The GDPR is a Design Challenge: An Open Letter to Designers and Agencies

Designers, agencies, consultants – allow me to interrupt your hectic lives for a moment.

I know, times are hard. Market dynamics, consumer appetites, and what we used to quaintly call “channel options” are changing at what seems like an exponential rate. Client expectations are growing faster than their budgets are shrinking. Competition for talent makes an Ultimate Fighter cage match look like a tea party with the Queen Mum.

Could it get any worse? Well, to be honest, yes it could, and it probably will. But it could also get much better, and in the short term – if you look in the right places.

Remember Y2K?

The confusion? The panic? The time bomb ticking down to one second after 12:59:59 pm on December 31, 1999? And remember how it was a boon for firms that were well-positioned and well-staffed to help companies deal with the challenge? Gartner pegged the total spending on Y2K at $300-600 billion. In 1999! And yet almost all of that was IT spending, dedicated to updating or replacing legacy infrastructure.

How great would it be if something similar came along that benefited your firms and called for your expertise in areas like digital marketing, business process (re)design, and design thinking?

Welcome to the Y2K of Digital Marketing

That’s one accurate way to describe the EU’s General Data Protection Regulation (GDPR). It’s also been called “a paradigm change,” “a revolution,” and “a ticking time bomb.” Like Y2K, we know precisely when this bomb will go off: Enforcement (with fines up to €20 million or 4% of a firm’s global gross revenue) begins at 1:00:00 am on May 25, 2018. That’s about 200 working days from now. (And, don’t forget, it affects any and every company, worldwide, that “offers goods and services” in the EU.)

What the GDPR definitely is not is just another regulation, like Sarbanes-Oxley or HIPAA, that will be taken care of by the Compliance Department and IT.

GDPR = Genuine Design Prowess Required

Of course, IT and legal will play massive and essential roles in the response to the GDPR. But with all due respect to the lawyers and the developers, they’re not going to address GDPR challenges like:

  • Business process (re)design: Affected firms will have to carefully evaluate and most likely either scrap or fundamentally redesign every business process that touches the personal data of EU residents in any way.
  • Rethinking digital marketing in the absence of third-party data: Given the new requirements for specific and unambiguous consent, the GDPR will radically restrict if not eradicate the use of third-party data – as well as third-party cookies.

  • New UX paradigms: Any website, mobile app, or other user-facing system that collects personal data will have to be thoroughly redesigned to prominently display “clear and concise” consent requests (and equally, the ability to withdraw consent), often with the use of “layered” consent notices. These can hardly be slapped on to existing interfaces and will require rethinking core elements of UX design.

  • Practicing privacy by design: The GDPR dictates that every affected firm must practice data protection by design (aka privacy by design). Ann Cavoukian, the “founder” of privacy by design, has stressed that this requires a design-thinking approach, which she characterizes as “a way of viewing the world and overcoming constraints that is at once holistic, interdisciplinary, integrative, innovative, and inspiring.”

In short, a “proper” response to the GDPR is virtually impossible without your expertise and experience as designers, digital marketers, and change consultants.

Party like it’s 1999

The GDPR has also been called “possibly the biggest challenge to business this decade.” Frankly, I would change possibly to certainly and extend it from this decade to this century.

Yes, that means it’s bigger than the Great Recession, because the GDPR is a fundamental change in the business environment that requires equally fundamental and system-level adaptations at every affected company.

My message for you is: The changes required by the GDPR represent the biggest business opportunity for digital and design agencies since (at least) the advent of the world wide web.

But it’s about far more than owning the water supply during fire season. The GDPR specifically aims to put consumers back in control of their personal data. Your design, creative, and innovation skills are indispensable in making this transition to trust-based relationships that create value for both buyers and sellers.

The IT guys had all the fun last time. Now it’s your chance to party like it’s 1999. Let’s talk.

Tim Walters, Ph.D.
Tim is a principal strategist and the privacy lead at The Content Advisory, as well as a partner at IOOI Group, and a founding partner of Digital Clarity Group. He writes, advises, and speaks publicly, and aims to help both enterprises and solution providers come to terms with customer experience management (CEM) – while also respecting the privacy and personal data of consumers. For him, this means understanding the fundamental concepts – experience, customer journeys, the jobs to be done – and then designing and implementing the engagement strategies that deliver mutual benefit for both buyers and sellers. His publications include “The CEM Imperative,” an “Executive FAQ” about the General Data Protection Regulation (GDPR), and “Is Native Advertising the New Black?”. Prior to DCG, he was a Senior Analyst and Advisor at Forrester Research, and director of international marketing and strategy for FatWire Software. Earlier, he was a professor at the University of Rochester and New York University.


  • Marcin Grabiński

    Great article. While companies are busy making their existing Apps compliant (are they, really?), most overlook the design aspect. And yet those who don’t, still miss one critical area. Application design is not only its UI, functionality, performance and security. When designing a new App, think how you are going to develop and maintain it. And there it is critical to design data provisioning for tests. It’s so tempting to borrow data from real production databases. In the light of GDPR, do not even think of it. Think #TestDataPrivacy

    • Tim Walters

      Absolutely right, Marcin. This is why I often say that the response to the GDPR must be “system-level” — i.e., not only about design and technology but across the entire business process in everyday usage. You’re also right that using production data for testing has got to stop. At minimum, some kind of data masking has to be applied.