This is the first operational step of the methodology (vade-mecum pdf) recommended by the CNIL: mapping. In the case of Spade, a web agency, the main data processing takes place around our main showcase: our website.
Our customers ask us to explain some of the processing operations induced by the site we have developed for them.
When you build a website, the question of which data is processed by the pile of technical components, and how each of these processing operations is justified, arises very quickly.
- Web server logs (Apache, Nginx, IIS) collect IP addresses and page views.
- The web server or application can set language, preference, tracking cookies…
- Forms collect data to make contact, feed a CRM, or allow subscription to a newsletter.
What is done with this data? How is it collected? What is it processed for? By whom?
You must explain this and ask the user for consent, or at least state a recognised legal basis for the processing.
The user's consent is not the only way to justify data processing: there are legal obligations, legitimate interest, data made public… For the full list of legal bases, see Article 6 of the Regulation.
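As an added illustration (not the agency's own code), here is the mapping step applied to the first bullet above, the web server's access log: the script parses Apache/Nginx combined-format lines, lists which fields are personal data, attaches a purpose and legal basis to each, and shows the IP truncation a site can apply before retaining logs. The register entries, purposes, legal bases and sample lines are constructed assumptions, not Spade's actual register.

```python
import ipaddress
import re
from typing import Optional

# Apache/Nginx "combined" log format: the first thing a mapping exercise finds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Register rows for the personal-data fields a log line carries. The purposes
# and legal bases are illustrative assumptions, not the agency's own register.
FIELD_REGISTER = {
    "ip": {"purpose": "security and abuse detection", "basis": "legitimate interest"},
    "user": {"purpose": "authenticated access", "basis": "contract"},
    "referer": {"purpose": "traffic-source statistics", "basis": "legitimate interest"},
    "agent": {"purpose": "compatibility statistics", "basis": "legitimate interest"},
}


def anonymise_ip(ip: str) -> str:
    """Minimise the address kept in retained logs: IPv4 keeps the first three
    octets, IPv6 keeps the first 64 bits, so a single host is no longer named."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def map_line(line: str) -> Optional[dict]:
    """One mapping record: which personal-data fields the line carries, the
    purpose/basis assigned to each, and the minimised IP we would retain."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    present = [f for f in FIELD_REGISTER if rec[f] not in ("-", "")]
    return {
        "personal_fields": present,
        "register": {f: FIELD_REGISTER[f] for f in present},
        "retained_ip": anonymise_ip(rec["ip"]),
    }


# Constructed sample lines (documentation addresses, not real visitors).
SAMPLE_LOGS = [
    '203.0.113.45 - - [10/Oct/2018:13:55:36 +0200] "GET /whitepaper HTTP/1.1" '
    '200 5120 "https://example.com/" "Mozilla/5.0"',
    '2001:db8:1234:5678:abcd::1 - - [10/Oct/2018:13:56:02 +0200] "GET / HTTP/1.1" '
    '200 812 "-" "curl/7.61.0"',
]
```

Calling `map_line` on each entry of `SAMPLE_LOGS` yields the record for that line; a second pass over the same script with your cookie and form fields would complete the site's map.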
How do others do it?
Here are 2 examples of what is already being done by companies that take the GDPR into account in their consent requests.
Philips and cookies
Philips states from the first screen how cookies are used on its site and lets the visitor set precisely which type of data the cookies may contain.
This choice is made via a slider with 4 levels of tracking. The cookies needed for the site to operate cannot be declined.
bpost and the forms
bpost is less clear about its intentions when it uses a form to give access to a white paper on direct marketing in the PRDM era.
You don't know exactly what you are committing to, since your data can be passed on to almost any type of company…
It is the UX treatment of a legal imperative that stimulates our thinking as web designers. This will be the subject of our next article.