The journey should feel like an experience and not a contract. Ensuring that the customer clearly understands your proposition, the key terms they must commit to, and the benefit they will receive is an essential part of the customer journey. When you are developing the setup customer journey, ensure that you understand and meet your GDPR obligations, which must be reflected within your T&Cs and Privacy Notice.
The design pattern for most Terms and Conditions and Privacy Notice experiences is:
- A link
- A tick box, and
- A legal document (accessed by actively clicking the link)
Set Up: T&Cs and Privacy Notices

Setting up a new service should be simple. The key terms around the use of personal data must be transparent and clearly set out in plain language in order to meet GDPR requirements.
| # | Key parameter of agreement | Description |
|---|---|---|
| 1 | Customer Outcome Statement | Here's what we aim to help you achieve by using this product or service. |
| 2 | Data Usage Statements | This is why we need your data. This is how we will use (and limit the use of) your data. This is how it will be handled if we share it with other parties, including international transfers. We will also confirm how long we will store your data. |
| 3 | Managing Your Data Statement | This is how you can manage your data and exercise your rights over it (where applicable). |
| 4 | Business Monetisation Statement | This is how we make money. |
| 5 | Complaints Handling Process Statement | Here's how you can get help. How we and others will protect you if something goes wrong. This is how you can complain to the ICO. |
| 6 | Legal Basis Statement for processing data | This is the legal basis we rely upon to lawfully process your data. |
| 7 | Regulatory Compliance | This is how we are regulated. |
Set Up: Developing Effective Privacy Notices

A Privacy Notice is a legal requirement under GDPR that must be presented prior to any data processing. It is also a fundamental part of your value proposition, integral to the customer and brand experience and the creation of trust between customer and provider. Privacy Notices are primarily delivered statically, although sometimes they're also delivered dynamically. Static Privacy Notices should be prioritised in your information architecture. They should be provided as appropriate at the times they're needed most and in language that is easily understood. Dynamic notices should be delivered based on time or event triggers. They serve the purpose of giving people enough information to make an informed, active decision about how their data is used. Read the ICO Guidance on Privacy Notices and what must be included in a Privacy Notice.
Static Privacy Notices

Your Static Privacy Notice should be prioritised in your information architecture. It should be easily accessible and easily understood by your customers and stakeholders. Refer to our guidance on comprehension, and particularly consider layering, using plain English and differentiating the form factor (video, visualisations, interactions and iconography) to support different audiences, learning styles and appetite for information. It needs to be relevant, meaningful and, importantly, transparent, with examples to make it relevant to customers. It should be part of your brand positioning. If this feels like a legal document, it may need more work. Think of this as an experience, not a contract.
Dynamic Privacy Notices

Dynamic Privacy Notices are time or event based. They provide important information about the data people are being asked to share, who it will be shared with, the protections in place and the potential consequences of sharing it. They are deliberately designed to avoid points of friction. The ICO describes this approach as a Just in Time Notice. The ICO has provided helpful guidance on the different methods you can adopt when considering how to provide your Privacy Notice in the most effective way: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/the-right-to-be-informed/what-methods-can-we-use-to-provide-privacy-information/ The challenge is the fine line between valuable and value-less friction. If a notice is presented at the wrong time (or not at all), that could amount to a breach of your obligations under GDPR; if it is presented via an ineffective form factor, it could detract from the focus of an action and result in abandonment. It's therefore crucial that you provide notices when legally required to do so, in a form that does not derail the task the customer is trying to complete. The only way to develop an understanding of where that line sits is to put your notices to the test with real users.