General Data Protection Regulation (GDPR) has been making waves since its launch in May 2018—especially within the field of design research. Designed as a means to protect data privacy and give control back to individuals, GDPR has changed everything from how we can engage research stakeholders, to the tools we can use, to the information we are allowed to capture during the research process.
While GDPR compliance is complex and requires expert legal advice, design teams should not view it as an impediment but rather an opportunity to improve and synchronize current processes and tools. At frog, we looked at these new GDPR constraints as a service design challenge, then used common design methods and principles to tackle it. In close collaboration with data privacy experts and our community of practitioners, we interpreted GDPR for the work we do at frog and translated it into actionable processes and tools. Rather than just trying to keep our head above the water, we looked at GDPR as an opportunity to streamline our internal processes and make the research experience more “user-friendly” for both our teams and our research participants.
Research Operations, or ‘ResearchOps’ as it’s also known, is all about designing research processes to improve research efforts and distribute research insights organization-wide in a repeatable, scalable and ethical way. This includes defining methodology, as well as providing training on tools and techniques related to research practices. Effective ResearchOps are a crucial part of the human-centered design process. However, data privacy is not a research problem only—it applies to all phases of design. Awareness of the basic principles makes us better designers of products, services and experiences.
You can surf the troubled waters of data privacy without wiping out. To help, here are our top five tips for navigating data privacy in design research.
Navigating data privacy is complex—and there’s no need to do it on your own. Assemble a team with diverse expertise in research, design, IT, legal and project management to make sure you’ve covered all your bases. Your IT and legal teams have likely invested a great deal of time implementing GDPR-compliant systems and policies, but they may not understand the nuances of design research and the realities in the field. Likewise, design teams may not appreciate the complexities of GDPR and the need for teams to conduct their work within the current IT infrastructure and legal processes. Stakeholder interviews and co-working sessions will ensure these different disciplines are considered and engaged.
Remember that even with all the right players involved, there is no one-size-fits-all approach to data privacy. Each organization will have its own specific data needs dependent on company structure, data storage and usage, partner contracts and business objectives. While there is no shortage of forms and templates you may want to reference, having a research team with diverse expertise will ensure you make decisions that support GDPR compliance and suit your organization’s unique needs.
With the organization’s specific needs in mind, make a service blueprint of the flow of data from collection through project closure. How will you find and communicate with participants, how will you record and store data, and who “touches” the data at any point thereafter? Know: Who will have access? How will the data be collected? Do you need to share the data with other business units or even externally? Will the data be shared with teams or clients in other countries?
Once you’ve made your map, imagine how you would handle challenges to the blueprint from research participants and stakeholders. For example, what would you do if a participant wants to know more about how their data will be used? What if a participant were to send an email asking you to delete their data? Or, what if they simply want to correct a piece of information? How do you implement a process whereby these requests are directed to the right teams and are responded to as required by GDPR? Anticipating these challenges will help you understand how to address data privacy concerns—and update your service blueprint—before they become pain points in the research process.
Treat safeguarding data privacy in your design research as you would any other design challenge. Build prototypes, then test and iterate accordingly. Make note of any pain points and experiment with solutions. This experimentation will help you understand the difference between a bad idea and a good idea with just questionable execution.
Remember that as much as you may like to, you can’t control everything. Issues will come up along the way, and you will have to work as a team to resolve them. To scale an operation, you’ll need to continue to get expert advice on GDPR compliance while offering your teams processes and guidance that are easy to use and understand. To keep everyone on the same page, keep the lines of communication open. Perform training on new tools, document any updates to your service blueprint and dedicate a Slack channel to Q&A. As questions arise about tools or processes, keep track of their answers in a FAQ for the team. This will keep the team learning from one another’s experiences.
Design your research for maximum usability by agreeing on process standards wherever you can, such as when defining folder structure or chains of command over data. Maintaining too many exceptions becomes unwieldy and is harder to enforce. That’s why it’s also critical to define a single source-of-truth for your design research infrastructure, complete with referenceable forms, reporting workflows, tool descriptions and templates. Creating a centralized repository with contextual guidance linking out to specific information is essential. To handle data securely, it should live in only one place with controlled access rights. Therefore, links are your best friend when discussing findings and referencing raw data points.
Establish standards for project outputs that are simple to reference and follow—and practice what you preach. Anonymize data from the start. Remove any unnecessary info right away, such as names, locations, etc. Pixelate or otherwise obscure photos and sensitive information before sharing to make sure there are no chances for data to be mishandled later in the research process.
Okay. So it might be hard to incorporate a “human element” into your research share-out without being able to show faces, share voices or offer much information about your participants. However, there are workarounds. For example, taking photos of people’s hands is a good way to document processes in a more natural way without revealing a person’s identity. Similarly, taking photos of participants from behind will give you a window into what they are seeing, even if the photos can’t show their reactions. Other contextual photos, with people out-of-focus in the background, can also be quite powerful. Illustrations and stock photography are other clever workarounds when photos from the research are not an option to share.
It pays to design your research exercises in consideration of what outputs would have the most impact, without sharing personal participant data. For example, anonymized worksheets or outputs from co-creation can go a long way in getting your research story across, without the added complexity that comes with handling stories that contain personal data.
With a little creativity and plenty of consideration for the rights of your research participants, you will be able to gracefully ride that GDPR wave. By applying a design mindset of multidisciplinary work, curiosity, problem-solving and continuous improvement to this challenge, you’ll soon master the basics of safeguarding your research participants’ data privacy. Don’t be surprised if, like us, your attention to compliance unlocks opportunities to improve ResearchOps at every phase of your design process.