What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It imposes obligations on organizations worldwide, so long as they target or collect data related to EU residents. (source)
What counts as personal data? Personal data is any information that relates to an identified or identifiable individual. For example, names or addresses (identified individuals) or location, cookies or even pseudonymous data if easy to link to a specific person (identifiable individual).
In every case, you need a valid reason (legal basis) to process personal data. In the context of User Onboarding, it is almost exclusively unambiguous consent. The users must explicitly agree that their personal data is processed for the purpose of user onboarding.
Even when you receive explicit consent, the obligations do not end there. For example:
- You must collect only data absolutely necessary for the given purposes.
- You must store the data only for as long as necessary to fulfil their specified purpose. It might be necessary to implement a data retention policy and clean up no longer needed data.
- You must store the data in a way that ensures security, integrity and confidentiality. To achieve this, you might need a specific Data Protection Agreement with your non-EU vendor, or to ensure that all data remains stored and processed within the European Union.
How does GDPR influence your user onboarding?
When implementing your user onboarding, there are a few places where GDPR will influence you.
User profile
Some solutions encourage you to build a comprehensive list of user profiles. These profiles can contain a deep understanding of a user (for example name and email address, but also number of Twitter followers) and the previous user behaviour (first seen, last seen, or engagement in the past).
Keeping GDPR in mind, you must collect only data absolutely necessary to fulfil the purpose - user onboarding. For every variable stored or every user profile maintained, you must have a legitimate reason.
Having a deep understanding of a user can be handy when creating new campaigns. It is, however, very costly to maintain the list of user profiles risk-free. When choosing a solution, try to look at solutions designed around principles of zero-knowledge.
(Figure: Example of user profiles)
Data location
When collecting information about your users, you usually become the Data Controller of such data. As a controller you are, simply put, accountable for which data is stored and how it is further processed by you internally, or by vendors you have chosen (find out more).
When choosing a vendor for your user onboarding, you need to make sure that the data you share will be processed in accordance with the GDPR requirements:
- for non-EU vendors or vendors processing the data outside of the EU, you need to contractually ensure the data is safe. Usually, you will need to negotiate a Data Protection Agreement (DPA) as a part of your contract. (find out more)
- for EU vendors processing the data inside of the EU, your life is easier. These need to comply with GDPR by default.
By choosing an EU-based vendor processing the data within the EU you can reduce risks, decrease the time-to-market and save costs for legal reviews.
Usetiful - the European Digital Adoption Platform
Usetiful is a solution for every client that needs to comply with GDPR. We run from within the European Union (incorporated in Estonia) and process data of end-users on a data centre located in the EU.
Usetiful is designed to protect user data by default. The service is built to require a minimal amount of information to fulfil its tasks.
Zero-knowledge
When implementing Smart Tips or Tours without workflow, Usetiful does not need to know anything about your users. We do not collect any personal information and do not store any web cookies. The whole behaviour is triggered by an immediate user action on your site.
If you wish to implement Tours with workflows (for example: show only to new users) without sharing any identifiable user information with us, you can use the User segmentation feature. That way you can share with us, for example, that the current user is "new" and we know which tour to run without collecting any further information.
User segmentation as zero-knowledge
Targeting larger segments, rather than individual users, is a good practice to personalize the service without disclosing any detailed user information. This way you can create a tailored onboarding experience for different locations, languages or user skill levels without compromising on personal data security.
To keep user segmentation in the "zero-knowledge" mode, it is necessary to design the segments in a way that prevents us from identifying a specific physical person by knowing the segment. If the segments are too small or too specific, the benefit can be diminished.
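One way to check segment granularity before sharing any labels, shown as an added example that is not Usetiful code: it counts how many users fall into each combination of segment labels and drops attributes until no combination is smaller than a chosen minimum. The attribute names, the sample rows and the threshold `K_MIN` are assumptions made for illustration.

```python
from collections import Counter

K_MIN = 3  # assumed minimum users per segment; choose a threshold for your own user base
ATTRS = ["lifecycle", "language", "plan"]  # hypothetical segment attributes

# Constructed sample: one row per user, holding only the labels that would be shared.
USERS = [dict(zip(ATTRS, row)) for row in [
    ("new", "en", "free"), ("new", "en", "free"), ("new", "en", "free"),
    ("new", "en", "pro"), ("returning", "en", "free"), ("returning", "en", "free"),
    ("returning", "en", "pro"), ("returning", "de", "free"), ("new", "de", "free"),
    ("returning", "en", "free"),
]]

def small_segments(users, attrs, k=K_MIN):
    """Return {segment: size} for every label combination shared by fewer than k users."""
    counts = Counter(tuple(u[a] for a in attrs) for u in users)
    return {seg: n for seg, n in counts.items() if n < k}

def exposed(users, attrs, k=K_MIN):
    """Number of users who sit in a segment smaller than k."""
    return sum(small_segments(users, attrs, k).values())

def coarsen(users, attrs, k=K_MIN):
    """Greedily drop the attribute whose removal leaves the fewest exposed users,
    until every remaining segment has at least k members."""
    attrs = list(attrs)
    while attrs and exposed(users, attrs, k):
        drop = min(attrs, key=lambda a: exposed(users, [x for x in attrs if x != a], k))
        attrs.remove(drop)
    return attrs

if __name__ == "__main__":
    print("too-small segments:", small_segments(USERS, ATTRS))
    print("attributes safe to share:", coarsen(USERS, ATTRS))
```

Segments that look coarse individually can still single out a person once combined, which is why the check runs on the combination of labels rather than on each attribute separately.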
Web cookies
Sometimes Usetiful needs to remember past user behaviour - for example, to ensure a product tour is automatically started for the same user only once. For that purpose, Usetiful stores a cookie inside the user's device.
Please note that as a Data Controller, you need to have the consent of your users to store cookies on their devices for the purpose of user onboarding workflows.
User profile
Running product walkthroughs on a list of user profiles is a great way of doing user onboarding. It allows, for example, simple personalization of your tours.
It is, however, the most complicated approach when ensuring compliance with GDPR. At the moment Usetiful does not support the creation or maintenance of user profiles.
What is our strategy on this one? We design new features with data protection in mind. We expect to release the feature of the User profile in the future to enable better personalization, but only when we can ensure the highest level of security and compliance without throwing the legal burden on our clients.
(Disclaimer: This article has no ambition to comment on full details of the GDPR, nor does it in any way provide legal advice. We merely aim to highlight where GDPR usually impacts our clients when implementing user onboarding.)