This design pattern is part of the LINC’s research initiative focusing on interface design. It comes from frequent proposals made by participants of the Data & Design workshops to implement the principle of transparency provided in the GDPR. It can be used and adapted to the specific context of your services and products. However, its reuse as such do not guarantee compliance with the GDPR in general and the principle of transparency in particular.
This pattern proposes to give examples of how personal data processing works to help understand it. These may include the type of data collected, security measures, sensitive processing aspects, legal elements or jargon. The examples help to illustrate the information on personal data protection and make it more tangible for individuals.
Using the pattern in the user journey
► When signing-up: this pattern is particularly well suited for an onboarding to provide transparent information to the person about their data and the parameters they choose. For example, each setting can be associated with concrete cases that explain it: who can see a profile if it is private, or which types of passwords are not strong.
► In a privacy policy: this pattern can be used to clarify certain sensitive, technical or legal points in the policy. It can be useful to illustrate the use of data for security purposes such as fraud detection: “We use your data to ensure the security of your account, for example by analysing logins to your account to identify anomalies such as the use of another device (computer or smartphone)”. However, care should be taken to ensure that the examples do not create confusion about the reality of the processing, especially regarding the data collected. For example, “We collect information, such as your IP address, to verify that you are connected” is not specific enough about the data collected for this purpose. Either the category of data processed (e.g. “We collect technical identification information, such as your IP address”) or the set of data used to verify the login to the account should be precisely stated.
► In case of a problem with the data or its use: this pattern can be found in an FAQ in addition to a privacy policy, thus giving an insight into concrete and often encountered cases, allowing people to better understand their own situation through examples. In the context of a social network, such Q&A could include a question about an employer finding its employees on the network (“How did my employer find my account?”), the answer to which would give different likely scenarios. One such scenario might be the network’s built-in means of finding accounts (“Your employer may have used our search function to find your account.”), indicating the information that can be entered for this purpose (“For example, he may have used your phone number, email address, first and last name, or nickname, if known, to search. “) and redirecting to the available way to stop appearing in search results (“If you want to stop appearing in search results, you can disable the feature in your account.”). Another scenario might involve a way external to the network to find the account: “Your employer may have used an external search engine, one of the results of which redirects to your account” and redirecting the person to the means of no longer appearing in the search engine results (“You can manage the visibility of your profile in your account.”).
► When setting one’s preferences: this pattern highlights the consequences of one’s choice when they enable or disable a setting. For example “By enabling geolocation you will see content based on your current location or the places you have been. For example, if you regularly visit a football stadium, we will send you content related to that activity such as information about upcoming football matches.”
Tips
► The examples should not give the impression that they are the only way to use the data, process it etc., if this is not the case.
► Examples should be objective. They should not minimise the extent of a data processing operation or present it in a particularly positive light.
► Examples are not a substitute for full information, use of plain language or definitions of technical terms
► This pattern can also be used in explanatory videos or a table
► The examples are useful in making people aware of processing that may not be visible at first glance.
► In the case of a service already in use, examples can be tailored to real-life situations. For example: “We have identified apparently fraudulent connection attempts from an IP other than the one you usually use” or “We are offering you an advertisement for shoes as a result of searches you have made using the term “shoe”.