How Can Product Managers Handle User Privacy

Rajat Harlalka
Published in Product Coalition
5 min read · Jun 18, 2018

With all the hype around Big Data, personalisation, better ad targeting and customised user experiences, data has tremendous value in today’s economy. Every product manager wants to understand their customers better. Amidst all this, privacy is often an afterthought. Product Managers focus on how best to collect and exploit user data before creating a system to protect user privacy or writing a privacy policy. Privacy protections become a late addition, bolted on to an app, program or website only to comply with legal requirements or to satisfy user concerns. This is changing now, thanks to laws such as GDPR.

GDPR in Brief

GDPR aims to give citizens more control over their data. It harmonises data privacy law across Europe: a single set of rules and regulations that tell companies how to do data privacy the right way. Europe is taking the first step here; the rest of the world will follow with similar laws.

Good UX and product practice means making privacy policies accessible, and this is what the GDPR now makes legally binding. If the GDPR states that we need to make our consent forms and privacy notices clearer, that means bringing them closer to the user, making them easier to read and more pleasant to interact with. In other words, privacy, data protection and UX are now joined at the hip: there is no room to gloss over the user experience of privacy policies.

Privacy by Design Framework

An approach that Product Managers can take is to adopt the privacy-first best-practice framework known as Privacy by Design (PbD), first drawn up in Canada in the 1990s. PbD is about anticipating, managing and preventing privacy issues before a single line of code is written. The best way to mitigate privacy risks, according to the PbD philosophy, is not to create them in the first place.

For Product Managers, PbD compliance means factoring in data privacy by default:

  • at a product’s initial design stage,
  • throughout its lifecycle,
  • throughout the user’s engagement with the product,
  • after the user’s engagement has ended and the product is phased out.

Design Stage

  • Review contracts with partners and third parties to ensure the data you pass on to them is being processed in accordance with PbD and GDPR.
  • Don’t require unnecessary product permissions, especially those that imply privacy invasion, such as access to contacts.
  • Security of the product should be an important part of the non-functional requirements as well as of the QA cycle.
  • Have a consistent, repeatable and scalable data collection process in place that allows you to easily interpret and use it for decision making.

Lifecycle

  • Minimize the amount of data collected as well as the amount shared with third parties. Be transparent and explicit about what you are capturing, for what purpose, and for how long.
  • You can protect the data privacy of your customers and still perform critical trend analysis. One way to accomplish this anonymization is to encrypt the data elements that personally identify someone.
  • Revisit contact forms, sign-up pages and customer-service entry points. There are two privacy policy/notice UX concepts to look at. Layering lets users access easy-to-understand information first and then delve more deeply if required. With a just-in-time privacy notice, the relevant information is displayed as a pop-up style hint at the moment the user engages with a data field.
  • Enable the regular deletion of data created through these processes.
  • Invest in high quality and secure data storage to safely store customer data.

User Engagement

  • Develop user-centric privacy controls to give customers control. Make it easy for users to view, download, or delete their data.
  • Embed granular opt-ins throughout those notices.
  • Exercise care when integrating social media registrations, logins or sharing.
  • Separate consent for essential third-party data sharing from consent for analytics and advertising.

End of Engagement

  • Periodically remind users to review and refresh their privacy settings.
  • Allow users to download and delete old data.
  • Delete the data of users who have closed their accounts. Removing stale or dated data can help decrease costs and limit the opportunity for misuse, accidents, or exploitation.
  • Delete all user data when the app’s life comes to an end.
  • If historical data may be helpful in the future, consider aggregating, distilling, and analyzing the data and storing the results instead of the original data.
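As an added example (not code from the original article), the two data-handling steps above, pseudonymising identifying fields so that trend analysis still works (Lifecycle) and distilling aggregates to keep in place of the raw records (End of Engagement), written in Python with only the standard library; the key and the sample events are constructed for the demo. One caveat the article does not spell out: pseudonymised data is still personal data under the GDPR (Article 4(5)), because whoever holds the key can re-link tokens to users, so the key must be stored apart from the analytics data.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed demo key. In production the key lives in a key store separate
# from the analytics data; whoever holds it can re-link tokens to users.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Fields that directly identify a person; they never reach the analytics copy.
IDENTIFYING_FIELDS = ("email", "ip")

# Constructed sample events, as a product's raw event log might record them.
RAW_EVENTS = [
    {"email": "ana@example.com", "ip": "203.0.113.7", "day": "2018-06-01", "action": "purchase"},
    {"email": "Ana@example.com", "ip": "203.0.113.9", "day": "2018-06-02", "action": "view"},
    {"email": "bo@example.com", "ip": "198.51.100.4", "day": "2018-06-01", "action": "view"},
    {"email": "bo@example.com", "ip": "198.51.100.4", "day": "2018-06-02", "action": "purchase"},
]

def pseudonymize(identifier, key):
    """Keyed hash (HMAC-SHA256) of an identifier, truncated to 16 hex chars.
    The same input always yields the same token, so one user's events still
    link up for trend analysis, but without the key a token cannot be reversed
    or confirmed against a guessed e-mail address (a plain hash could be)."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def pseudonymize_events(events, key):
    """Replace the e-mail with a pseudonymous user token and drop every other
    identifying field outright (data minimisation)."""
    result = []
    for event in events:
        kept = {k: v for k, v in event.items() if k not in IDENTIFYING_FIELDS}
        kept["user_token"] = pseudonymize(event["email"], key)
        result.append(kept)
    return result

def aggregate_for_retention(pseudo_events):
    """Distil per-day counts per action and distinct users per day. These
    totals are what is kept when the event-level records reach end of life."""
    action_counts = Counter((e["day"], e["action"]) for e in pseudo_events)
    users_per_day = defaultdict(set)
    for e in pseudo_events:
        users_per_day[e["day"]].add(e["user_token"])
    return {
        "events": {f"{day}/{action}": n for (day, action), n in sorted(action_counts.items())},
        "distinct_users": {day: len(tokens) for day, tokens in sorted(users_per_day.items())},
    }
```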

Efficient Data Organization

The good thing is that the key points of GDPR and PbD also include ways to organise data better, so they help product managers find more efficient ways to structure their data as well.

Know what you have and why

You need to know very well which data you are collecting and have good reasons for it. This makes you think about which data you probably don’t need.

Know who is responsible

You need to know who in your company has access to data and why. Too many past data breaches happened because people had access rights going far beyond their needs, sometimes without even being aware of it. Cut these risks.

Know your data structure

This will help companies ask the right questions about data organisation and structure. Where does data flow in? Where is it stored? Where can it go from there? What security and encryption layers are applied at each point?

Encrypt data

Encryption means that only the people and systems that should be able to read your data can read it. If outsiders get access, they won’t be able to make sense of what they are seeing.

Companies need to encrypt all personal data. The technologies for this are common, many companies already use them, and they work and are not hard to implement. There are two states in which data needs protecting:

  • When we are transmitting data through the internet.
  • When we store it somewhere.

Technologies like TLS (often still called SSL) for transmission and RSA or AES for storage are good to look into at the beginning. There are also external service providers that do penetration testing: these teams attempt to break into your company’s systems and afterwards show you how they did it.

Conclusion

Collecting high quality and relevant data about your customers can be considered gold in the eyes of product managers. Successful and engaging products are built on the insights found in user data. However, with consumers becoming increasingly concerned about how and what information is being collected, product managers need to follow online data collection best practices to ensure they do not risk losing the trust of users, negatively impacting their brand or becoming subject to liability litigation.
