Mediaburst GDPR compliance and UX

Compliance without a whimper (from users, at least)

1 June 2018

So, GDPR happened. It’s so good to be able to say that in a past tense. I know, ‘GDPR never ends’, but the May 2018 deadline was a deadline. And unlike loads of organisations, we were determined to be as ready as we could be. Which wasn’t easy.

We had to apply GDPR to all our business SMS apps and processes, while collecting from both new and existing users all the information we need to provide a service and communicate.

And all done with minimum user friction, without a re-write of everything, and while retaining the integrity of our very short, straightforward and barrier-free sign up process.

Requirements

This was a complex project. GDPR itself if a big subject – and I took my time to really understand the regulation – but we also added in other requirements on top. And it had to work across all our apps.

Communication preferences

For GDPR compliance we had to ditch our old lists and replace with new ones with specific lawful basis for processing. For marketing lists, we needed to:

get specific, positive consent for opt-in to our marketing lists, from:
- new sign ups,
- existing users,
- invited users;
provide a way in each app for users to self-administer their opt-ins.

Terms and conditions acceptance

For GDPR compliance we needed to update our privacy policy, terms and conditions, data processing agreement and data retention policy, we needed to:

get specific, positive acceptance of account terms and privacy policy, from:
- new sign ups,
- existing users,
- invited users;
combine and version our various legal documents to make acceptance easy across apps;
create an audit trail of legal document changes and acceptances.

Other considerations

As well as basic compliance, we also needed to collect some additional information for other purposes (in GDPR compliant ways, of course):

have new account sign-ups tell us their company name (to help us verify account authenticity and deter spammers)
have new account sign-ups tell us their country (to help verify authenticity, and to help us provide assistance around our recently released UK-only signups feature
invite new account sign-ups to request a call back from our support team. Our objective is to create an opportunity to discuss rates, volumes, up-sell and cross-sell.

Process

As with most projects, only a thorough understanding of the subject will cut it. So I learned GDPR. I read a lot. And re-read it several times. And worked though umpteen practical examples, user stories, technical conversations, wireframes and role-plays to really interrogate what we could do within the law, what we should do within the spirit of it, and what was the best thing to do for our users and brand.

And applying everything I know about simplicity.

What came out of the was elegant and deceptively straightforward.

We’re proud of how straightforward our sign up process is. It’s the simplest in the market. Just a handful of fields, a quick verification email and you’re straight into the app. While we needed to collect a lot more information, we didn’t want to spoil what we already had.

The solution was to keep the leave the sign up form largely untouched (just a new terms and privacy policy acceptance checkbox) and instead introduce a new onboarding flow to gather the additional information.

clockwork welcome email — Revised two-step authentication email. Original message was ‘click to verfiy’, new one ‘welcome, now click’ – which is much friendlier and brings the perceived end of account creation much further forward in the process.

Textburst onboarding step 1 — Onboarding step 1: Capture company name (consent) and country based in (contract) to help us verify legitimacy of account and provide information about region specific options.

Textburst onboarding step 2 — Onboarding step 2: Unambiguous consent for call back with clear description about what we’ll use their number for, followed by marketing opt-ins with carefully phrased checkbox labels.

When the form is submitted, users are taken to the app’s front page as per the existing set up.

If they requested a call back, their number isn’t stored in the database with the rest of the info – it’s sent as a ticket to our CRM using their API for customer services to pick up. Also, if they selected anything other than the United Kingdom on step 1, the phrasing of the call back request label changes to be more about discussing international sending.

Existing user reconsents

With the old email lists now assigned to the scrap heap, we needed to get as many re-subscriptions as possible. We also needed to get formal acceptance of the new terms and privacy policy from existing users.

The solution was to do it at next log in, taking users through a similar two-step process to onboarding. For this, step 1 is a brief explanation of why we’re going it (GDPR, blah, blah) with terms checkbox, followed by step two, which is the marketing opt-ins. Quick and simple:

Clockwork GDPR reconsent step 1 — Existing users reconsent step 1: terms and privacy policy acceptance.

Clockwork GDPR reconsent step 2 — Existing users reconsent step 2: marketing preferences opt-ins with carefully phrased checkbox labels.

With the old list now scrapped, we could create the new separate email list of all valid account users, exported directly from our user database. We then sent everyone an email giving a heads up to what will happen next time they log in.

Managing communication preferences

For GDPR compliance – and because it’s a good thing to do – we created a new communication preferences view in the apps, so users can self-administer their marketing preferences. In Textburst, it made sense to combine it with some of the existing app notification preferences.

Textburst communication preferences view — Textburst communication preferences, incorporating new marketing opt-ins and existing notification features.

Creating an audit trail

Getting user consents and terms acceptances is all good, but we also needed to ensure we have a proper audit trail in case we need to prove what was agreed to and when. Which, given the extra risk exposure of GDPR, is perhaps commercially as important as getting the consents in the first place.

To make acceptance and auditing easier, we combined legal documents and moved them onto a new microsite.

legal.mediaburst.co.uk terms microsite homepage — The new legal information microsite contained versioned and permalinked copies of all our legal documents.

Every change to each document is versioned on a major.minor.patch basis and the whole site is managed with restricted GitHub access and merge permissions.

In hand with that, when a user agrees terms we store on their account an audit log of the document name and version number and when they agreed to it. The same goes for when they opt-in or out of the various email lists.

NB: It’s worth mentioning that, having such a thorough understanding of the regulation and how we applied it to the UI and user experience of the apps, I was the best placed person to write the new privacy policy. Which I did. And which was signed off by our legal department with little fuss.

A decent result

What we ended up with was a solution that appeared to users as though little had changed. All the hard work was done by us.

We sent a email to existing users – like everyone else, but a few working days after the big rush on GDPR Day – and with the onboarding pages we briefly interrupted their next log in to ask a few easy questions.
New sign ups are asked few extra questions in an unobtrusive way.
The only noticeable change in the apps themselves is the new communication preferences page.
We got an excellent re-opt-in up rate on the marketing lists and a much higher than expected take up on the cross-selling list.
We didn’t see any negative blips on sign up conversions or existing user log-ins and interactions.

There were no reported issues from users.

And we were ready on time.