This design pattern is part of the LINC’s research initiative focusing on interface design. It comes from frequent proposals made by participants of the Data & Design workshops to implement the principle of transparency provided in the GDPR. It can be used and adapted to the specific context of your services and products. However, its reuse as such do not guarantee compliance with the GDPR in general and the principle of transparency in particular.
This pattern proposes to structure the information related to the processing of personal data by responding to different typologies of questions such as:
- “who“: e.g. “who processes my data”, “who has access to my data”, etc.
- “what“: e.g. “what data are processed?
- “where“: e.g. “where is my data transferred”, “where is my data stored”.
- “when“: e.g. “when is my data collected”, “how long is my data kept”, etc.
- “how“: e.g. “how secure is my data”
- “how many“: e.g. “how many third parties can access my data”, “how can I control my data”.
- “why“: e.g. “why is my data being processed”, etc.
Formulating questions helps to frame the content clearly, making it more accessible. This approach might provide a good match with users’ expectations. It allows people to quickly identify the contents in the sections and to quickly find information about the processing of their data.
Using the pattern in the user journey
► When using the service: this pattern can be used to systematically provide information about certain features of the site. In this way, people get a situated understanding of the processing of their personal data. For example, the following set of questions could be associated with the different features of the service: “What is this feature?”, “What is it used for?”, “What data is used?”, “Who has access to the data?” and “How to disable this feature”.
► When setting one’s preferences: this pattern can be useful to highlight the consequences of the user’s choice when activating or deactivating a setting, etc. For example, when the user sets the use of geolocation in a service, it is possible to explain the use of the data (“Why use this data?”), by whom it can be seen and used (“Who can use this data?”) and the frequency with which it is collected (“When is it collected?”)
► Some data processing is particularly complex and this approach may not capture all aspects of the processing or may be redundant. In this case, this pattern can be used to provide a first level of information leading to more specific and detailed information.
► This pattern is particularly suitable for providing a first level of information. However, care must be taken to ensure that this first level is not vague and is not simply a communication object on the protection of personal data and privacy.
► The different information required by the RGPD might be translated as follows:
|Information required by the GDPR||Question typology||Sample wordin|
|Data controller||Who?||Who is responsible for the use of your data?|
|Recipients||Who?||With whom is your data shared?|
|Data collected||What?||What data do we collect?|
|Purposes||Why?||What do we do with your data?|
|Legal basis||Why?||What are the legal basis?|
|Storage duration||When? / How long?||How long will your data be kept?|
|Transfers outside of EU||Where?||Where is your data stored?|
|Data subjects rights||How?||How to control your data and exercise your rights?|
|DPO contact details||How?||How to control your data and exercise your rights?|