In 2018, web professionals see May not so much as the proverbial month of delight but as the end date for the GDPR's transition period. In an effort to reach compliance, they seek last-minute legal advice and write extensive process documents. But is that the right approach?
This text has been co-authored with IT lawyer Baltasar Cevc; it was first published in German on the ["Nürnberg Web Week href: /2018/02/workshop-20180305-nuernberg-datenschutz-im-web/">upcoming workshop](http://nueww.de/blog/article/Post/show/herausforderung-dsgvo-ungeliebter-aufwand-oder-unternehmerische-gelegenheit-360/cebaf8ac47d72c5bf476e651dbcf728c/) on 5 March in Nuremberg.
To be precise, 25 May 2018 is not really a deadline, but marks a paradigm shift: the new legislation puts the user first, forcing businesses to adapt their mindset.
Enabling fair competition, but bearing significant risks
In everyday business practice, it is easily overseen that the GDPR (with unified applicability across Europe, and beyond) is not primarily a bureaucratic burden, but the EU lawmakers' effort to enable a competition framework where privacy-considerate concepts no longer face a disadvantage in the market. Coming May, everybody has to play according to the same rules - enabling all new opportunities.
A decisive factor for success is to not lock these new rules into silos. Whereas privacy affairs have traditionally been dealt with by one centralized department, the changing environment dictates that the topic takes center stage across all business units. The conventional case-by-case approach is hereby superseded by a holistic perspective. The new legal requirements lift users' privacy to a central position, calling for shared visions across business, product, design und development.
The new privacy rules bring along a range of new risks for entrepreneurs; these not only reside in the often cited high fines, but even more so in the fact that consumers, individually or through associations, can enforce authorities to activate, sue apparent violators, or claim damage compensation - ensnarl companies in complex lawsuits (DE). A major difficulty for the defence will be the line of argument, as the giving of evidence now rests extensively on the businesses, who need to document their data processing practices accordingly.
Conceptually weak privacy is hard to "fix" by legal means only
Where existing implementations in websites or online services are colliding with user privacy, efforts to "retrofit" them for GDPR compliance likely require significant compromises regarding user experience, or may antagonise users due to high consent requirements. The core messsage of the GDPR is that the processing of personal data must be fully transparent and user-controllable. The easiest way to achieve this is a responsible and comprehensible treatment of user data. Otherwise, the mandatory transparency can only be guaranteed by over-information: complex privacy banners with multi-step user dialogues, possibly in addition to the already unloved cookie banners.
The typical approach of including convoluted legal texts as a safeguard no longer helps here. Quite the contrary: privacy policies that are incomprehensible for laymen are in direct conflict with the GDPR as of May 25. Popular disclaimers like "we collect all kind of data to enhance your experience on our website" do not fulfil a single one of the requirements for specific and clear user information: they neither describe the precise purpose of or the legitimate interest for the data collection, nor do they specify what data is gathered and by whom - all explicit requirements by Art. 13 GDPR.
Efficient combination of legal risk management and privacy-sensitive design
This is where the symbiosis of privacy and design - of entrepreneurial risk management and creative product design - comes into play. Processes, implementations, even entire product concepts, have to be deconstructed and analysed to distill where personal data truly provides an added value for the customers: looking through the user's eye, eliminating the undesirable, making interrelations understandable. With the GDPR, the EU made clear that user data must only be processed under strict limitations. All this calls for a broad engagement with the goals of the GDPR and the requirements arising from it; this is the only route to sustainable risk management. In practice, it appears promising to combine a user- and a purpose-centred approach. Alternatively, when aiming to achieve compliance only by the means of legal instruments, the GDPR is likely to remain an unloved - and furthermore imprecise - catalogue of requirements.
When the individual benefit of data processing for the user is clearly defined, along with a minimalistic approach to data collection, the necessary comprehensible disclosure (DE) of these processes is not hard to achieve. Once only truly useful data is processed, the danger of noise and misinterpretations decreases, as does the potential for damage from data breaches. Once these thoughts have been structured, essentially as a by-product of the entrepreneurial strategy work, the skeleton of a resilient and GDPR-compliant documentation is already at hand.
Privacy in practice: competitive advantage under the GDPR
Since the GDPR obligates all data controllers, those playing fair can gain a competitive advantage from these rules of the game. Those ignoring the requirements will have to face consequences in the long term (DE). When approached correctly, the GDPR will therefore not be an obstacle for UX, but can - when reflected on deeply - lead to the design of solutions with hugely improved user experiences. This way the apparent obstacle turns into a lead and an advantage in the market. At the same time, the initially high bureaucratic demands become an investment into doing ethically sound business, which at the same time minimises unnecessary risks for the future.