
Guidelines for GDPR Compliant User Stories


The GDPR law enforces a number of rules and regulations that dictate how organizations should handle the users’ personal information. We recently wrote a post about how to prepare for GDPR that provides a checklist that can help organizations be more compliant.

A key aspect of GDPR implementation is to understand what actually needs to be built. This article provides a list of user stories that can help product managers, designers, and developers design and implement GDPR compliant features into digital products and services.

Business Owners

As a Business Owner, I need to obtain clear consent from the consumer of my product or service so that I can keep a record of informed consent to process personal data.

As a Business Owner, I need to ensure that I obtain only the bare minimum information from users so that I can effectively deliver my services and follow compliance standards.

Consumers

As a Consumer of a product or service, I need to submit a request to rectify, erase or transfer my personal data so that I can protect my personal identity.

As a Consumer of a product or service, I need to download all my personal information in a common format such as CSV so that I can retrieve all my personal information from the product or service.

As a Consumer of a product or service, I need to restrict how the product/service uses my personal information so that I can keep control over when and how my personal information is used.

As a Consumer of a product or service, I need to own the right to be forgotten by being able to permanently delete my personal information from the product or service so that I can protect my personal identity.

As a Consumer of a product or service, I need to view a clearly defined data policy in plain language so that I can understand why and how my personal information is processed, and by whom.

Families

As a Child under the age of 16, I need a way to request parental consent so that I can use a product or service with my parent's approval.

As a Parent of a child under the age of 16, I need to formally consent to my child's use of a product or service so that I can protect my child from convoluted data policies.

Ensure Your Designs Are GDPR Compliant

Because GDPR limits how personal data is collected, stored, shared, and made available, it's important to rethink how we craft user stories to ensure compliance. With hefty fines for non-compliance, the value of strategically designed user stories cannot be overstated.

As you think about how to design in light of these new rules and regulations, feel free to reach out to Fresh for guidance!

Aravind Ravi


Aravind Ravi is a well-rounded UX Design Lead skilled at user research, information architecture, interaction design, visual design and usability testing. He has worked for global clients such as Citi, Epiq Systems and Virgin Media on large-scale enterprise systems dealing with ambiguous business requirements and complex technical architecture. He thrives on bringing order to chaos and structure to complexity through a research-driven design process.

Aravind has a Master's degree in Human Centered Design & Engineering from the University of Washington and strives for an empathetic understanding of human psychology in crafting useful, usable and desirable products.