect and use personal data. Making our privacy notices more accessible to our users in order to gain that consent is crucial. But how do we also structure our consent forms to ensure they are GDPR compliant and still deliver a great user experience?

Although the GDPR will permeate through the entire business world, today we’re going to focus on online registration. Before we do, we’ll briefly assess what elements of the GDPR are relevant when seeking consent.

  • Opt-in – users must actively opt-in to having their data collected and used
  • Granular – users must give consent to every type of data processing activity
  • Withdrawable – users have the right to easily withdraw their consent, so you need to tell them this and how they can do it
  • Transparent – name every organisation, your own and any third parties, who will handle the data
  • Separate, clear – consent isn’t the same as agreeing to the terms and conditions, so they shouldn’t be bundled together; they are separate, so should have separate forms

How, then, do we construct user friendly consent forms when we have so much detail to contend with?

Firstly, we separate the terms and conditions from consent – they’re separate things, so let’s treat them separately.

Next, pre-ticked agreement boxes are a big no go – they breach the GDPR’s opt-in rule. Users must opt-in, so they need to tick the box themselves. If they don’t tick it or agree, you can’t collect their data.

UX Mastery showed that Australia's largest credit reporting company, Veda, featured a pre-ticked checkbox on its site. If the user didn't untick it before clicking continue, they would agree to Veda sharing their personal details. Under the GDPR, this strategy will be illegal wherever an EU citizen is involved.

Likewise, for every processing activity you want to do, you’ll need a new opt-in option. If you want someone’s email address to contact them, they must approve it. But if you wanted to contact them by phone too, they would also have to approve that – separately. This is what we mean by a granular consent form.

These two areas are a good start, but we need to go further. Everyone who handles the data must be named. The GDPR encourages transparency, so if you’re going to share personal data with an external marketing company, you need consent for that.

Finally, you now need to ensure you’re making it clear to the user that they can withdraw their consent at any time. You need to show them exactly how they can withdraw consent, and that means designing and implementing robust, user friendly withdrawal systems.
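
The consent rules above can be enforced behind the form as well as in its design. The following is an added JavaScript example, not Cyber-Duck's own code: it keeps one consent record per processing activity, names the recipients for each, keeps terms acceptance separate and supports withdrawal. The purpose names, company names and function names are hypothetical, and it assumes the form renders every box unticked.

```javascript
// Added example: PURPOSES, recordConsent, withdraw and mayProcess are hypothetical names.
// Each processing activity is its own purpose and names everyone who handles the data.
const PURPOSES = {
  email_contact: { recipients: ["Example Ltd"] },
  phone_contact: { recipients: ["Example Ltd"] },
  partner_marketing: { recipients: ["Example Ltd", "Example Marketing Partner"] },
};

// Turn a submitted form into per-purpose consent records.
// Only a literal boolean true counts as opt-in; a missing box or
// acceptance of the terms never grants consent for any purpose.
function recordConsent(form, now = new Date()) {
  const records = {};
  for (const [purpose, meta] of Object.entries(PURPOSES)) {
    const granted = form.consents?.[purpose] === true;
    records[purpose] = {
      granted,
      recipients: meta.recipients,
      grantedAt: granted ? now.toISOString() : null,
      withdrawnAt: null,
    };
  }
  // Terms acceptance is stored separately and is not a consent record.
  return { termsAccepted: form.termsAccepted === true, records };
}

// Withdrawal is one call per purpose and leaves the other purposes untouched.
function withdraw(state, purpose, now = new Date()) {
  const rec = state.records[purpose];
  if (!rec) throw new Error(`unknown purpose: ${purpose}`);
  if (rec.granted) {
    rec.granted = false;
    rec.withdrawnAt = now.toISOString();
  }
  return state;
}

// Gate every use of the data on the matching purpose.
function mayProcess(state, purpose) {
  return state.records[purpose]?.granted === true;
}

// Constructed submission: the user ticked email only and accepted the terms.
const sample = recordConsent({
  termsAccepted: true,
  consents: { email_contact: true },
});
console.log(mayProcess(sample, "email_contact"), mayProcess(sample, "phone_contact"));
```

Keeping the grant and withdrawal timestamps with each record also gives the data audit something concrete to check against.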

But how you present this new, GDPR-compliant design to your users will need testing. UX design involves painstaking research and user testing to ensure we understand who we’re designing for. You can’t simply introduce the updated GDPR-compliant forms without finding out if your users’ needs are still being met. This is where Cyber-Duck excels – our expert UX designers have a reputation for conducting quality, in-depth user research, allowing us to create excellent user experiences that meet and exceed user expectations. You can find out more about our UX approach in our UX Book.

Before you get to the user research stage though, you’ll need to complete a comprehensive data audit.

Start Your Data Audit Now

Data protection legislation limits what data you can collect, but the GDPR will extend even further than previous legislation, as we’ve pointed out. 

That said, when was the last time that you reviewed your data policies? When did you last look at what data you were collecting and assess whether you actually needed it?

It may well have been a long time, but doing so is crucial to become GDPR compliant. You need to take stock of your current data and privacy processes by conducting a comprehensive data audit. Look at what data you collect, where and how you collect it, how you store it and above all how you use it. 

Becoming compliant with the GDPR means minimising the data you collect to only what you really need, and introducing more robust privacy policies. To do that, you need to know what your current practices are and to identify where you’re lagging.

UX, GDPR & Cyber-Duck

Introducing the GDPR into your business won’t be a walk in the park, but it stands as a great opportunity to reinvent your practices to create a better user experience. We’ve done exactly that with our brand new website – coming soon! – and we’re ready to bring that expertise to you.

If you’re just starting to make your business GDPR compliant, we’re here to help. Check out our GDPR compliance service now. Otherwise, contact Cyber-Duck today to see how we might be able to assist you with your digital transformation.

You can find out more about the GDPR and its basics on our dedicated microsite. Head there now to Navigate the GDPR Labyrinth!