Key Tension Points and Design Guidelines for GDPR Compliance: Designing for a News Service Application
Abstract: Digitization poses a threat to the fundamental rights of individuals' personal sphere. This is due to deficiencies within the current bylaws to protect data subjects' privacy and the lack of social codes for handling privacy in the virtual space. The colossal amount of implicit data processing takes away data subjects' control over their personal data. In order to protect data subjects from this treacherous relationship between stakeholders and data subjects, the European Union has issued the new General Data Protection Regulation, which was enforced in May 2018. Companies operating within the EU thereby face substantive legislative reform in data protection. However, there are currently no guidelines for how to adapt to the new regulation on processing personal data, especially for subsidiary companies. This study therefore addresses this gap by detailing the design process of attaining GDPR compliance for a subsidiary news service application. From this process, nine key tension points were identified and reformulated into five design guidelines more broadly applicable to design for privacy. In addition, two boundary objects and a transparency-layer strategy were formulated.