Set Up

The journey should feel like an experience, not a contract. Ensuring that the customer clearly understands your proposition, the key terms they must commit to, and the benefit they will receive is an essential part of the customer journey. When you are developing the set-up customer journey, make sure that you understand and meet your GDPR obligations, which must be reflected in your T&Cs and Privacy Notice.
The design pattern for most Terms and Conditions and Privacy Notice experiences is:
  • A link
  • A tick box, and
  • A legal document (accessed by actively clicking the link)
Research consistently shows that most people skip a careful reading of terms and conditions, misunderstand them when they are not clearly presented, and as a result are poorly informed at the point of agreement (i.e. the decision to sign up for a new product or service). By deliberately designing terms and conditions experiences that inform and empower your customers, you enable them to make an active and informed choice. This guidance is intended to help you deliver a simple, actionable and meaningful disclosure experience to customers.

Set Up: T&Cs and Privacy Notices

Setting up a new service should be simple. The key terms around the use of personal data must be transparent and clearly set out in plain language in order to meet GDPR requirements. The key parameters of the agreement, and what each should tell the customer, are:
  1. Customer Outcome Statement
     • Here's what we aim to help you achieve by using this product or service.
  2. Data Usage Statements
     • This is why we need your data.
     • This is how we will use (and limit the use of) your data.
     • This is how your data will be handled if we share it with other parties, including international transfers.
     • This is how long we will store your data.
  3. Managing Your Data Statement
     • This is how you can manage your data and exercise your rights regarding it (where applicable).
  4. Business Monetisation Statement
     • This is how we make money.
  5. Complaints Handling Process Statement
     • Here's how you can get help.
     • This is how we and others will protect you if something goes wrong.
     • This is how you can complain to the ICO.
  6. Legal Basis Statement for processing data
     • This is the legal basis we rely upon to lawfully process your data.
  7. Regulatory Compliance Statement
     • This is how we are regulated.

Set Up: Developing Effective Privacy Notices

A Privacy Notice is a legal requirement under GDPR: the information it contains must be provided at the time personal data is collected from the customer. It is also a fundamental part of your value proposition, integral to the customer and brand experience and to the creation of trust between customer and provider. Privacy Notices are primarily delivered statically, although they are sometimes also delivered dynamically. Static Privacy Notices should be prioritised in your information architecture. Dynamic notices are delivered on time or event triggers, at the moments they are needed most and in language that is easily understood. Both serve the purpose of giving people enough information to make an informed, active decision about how their data is used. Read the ICO Guidance on Privacy Notices for what must be included in a Privacy Notice.

Static Privacy Notices

Your Static Privacy Notice should be prioritised in your information architecture. It should be easily accessible and easily understood by your customers and stakeholders. Refer to our guidance on comprehension, and in particular consider layering, using plain English and varying the form factor (video, visualisations, interactions and iconography) to support different audiences, learning styles and appetites for information. It needs to be relevant, meaningful and, above all, transparent, with examples that make it relevant to customers. It should be part of your brand positioning. If it reads like a legal document, it may need more work. Think of it as an experience, not a contract.

Dynamic Privacy Notices

Dynamic Privacy Notices are time or event based. They provide important information about the data people are being asked to share, whom it will be shared with, the protections in place and the potential consequences of sharing it. They are deliberately designed to avoid points of friction. The ICO describes this approach as a Just in Time Notice. The ICO has provided helpful guidance on the different methods you can adopt when considering how to provide your Privacy Notice in the most effective way: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information/ The challenge is the fine line between valuable and valueless friction. Notices presented at the wrong time (or not at all) could amount to a breach of your obligations under GDPR; notices presented through an ineffective form factor could distract from the action in hand and result in abandonment. It is therefore crucial that you provide notices when legally required to do so, and in a form that works. The only way to find the right balance is to put your notices to the test with real customers.