Making GDPR Usable: A Model to Support Usability Evaluations of Privacy
share
We introduce a new perspective on the evaluation of privacy, where rights of the data subjects, privacy principles, and usability criteria are intertwined. This new perspective is visually represented through a cube where each of its three axes of variability captures, respectively: principles, rights, and usability criteria. In this way, our model, called Usable Privacy Cube (or UP Cube), brings out two perspectives on privacy: that of the data subjects and that of the controllers/processors. In the long run, the UP Cube is meant to be the model behind a new certification methodology capable of evaluating the usability of privacy. Our research builds on the criteria proposed by the EuroPriSe certification scheme by adding usability criteria to their evaluation. We slightly reorganize the criteria of EuroPriSe to fit with the UP Cube model, i.e., we show how the EuroPriSe can be viewed as a combination of only principles and rights, forming the basis of the UP Cube. Usability criteria are defined based on goals that we extract from the data protection regulations, at the same time considering the needs, goals and characteristics of different types of users and their context of use. The criteria are designed to produce measurements of the level of usability with which the privacy goals of the data protection are reached. Considering usability criteria allows for greater business differentiation beyond GDPR compliance.
READ FULL TEXT