Changing the way businesses are regulated in accordance with GDPR
Zelocode is a SaaS-based data privacy management platform.
The platform helps companies and consumers to be clear about the new procedures and protocols that emerged with the GDPR (General Data Protection Regulation).
GDPR Compliance and Challenges
Level of familiarity of companies with the GDPR topic in Brazil in 2020
🙂 31% said they had made changes to the company structure to comply with the law.
💡 63% of the companies stated that they were aware of the GDPR but were still without an adequacy.
Companies were not in compliance with the general data protection regulations
Based on a survey conducted by Serasa Experian in 2020, only 39% of Brazilian companies were compliant with the General Data Protection Regulation (GDPR) that year. This means that the majority of companies still needed to take steps to comply with the requirements of GDPR.
In addition, a survey by the consulting firm ICTS Protiviti in 2021 showed that 75% of Brazilian companies were still not fully compliant with the GDPR. The survey also revealed that many companies still do not have a plan to comply with the GDPR, and the lack of investment in training and awareness of employees is one of the main obstacles to compliance with the GDPR.
For whom are we building?
Profile
IT professionals and IT managers, responsible for overseeing the company's IT infrastructure and ensuring that it complies with applicable standards and regulations.
Generally knowledgeable about the GDPR and its implications for the company, but are facing challenges to implement the changes needed to comply with the law. They have a small and limited team and resources, which makes it difficult to manage all aspects of GDPR compliance.
Because of all this, they need to find an affordable and easy-to-use solution that can help them implement the necessary changes and ensure that the company is compliant with the GDPR.
Goals
-
Conduct a data inventory: João needs to identify what personal data his company collects, processes, and stores, and where it is stored. This is a crucial step to ensure that the company complies with the LGPD's principles of purpose, necessity, and transparency. A compliance tool can help João create a comprehensive data inventory by automatically scanning the company's systems and databases to identify personal data.
-
Implement privacy policies and procedures: João needs to establish privacy policies and procedures that comply with the LGPD's requirements, such as obtaining consent, providing access and correction rights, and reporting data breaches. He also needs to ensure that his employees are trained on these policies and procedures. A compliance tool can provide João with templates and guidelines to create privacy policies and procedures that comply with the LGPD, and can also help him track employee training and awareness.
-
Monitor and manage data protection risks: João needs to monitor and manage the risks that his company faces in relation to personal data protection, such as unauthorized access, data breaches, and non-compliance. He needs to establish controls and measures to prevent and mitigate these risks. A compliance tool can help João monitor the company's data protection risks by providing alerts and reports on potential threats and vulnerabilities. It can also help him manage incidents and breaches by providing workflows and templates for incident response and reporting.
Concept creation
In this project, I chose to use the dynamic Blueprint Strategy to visualise and define the most important aspects of the challenge in creating a platform that could serve businesses in GDPR compliance.
This framework helped us to find, list and categorize in order of relevance, the main challenges, the company's aspirations regarding the proposed tool and the commercial focus areas so that we could better understand the user persona. In addition, we catalogued the guiding principles and objectives that we would like to achieve in the medium to long term.
Next, I suggested we use a group dynamics as well, called "Is, Isn't, Does, Doesn't".
This dynamics gave us a clearer view of the functionalities of the tool, implementation possibilities and the main thing, which was a clear understanding of the team about the limitations and tasks that this system was not meant to perform.
Finally, I created together with the Product Owner of the project, an applicability leveling of the functionalities for the MVP.
With this, we could write stories and epics for the development team to vote on in our first planning meeting.
Concept Validation - Maze
To validate the feasibility of a web platform with a workflow of GDPR compliance services.
In the script that we created, the user is required to log in, access a platform with a dashboard, upload documents inherent to sensitive user data, complete some steps of the compliance workflow, and send the execution confirmation via email.
The participants were chosen based on the proto-persona profile.
During the test session, participants were monitored to identify any difficulties or problems that could affect the expected results.
Since it is a simple tool, no major correction points were found within the service workflow that could impact business decisions.
The insights from the usability test guided us to iterate and improve the design in some points of the interface but without any major challenges.
Also tested were
• Completion rate
• Average completion time
• Steps to task completion
• Error rate and severity
• Satisfaction rates
These metrics served to highlight which tasks had the most trouble during usability testing, also helping us to track potential design redesigns.
Design and Handoff
We created a library of elements to establish minimum consistency and speed up the design delivery process for development.
It was created in accordance with the brand manual and defines basic styles such as typography, spacing and colour, and cross-platform components such as lists, tables and avatars.
Dashboards
The user experience was improved with a user-friendly couple of dashboards and simple-to-use tools.
Users have access to a SaaS platform on which they can find all the necessary tools simply in a side menu.
File upload
The file upload screens with sensitive data provide a sending history of the last files for quick consultation and viewing.
Implementation workflow
It was identified during the research that the steps of the task workflow would bring more confidence to the user with the feeling of a successfully executed task.
Design Sprint and insights
My solution was to create a simple to use platform that resembled a modern and fun visual identity.
After the survey responses and insights gathered in the Design Sprint, I was able to explain to the team and stakeholders the importance of implementing a cookie window aggregator on client websites
File upload
The file upload screens with sensitive data provide a sending history of the last files for quick consultation and viewing.
All in one
By also adding the platform's payment plans, we were able to implement an important request from the business team, which was identified in the Blueprint Strategy.
Closing notes
-
Discovering the Need for a Cookie Consent Banner:
One of the key takeaways was the discovery of the need for an effective cookie consent banner. We understood that users need to have control and transparency over the use of cookies on a website, and ensuring a clear and intuitive experience in this regard became a priority for the platform.
-
Educating Companies about Sensitive Data:
Another significant learning point was the creation of informative tutorials to educate companies about sensitive data and how to protect it properly. We realised that many organisations lacked sufficient knowledge about the topic, and through educational materials and clear guidance, we were able to promote awareness and engagement among companies regarding this crucial aspect of LGPD compliance.
-
Scaling Services in Collaboration with Law Firms:
During the project development, an interesting opportunity arose: the possibility of scaling the platform's services in collaboration with law firms. This strategic partnership allowed us to offer a more comprehensive and holistic approach to regularization, combining specialized legal expertise with the technological solutions provided by the platform.
-
User Experience Insights:
4.1. Identifying the Ideal User Profile:
Regarding user experience, the conducted research played a fundamental role in identifying the ideal user profile for the platform. Contrary to initial expectations, we discovered that the primary users were not necessarily business owners or CTOs, but rather professionals from the legal and compliance sectors. This insight was crucial in directing our design and usability efforts, ensuring that the platform met the needs and expectations of this specific audience.
4.2. The Role of the Data Protection Officer (DPO):
Additionally, a new role emerged during the process: the Data Protection Officer (DPO). We noticed that many companies were seeking professionals specialized in this role to ensure LGPD compliance. As a result, we adapted the platform to provide specific support for DPOs, including relevant features and guidance to aid them in performing their duties.
In summary, this UX journey enabled us to understand user needs regarding the regularisation of companies under the LGPD and apply effective solutions. From implementing the cookie consent banner to creating tutorials, partnering with law firms, and targeting legal and compliance professionals, we were able to provide a more personalised and tailored experience. The inclusion of the DPO role as a key audience also expanded our reach and impact on LGPD compliance. I am proud of all the learnings and achievements attained during this job.
