This design pattern is part of the LINC’s research initiative focusing on interface design. It comes from frequent proposals made by participants of the Data & Design workshops to implement the principle of transparency provided in the GDPR. It can be used and adapted to the specific context of your services and products. However, its reuse as such do not guarantee compliance with the GDPR in general and the principle of transparency in particular.
Using several layers of information within a service facilitates the prioritisation of information required by the GDPR. This makes it possible to progressively inform individuals about the processing of their personal data and avoid overwhelming them with too much information, while respecting the obligation to provide complete and accurate information.
This way of structuring the information offers a more progressive reading flow, allowing for a better assimilation of the information by the reader. Elements are prioritised from the most relevant for people to the most specific and precise. They are also adapted to the user’s expectations according to their context. A user registering for a new service will desire to start using it as soon as possible and will be reluctant to read a long information notices: information limited to the most important aspects of data processing is then relevant. Conversely, a user who takes the step of consulting the privacy policy is more likely to accept a detailed explanation of processing.
Using the pattern in the user journey
► When signing-up: this pattern is very relevant to use at the time of registration as it provides a first level of information to individuals about the processing of their personal data. This pattern is particularly crucial when the person sets their choices, for example by giving or not their consent. It is also crucial when collecting sensitive data, such as health or payment card data. In addition to the first level of information provided, a link to the privacy policy must be available so that the individual can easily access the details of the processing
► In a privacy policy: for this pattern, the privacy policy is generally considered to be the second level of information. It provides a detailed and comprehensive view of the processing that complements the first level of information received. As such, the policy should always be easy to access. If the privacy policy covers different services, it is recommended to provide a third level of information detailing, for each service, the relevant information (data, purposes, duration, accessors, etc.).
► When using the service: this pattern can be used to provide a concise information at the right place and time when using the service. This contextual information is particularly effective in making the person understand a specific aspect of the processing of their personal data by linking it to a concrete use of the service. A common example is the “remember me” checkbox, which can be accompanied by information on the associated data processing appearing on mouse-over with the text “a cookie will be set to remember this information”.
► In case of a problem with the data or its use: this pattern may be particularly relevant where an individual does not understand why some of their data is collected or used. By highlighting the reasons, i.e. the purposes, for which their data is processed, it enables individuals to understand how a processing operation works, which may answer all or part of their question.
Tips
► With this pattern it is necessary to be careful not to multiply the layers, which would make the information difficult to access as it would require many clicks to find certain information or perform certain actions. A two or three layer architecture should be sufficient.
► For a first level of information, the information considered as priority (fr) is: the use of the data (purposes), the identity of the entity implementing the processing (controller) and on how to control its data (exercise of rights). A clickable link from this first level to the second is mandatory
► Excessive fragmentation of information in different places, especially those dealing with the same subject, can compromise people’s access to information, which would potentially not allow them to be properly informed.
► If the information is presented through an information centre with several pages and levels, the use of a breadcrumb trail makes it easier to locate and return to the first level.
Examples
Possible approach
Attention point
Related patterns
