
One Pager 2: Testing the Privacy Experience

Assessing where the law, the brand and the customer meet

A poor privacy experience is more than just a potential fine

Fined for a poor privacy experience

When the French data protection authority (CNIL) fined Google €50m in January 2019, it was because Google had breached Article 6 (‘Lawfulness of processing’), Article 12 (‘Transparent information…’) and Article 13 (‘Information to be provided…’) of the GDPR.

These specific articles will be very familiar to privacy professionals across the world.

The CNIL came to its conclusions because of what it found in the Google Privacy Experience (PX). As the CNIL says in its deliberation: “the investigations correspond to the scenario chosen to carry out the online test, namely a user’s journey and the documents to which they could have access”.

‘Online test’, ‘scenario’ and ‘user’s journey’: the CNIL is using language as familiar to any UX or CX professional as the contents of Recital 58 are to a privacy professional.

What is the privacy experience?

The PX is the result of all the privacy interactions between people – customers, prospects, regulators, activists or citizens – and a brand over the lifetime of their relationship.

What makes designing a PX different from any other CX is that it must also demonstrate compliance with the law, translate brand values into the unfamiliar privacy domain, and afford the customer the ability to understand and decide about the use of their personal data.

This requires careful translation of legal, brand and customer requirements into strategy, principles, journeys and blueprints.

You have a privacy experience!

If you are processing personal data, you already have a PX.

The question is, how have you designed it and how are you managing it?

Where to start? An assessment.

You start by identifying, defining and describing your PX problems.

PEA has four lenses to assess a privacy experience:

  1. The User – does the privacy experience let people achieve their privacy goals effectively, efficiently and with satisfaction?
  2. The Regulator – does the privacy experience demonstrate compliance with the law?
  3. The Advocate – to what level does the privacy experience conform to the higher bar set by activists, academics and interest groups?
  4. The Brand – is the privacy experience consistent with the values of the brand and the principles which define the core CX?

Each of these four lenses allows the PX to be scrutinised from different angles. None can be completely ignored, but each has a different degree of importance to your business.

By which lenses will you assess your privacy experience?

Key Takeaways

  1. How you have designed your privacy experience is a source of risk to your business
  2. How you have designed your privacy experience must be a source of value to your business
  3. All privacy experiences must be designed with the law, the brand, the customer and wider stakeholders in mind.
  4. Assess your “as is” privacy experience to ensure it meets the different criteria and requirements expected by customers, regulators, advocates and your brand
  5. Translate your privacy experience problems into indicators of compliance so they can be evaluated against a rights delivery framework, balancing test and risk levels.

Assessing Privacy Experience is at the core of what PEA does.

PEA has developed a method which brings together UX investigation techniques, data protection risk assessment, rights balancing and advocacy design principles in a process for evaluating the compliance and leadership of a privacy experience.

Helen Dixon, Data Protection Commissioner for Ireland. The Independent, 02/04/2017.

Author Privacy Experience Agency
