Personal data and design: tips and examples for creating GDPR-proof software and websites

The CNIL (French Data Protection Authority), through its Laboratorie d'Innovation de la CNIL (known as LINC) has launched the platform Données&Design, which aims to become a reference point for all professionals who design interfaces, software and digital products that meet GDPR standards and protect data subjects' rights.

The aim is to develop a platform that creates collaboration opportunities, encourages the sharing of experiences and opinions among DPOs, developers, designers and lawyers, with the aim of spreading the culture of personal data protection and integrating it into the everyday work of designing computer tools.

KEY CONCEPTS OF GDPR

The platform has three sections that present practical design solutions, which are in line with the principles of lawfulness and correctness of the processing of personal data, and can improve the user's experience.

1. Information for data subjects

The CNIL suggests how to ensure that the Privacy Policy is easily available and that on each page of an application where personal data is requested, the information and indications on the processing are specific and easily accessible.

The part dedicated to the language to be used within privacy policies is also noteworthy. Article 12(1) of the GDPR states that the information provided by the Data Controller to the data subject must be provided: "[...] in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]". Wording that is too technical, or too "legal", does not comply with this provision and does not truly make information accessible to all (Tab. 1).

2. Expression of consent

This section shows some technical applications that ensure a proper acquisition of consent, for example through the control of "mandatory" checkboxes, which may be used for acceptance of the general conditions of a contract, but not for further processing purposes. The section also tackles the configuration of chatbots, which should be able to contact the user only in case of actual interaction and not automatically.
The obligation to keep separate the different processing purposes for which consent is asked, is also reminded. (Fig. 1).




3. Exercise of data subjects’ rights

According to the new approach of the GDPR, the Data Controller should make it as easy as possible for data subjects to exercise their rights. The first step, of course, is to provide users with information about their rights as soon as they subscribe or register for a service. Subsequently, in order to truly engage data subjects, to make them aware of the processing of their personal data and its lawfulness, to allow them to have control over the personal data that concerns them, the Data Controller must respond to the data subjects by taking charge of their request and must allow them, where possible, to have account of the progress of their requests.

Particularly interesting is the idea of developing approaches that are more in line with the principle of transparency, that provide specific explanations on the different rights, and that automate the request system, without simply making a contact point available (Fig. 2).

A PLACE FOR EXCHANGING OPINIONS AND EXPERIENCES

The part of the platform dedicated to the exchange of experiences and opinions is very interesting, within which there are different sections for different purposes:

1. Veille, chat dedicated to sharing measures, articles, news and useful information to stay constantly updated.
2. Événements, chat dedicated to the reporting of events dedicated to the processing of personal data, especially in the context of the web and digital interfaces.
3. Retours, assistance chat to ask questions about the tools provided by the LINC;
4. Général, chat for the exchange of opinions in general.
5. Étude de cas, chat dedicated to sharing concrete cases (with attached images) on which opinions are asked of other users. This last page represents, in the opinion of the writer, the strength of this discussion platform.

Stefanelli&Stefanelli law firm has decided to become part of the community, to observe the practices that are used, the strategies adopted in order to create effective digital designs that allows at the same time a lawful and correct processing of personal data. The aim is to constantly monitor innovative and privacy-compliant solutions coming from across the Alps and from the rest of Europe.