Case Study

WIP I / Not my work

GDPR Compliance by 25 May 2018

In the months leading up to the General Data Protection Regulation, the tech industry was sweating.

The new regulation would mean more power to the people. Control over our own information. Finally!

But the big question everyone was asking themselves: how do you comply with GDPR when your business model is dependent on user consents?

Timeline: February - May 2018
Role: UX Designer
Team: 2 UX Researchers, 1 UX Designer (me), Tech Lead, Developer and Product Manager, 1 Lawyer, and 1 Copywriter

Disclaimer: I’m not a lawyer and this is by no means an example of GDPR compliance. This is a white label case study, meaning details and visuals are not disclosed. Contact me for more details.


Everyone who worked on GDPR read through the 48.000-word document. Written by lawyers for lawyers. A painful experience to say the least.

The regulation document states what, but not how. That means everything is up for interpretation. Everyone is going to have their own opinion. There’s no real right or wrong answer.

During the months leading up to the GDPR implementation deadline, we set out to source all the information we could find. Only a few businesses with enough resources were able to do prominent testing and form a solid conclusion on how to comply with GDPR (or, in retrospect, balance GDPR with existing business models).

Failing to comply would mean a fine of up to 10 million euros and the end of the business and hundreds of jobs.

Initial Version Flow Mockups

Initial Version

Based on what we knew from reading through the GDPR regulation document, we set out to implement our initial prototype. It is serious business, so until we knew more, we implemented our “safest” interpretation.

We went for an onboarding type of experience where we taught what GDPR meant for the user. Our reasoning was that we should do the safest possible solution to ensure 100% compliance with GDPR.

Guerilla testing was conducted on the streets using our design prototypes in InVision. Our goal was to understand people's first reactions and whether this was something they would like.

To our surprise, a vast majority didn’t like this at all. It interrupted their intent and they weren’t looking to get a lesson about GDPR. Too tedious and long.

GDPR First Iteration Flow Mockups
Iterated flow based on insight from first version

First Iteration

The insight from our guerilla testing led us to a more simplified version. We still needed consent from users in order to do business. And we still needed to comply with GDPR.

This time we tested it live with 2000 users to gather new insight.

A true aha moment. Less than 20% continued through the onboarding process (not even counting the consents). This would mean the end of the business.

GDPR Second Iteration Flow Mockups
A completely new approach

Second Iteration

The insight we gained from our first ideation led us to completely re-think our approach. How do we actually interpret the new regulation? By now word had spread that “everyone is moving towards a grey zone,” which meant an informative notification with the option to give consent or to learn more about it.

We tested our completely new approach and got a much better (in terms of business) result.

The biggest question now was: are we compliant?

Unexpected Obstacle

On top of our uncertainty, it was made clear that Google is part of The Coalition for Better Ads. SEO is the main traffic source, and potentially hurting our standing with Google would be devastating.

The Coalition for Better Ads states that sticky bars could not exceed 30% of the screen real estate. Beyond that, Google could punish your ranking or worse: as rumored for the near future, Chrome would warn of usage (similar to SSL).

This meant we had to create the same experience with fewer words and visuals. A challenge for our lawyers and copywriters.

GDPR Final Solution
The final solution

GDPR Notice

We ended up with a solution to notify the user about the new GDPR regulation and give an option to consent or access settings. Settings were basically the onboarding experience, with an option to regulate what data you’d want to share.

At this point, I stopped working on the project and a variation of this was implemented live.


The 25th of May 2018 ended up as “privacy awareness day”. The whole point of the regulation is to keep companies such as Facebook and Google from spinning out of control, as well as getting rid of the malicious sharing of personal data. A good thing.

However, many businesses rely on consents; without them, it would mean the end. Until they change their business model there will be a grey area.

We need GDPR to remind us of our privacy. The general consensus is that doing something is better than doing nothing. Unless you’re big and profit hugely on “selling” data.
