How You Can Use GDPR to Create Win-Win for Your Customers and Your Brand

Posted by Bob Berry on May 22, 2018

GDPR is coming. Are you ready? Do you know your risks and how to mitigate them? More importantly, do you know how to create and validate data privacy experiences that build brand loyalty? The only way to ensure you can rise above growing customer suspicion is to build the online trust that will set you apart.

The new General Data Protection Regulations (GDPR) are for companies doing business in the EU and take effect May 2018. GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. [1]

If you’re selling anything in the EU, and monitoring or gathering user data from users in the EU, you must comply. But you have a clear opportunity to do more than be reactive. Don’t stop at compliance. Carefully think through the impact on your customers and users.


The AnswerLab Data Privacy User Study

With GDPR, the rubber meets the road with real users, real-time, interacting with the websites, apps, software, and other online systems you deploy.

To uncover user perspectives and behaviors about data privacy, learn how GDPR aligns with those attitudes, and establish best implementation approaches for companies and brands, AnswerLab conducted a study with a number of citizens across the U.S. to learn users’: 


Key Findings

  • Participants demonstrated a willingness to abandon apps and merchants, and online activity in general if they felt their privacy was at risk.
  • GDPR represents a significant opportunity to build brand loyalty by addressing the concerns of real users, above and beyond the specific requirements in the regulations. Users are learning, watching, and considering their own next steps carefully.

  • The consequences of poor privacy experiences will be lost customers, diminished brand loyalty, increased support costs, and potentially negative PR - as recent events have demonstrated.

  • Most companies are not getting this right today, and users recognize companies that do it well. Recent news reports significantly increase their awareness and therefore the urgency of acting.

  • Users’ power and responsibility in the online realm extends beyond simply being informed about data privacy and making the right choices in their privacy settings – consumers will vote with their purchasing power and their choices of apps, websites, merchants, etc.

  • The specific GDPR requirements align surprisingly well with the concerns, questions, and frustrations expressed by users in the AnswerLab study – and no users were aware of GDPR. (table below)

  • Many of our findings in this study, and many of the GDPR requirements, are focused on simplifying and streamlining. But the goal is not necessarily to make the privacy selection and control process fast for users. Brands need to create a user experience that builds confidence and helps people feel comfortable that they understand the impact of their choices.

The GDPR Regulation
User Interface and User Experience Considerations [1]


Detailed Findings

One size does not fit all. Users in our study fell into three categories, with the following characteristics:


What's New with GDPR and Your Risks and Opportunities

GDPR and data privacy requirements are not new. What has changed are the risks, consequences, and the opportunities for that win-win if you face the risks head-on with rigorous user testing:

  1. The size of the consequences has increased dramatically. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million ($24.3M USD), whichever is greater. The best way to minimize those fines? Implement intelligently, then test to verify.  

  2. The likelihood that your business practices can incur those consequences has grown: personal profiling of users online has become far more complex and sophisticated, and far easier to install and practice with new apps, software, metrics tools, etc., and is therefore far more of a black box to your company.

    This further increases your risks, because do you really know what you’re collecting and how you’re using it? The only way to know your risks and learn how to eliminate them is to test the systems, interfaces, and experiences you deploy to ensure they meet the GDPR requirements and users’ expectations.

  3. Increased sharing, selling, repurposing, and distribution of personal data - authorized and otherwise - significantly increases the risk that you can lose control of your data. This will put your fate in the hands of others who may not know or even care that you are the source of the data.

  4. The user population is waking up and paying attention, due to the increasing severity and frequency of data breaches and scandals. This further increases your risks due to the greater likelihood of user reporting. And in this case, perception is reality. You can do all the right things, but if users are confused by their user experience or suspicious of your intent, or if you obfuscate the process and the experience, your risks are the same - or greater. And what is the only way to know your risks and discover how to eliminate them? Test to ensure users understand and are confident in their personal data experience with you.

  5. Finally, customers, partners, and the press will want to know your stance on GDPR and how you’re addressing the new requirements. You’ll benefit from taking, acting on, implementing, and publicly stating a user-centric approach, and then demonstrating that commitment by actively and vigorously validating your efforts with real users.


How to achieve win-win for GDPR, Users, and Brands

To meet the GDPR requirements, enhance brands, and address the concerns of real users, companies and their developers must effectively execute on these points:


Brands can’t stop with the implementation of these points - they must test the results, for all three user types. These are complex and varied interactive experiences and without user testing, there’s no way to ensure that all user types will succeed and build the confidence they need to engage companies and brands.

AnswerLab is best positioned to provide the testing expertise and rigor to ensure companies can deliver the win-win for users, GDPR, and their brands. Our experience with major brands like Google, Facebook, Amazon, Walmart, and FedEx includes deep insights into their user populations and their business models that inform the testing process and best design approaches.


[1] From the EU GDPR Information Portal at
Written by

Bob Berry

Bob Berry, a member of our AnswerLab Alumni, was a Principal UX Researcher at AnswerLab with over 20 years of experience in usability, user experience, customer experience, and a variety of market research disciplines. He has conducted thousands of user testing sessions, focus groups, and user experience research projects over many years, for online marketing services, e-commerce sites, email initiatives, call center systems, e-learning programs, promotional web sites, and much more. Bob holds a Bachelor of Science in Computer Science and Math from the University of Nebraska. Bob may not work with us any longer, but we'll always consider him an AnswerLabber at heart!
