SME organizations transitioning to GDPR compliance

NIXZ GDPR Compliance Dashboard

During my graduation period, I conducted research and designed a tool to support SME organizations in their transition to becoming GDPR compliant.

Client Eonics, View NIXZ

Tasks Research, Concepting, Interaction Design, Prototype, Testing

Problem

The problem is that many private organizations are not yet GDPR compliant. Organizations don't know what they need to do to become GDPR compliant, or it costs too much time and money. As a result, organizations risk receiving high fines.

GDPR Compliance for SME Organizations
Step-by-step plan for GDPR compliance, for SME

Approach

First, research was conducted to understand the users' problem and to find out when SME organizations comply with GDPR. The main research question was: "Can a tool support organizations in their transition to GDPR compliance and how?" To answer this question, sub-questions were formulated to structure the research. I used various techniques and methods. First, desk research was used to understand what GDPR entails and when SME organizations are GDPR compliant. Then I defined the user group. Goals and needs were also researched through expert and user interviews.

From the user group, I created personas and user needs. These provide guidelines for the concept and ultimately the design. A competitive analysis was also conducted to discover a new market. Below you can see the personas.

Data Protection Officer Persona
Data Protection Officer Persona
SME Organization Persona
SME Persona

Research Insights

Can a tool support organizations in their transition to GDPR compliance and how?

Yes, a NIXZ tool could provide online support by automating the process of becoming GDPR compliant in a simple way. By having a checklist, step-by-step plan, or flowchart integrated into the website flow, users can be guided through the process. One of the required processes to become GDPR compliant is a processing register. This helps create awareness of personal data processing within the organization. The tool could be expanded in the future with other processes, such as privacy assessments, data breach reporting, etc.

Key Findings:

  • Clear and Organized It has become clear that organizations find it difficult to know when they are GDPR compliant. They don't know exactly when they comply and what documents they need to have. Hiring someone costs too much money and figuring it out themselves takes too much time. My research showed that organizations want a checklist, step-by-step plan, or flowchart. They can follow this for their transition to GDPR compliance.
  • Accessible It's important that the tool becomes accessible to employees and the person responsible for GDPR. This can be achieved by, for example, managing documents in one place and determining who can access them.
  • Insightful According to the SME user group, GDPR is difficult to understand and often takes a lot of time. By explaining GDPR as simply as possible and helping the user in the process, it takes less time to understand everything and become GDPR compliant.
  • Creating Awareness Research has shown that many SME organizations are not always aware of what personal data processing they deal with and where this is all stored. For example, it has emerged that software is used that management or directors are not aware of. A processing register is mandatory according to GDPR and can help with awareness within an organization. The register shows, for example, which systems are used, who the processor is, where personal data is stored and with whom or what it is shared.
Design Criteria Overview
Design Criteria

Concept Phase

Based on insights from the research report, ideas can be conceived. Through various brainstorming sessions, insights can be formed into design choices and concepts. In total, I used three brainstorming sessions. I conducted the brainstorming sessions using the 6-3-5 method. The 6-3-5 method involves 6 participants, each writing three ideas on paper. They pass this paper to the next participant. Each respondent adds three new ideas again. These can also be iterations on the neighbor's ideas. After this is repeated 5 times until the sheets are full, it's time to discuss and evaluate the ideas and solutions. Due to COVID-19, I chose to do the brainstorming sessions online. For this, I used the Miro tool. On this platform, online post-its can be placed. Participants can work together in a project group. Based on brainstorming sessions, a concept was conceived.

Brainstorming Session Results
6-3-5 brainstorming session method

Product Journey

After the final concept was approved by the client, a structure was conceived for the prototype. For this, a product journey was made to clearly outline the navigation structure. This is the structure that users will follow during their process.

Product Journey Flow
Product Journey

Result

Based on the Product Journey, I started sketching and developed a paper prototype from these. The paper prototype is a low-threshold way to test with users. Expert reviews were conducted on the paper prototype with UX Designers and GDPR experts. After the test, I incorporated the insights into the final design.

Dashboard Interface
Screen - Dashboard
Training Module Interface
Screen - Training
Training Details Interface
Screen - Training Details
Document Management Interface
Screen - Documents
System Scanning Interface
Screen - System Scanning