Have you ever downloaded an app on your phone and looked at the permissions that the app requests?  I mean, I just want to play Tetris, so why do you need permission to access my contact list and messages, or know what I ate for dinner?

With the new General Data Protection Regulation (“GDPR”), a move to the age of respecting users’ privacy, software developers who collect and process personal information need to re-think their relationship with privacy.  Let’s look at how you can be compliant and develop a good relationship with this piece of legislation:

  • Take what you need and no more.

When it comes to collecting data, less is more.  Only collect data if you really need it and when you need it.  The questions to ask yourself at this stage are: why do I need this data, and why is collecting this data necessary to the functioning of my software?

  • Be honest, omission is lying.

If you decide that your software requires access to a user’s location, then let the user know in plain, simple language what the exact purpose of the data collection is and how it benefits them.

  • Ask first, be transparent, build trust.

Make sure that users say yes to you using their data.  Don’t do this in a sneaky way, like a pre-checked tick box or by placing small illegible terms and conditions in the far-right bottom corner typed in Arial 3pt.  The GDPR requires informed and active consent.  Remember, consent needs to be specific, and you cannot apply consent for one thing to everything else. There is no such thing as a blanket provision for consent.

  • Make leaving easy.

So, the user decides that this is not working out and they never want to hear from you again.  Make opting out easy. This is especially relevant if you engage in direct marketing.  Do not require the user to fill out 300 forms like they are applying for divorce.

  • Let them take their stuff with them.

Users should be able to request data that is collected by you, and it should be easy for them to take this data with them (data portability) and transfer it to whomever they see fit.  What’s important to remember here is that what’s theirs is theirs.  The data should also be in a format that users can comprehend; for example, data in the form of an unintelligible string of code will not cut it.

Like in all relationships, developing trust and respecting each other is key.  When designing software, it’s not enough to think about privacy as just a policy that requires the bare minimum.  What is required is that privacy is viewed as a core principle that is embedded in the design process.