I was delighted to find this blog post by Econsultancy's Ben Davis, in which he critically reviews recent examples of UX solutions for GDPR-compliant marketing consent. This is the kind of review that designers concerned with privacy need, in order to generate an industry-wide debate about (slowly emerging) practices and work out optimal solutions over time.
Like Davis, I believe we should have a much broader debate, not only about internal legal compliance efforts, but about well-designed privacy controls that put users in control of their data - be it consent, privacy policies, or other elements:
These examples are not rocket science, I know. It's the back-of-house stuff that represents the real challenge – how to keep records of all processing, all consent granted by users, how to enable users to take their data to another provider, and so on.
But, as companies should be looking to move towards compliance with the GDPR by 2018, the most visible part of this compliance – the UX of obtaining consent and letting the user know what they're in for – should be a priority soon.
The comment section is an equally great read, opening up many of the intricacies of the implementation details involved in designing for privacy.
PS: It is always great to see articles that highlight how consent is only one of several legal grounds for processing (Article 6 of the GDPR lists six lawful bases, of which consent is one). This is the most-repeated mistake I witness in recent blog posts: complying with the GDPR does not necessarily mean "explicit consent". At the same time, this is a UK-centred article (note the references to PECR, the UK's Privacy and Electronic Communications Regulations), and in particular the part about marketing consent for non-profiling campaigns may differ under other legislations, as the new ePrivacy Regulation, which aims to harmonize these rules, is delayed and national rules partially remain in force beyond May 25.