Return brief and domain research

In addition to the spec document I received, I did a lot of reading on the legislation, interviewed a Data Protection Officer (DPO) and looked at the limited competitor product offering. I also did an audit of Rex CRM to understand the impacts of customer consent on workflows. We needed to:
  • Provide customers a way to give, withdraw or decline consent to being sent emails or letters, or to being called by a representative of the business.
  • Provide customers a way to ask for personal data deletion, request a copy of the data being kept by a business or update their contact details.
  • Give DPOs a way to apply rules that would determine when a certain person's data would be archived and/or deleted.
  • Give DPOs a way to see when consent is expiring and request renewal.
  • Allow DPOs to view and manage multiple instances of a person's data and consent profiles (when a company is multi-entity).
  • Allow Rex CRM users to search the GDPR App (from inside Rex) for existing consent profiles in their parent company.
  • Give Rex CRM users visibility of a person's consent status when sending communications (emails, mail merges etc.) and request consent.
Understanding the problem

Touchpoints and data flow

With touchpoints identified, I visualised the system and channels that would push and pull data between what I thought of as the three interfaces: GDPR App (for DPOs), Customer Dashboard (for end-users, customers) and Source Apps (Rex and other connected apps or accounts).

Within GDPR App, we organised the navigation around distinct DPO workflows:
  • Customer Requests – a place to see requests for data deletion, update and retrieval.
  • Review List – customers whose consent is expiring soon or data is due for archiving.
  • Consent Settings – storing the Privacy Policy (and its versions), creating data deletion rules and more.
  • Customer Profiles – a collation of each instance, or 'Identity', of a person in connected apps.
  • Archive – Customer Profiles with expired data periods.
  • Admin – facilities for user management.
Customer Request list: Requests are sent by customers and received in this list to be categorised, linked to a Customer Profile and processed.
Uncategorised Customer Request: A user progresses by categorising and can view notes and activity in the left pane.
Categorised request: Once categorised, in this case as a Deletion Request, the user must 'Start Processing', allowing the app to begin deletion in all connected apps.
Review List: Customer Identities can be extended for another set duration or 'held' for a short period before Archiving.
Review List: If a Customer's consent is expiring, a user can send a request to renew or manually override.
Expiry Rules: This is a crucial part of setup for users, helping to inform how long a Customer's data can be retained.
Consent Types: These are groups of mailing lists or particular types of communication that a Customer gives (or declines) consent to. A DPO can manage them here and determine how long they're valid for and when they should be notified.
Customer Profiles: A collection of key information about a Customer and a collation of the consent and data in multiple connected Source Apps.
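The Review List, Expiry Rules and Consent Types described above all reduce to one evaluation: given each Identity's last activity, the retention rule, and the validity window of each consent it holds, which Customer Profiles need a DPO's attention today? The following is an added illustration of that evaluation, not code from the Rex CRM or GDPR App projects; the class names, field names, the "hold" and "extension" fields, the Mailchimp source app and all sample records are assumptions constructed for the example.

```python
"""Review List evaluation for a consent/retention app (illustrative, not the project's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ConsentType:
    # Hypothetical Consent Type: how long a 'given' consent stays valid and how far
    # ahead of expiry the DPO wants the profile surfaced for a renewal request.
    name: str
    valid_for_days: int
    notify_days_before: int


@dataclass
class ConsentRecord:
    consent_type: ConsentType
    status: str                       # "given", "withdrawn" or "declined"
    given_on: Optional[date] = None

    def expires_on(self) -> Optional[date]:
        """Only a 'given' consent expires; withdrawn/declined consent is terminal."""
        if self.status != "given" or self.given_on is None:
            return None
        return self.given_on + timedelta(days=self.consent_type.valid_for_days)


@dataclass(frozen=True)
class ExpiryRule:
    # Hypothetical Expiry Rule: retention window counted from the last activity on an
    # Identity, plus how early the DPO wants it on the Review List before archiving.
    retain_days: int
    review_days_before: int


@dataclass
class CustomerIdentity:
    source_app: str
    last_activity: date
    consents: list = field(default_factory=list)
    hold_until: Optional[date] = None       # DPO 'hold': pauses archiving for a short period
    extended_until: Optional[date] = None   # DPO extension of the data period

    def archive_on(self, rule: ExpiryRule) -> date:
        """Archive date: the later of the rule-derived date, any extension, and any hold."""
        due = self.last_activity + timedelta(days=rule.retain_days)
        for override in (self.extended_until, self.hold_until):
            if override is not None and override > due:
                due = override
        return due


def review_list(profiles: dict, rule: ExpiryRule, today: date) -> list:
    """Return one entry per condition that needs DPO attention, earliest date first."""
    entries = []
    for profile_id, identities in profiles.items():
        for ident in identities:
            due = ident.archive_on(rule)
            if today >= due:
                entries.append((due, profile_id, ident.source_app, "archive_due"))
            elif today >= due - timedelta(days=rule.review_days_before):
                entries.append((due, profile_id, ident.source_app, "archive_soon"))
            for consent in ident.consents:
                expiry = consent.expires_on()
                if expiry is None:
                    continue   # withdrawn/declined consent never re-enters the list
                notify_from = expiry - timedelta(days=consent.consent_type.notify_days_before)
                if today >= expiry:
                    entries.append((expiry, profile_id, ident.source_app, "consent_expired"))
                elif today >= notify_from:
                    entries.append((expiry, profile_id, ident.source_app, "consent_expiring"))
    return sorted(entries)


def build_sample() -> dict:
    """Constructed sample data: three profiles across two connected Source Apps."""
    marketing = ConsentType("Marketing emails", valid_for_days=365, notify_days_before=30)
    return {
        "p-001": [CustomerIdentity("Rex CRM", date(2022, 7, 1),
                                   [ConsentRecord(marketing, "given", date(2023, 6, 15))])],
        # Withdrawn consent and a DPO hold well into the future: nothing to review yet.
        "p-002": [CustomerIdentity("Rex CRM", date(2021, 1, 10),
                                   [ConsentRecord(marketing, "withdrawn", date(2022, 1, 1))],
                                   hold_until=date(2024, 9, 1))],
        # No consents at all and long past retention: archive is due.
        "p-003": [CustomerIdentity("Mailchimp", date(2021, 5, 1))],
    }


def sample_review(today: date = date(2024, 6, 1)) -> list:
    rule = ExpiryRule(retain_days=730, review_days_before=60)
    return review_list(build_sample(), rule, today)


if __name__ == "__main__":
    for on, profile, app, reason in sample_review():
        print(f"{on}  {profile:<6} {app:<9} {reason}")
```

The design point worth noticing is that withdrawn or declined consent produces no expiry at all, so a profile can only come back onto the Review List for a renewal request while the consent is still "given"; a DPO hold or extension only ever pushes the archive date later, never earlier, and is respected by the same rule that drives archiving rather than bypassing it.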

Customer Dashboard

In line with the GDPR legislation, Customers must be given provision to:
  • Request a copy of the data held by a business (Subject Access Request).
  • Request the deletion of their data.
  • Request an update to their data, i.e. name, email address or phone number.
A first-pass wireframe of the Customer Dashboard home screen.

Source Apps

Any source app connected to GDPR App would have its own way of communicating and its own capacity to input and output information. In the case of Rex CRM, the following workflows were designed to make it easy for users to view, request and act on consent (or the lack of it).
Linking and viewing a Consent Record in Rex CRM.
Manually updating a Consent Record status.

So fresh, so risky

This project was great exposure to the end-to-end conception and holistic design of a web app. It was particularly fulfilling to work with our UI designer on a new system that would be flexible and reusable within our design team.
On the challenging side, writing the microcopy for the GDPR app was a valuable exercise in finding an appropriate (and important) level of detail without overwhelming a user. The function of the app and the legal and business implications of its workflows are huge, so testing and iteration were crucial.