On 22nd August 2019, Eva Schlehahn represented the SPECIAL project, conducting a focus group workshop on GDPR-compliant dynamic consent management and UI design This workshop was facilitated in collaboration with Simone Fischer-Hübner, Patrick Murmann and Farzaneh Karegar, who were representatives of the projects Privacy&Us and PAPAYA at the 2019 IFIP Summer School on Privacy and Identity Management.
The workshop, addressing GDPR-compliant dynamic consent management, presented a novel way to inform and communicate with the data subject. During the workshop, participants took the role of the data subject installing a new app providing an event recommendation service. The objective was to see whether the presented UI design for the app installation gives the data subjects sufficient understanding that a digital profile of their preferences will be dynamically created over time and to which data processing they are consenting.
Since SPECIAL as project aims at getting away from rather long and incomprehensible privacy policies and consent requests, a layered UI approach was presented for the app installation to communicate relevant information about the intended processing more effectively and understandably. This UI design provides enhanced control for the data subject and features a possible long-term communication channel to the data subject.
The research objective was to find out whether participants understand:
- the design and modality possibilities (adapted to mobile screens) to manage the user’s consent. This especially applied to the question whether the design presented at the workshop contributed to a sufficient awareness of the data subject to make informed decisions;
- in the moments when consent was being asked, the corresponding data sources, the processing purpose(s) and the context;
- that a user profile would be built up/customized over a longer period of time to accommodate additional services provided by the same data controller. This included a possible re-purposing of personal information collected by other services of the same provider in order to enrich the event recommendation interest profile of the app user.
The workshop was a great success. Workshop attendees with expertise from a range of different professional domains (legal, technical, social) scrutinized the presented UI designs and had lots of creative improvement ideas to eventually be incorporated. Nonetheless, the participants overall welcomed the different approach to obtain user consent, as well as to provide transparency about the intended personal data processing. They strongly encouraged the workshop facilitators to continue their work order to contribute to more GDPR compliant and data subject centric consent management approaches.