Target Data Discovery

UX Design | Enterprise UX | Desktop Design

My design allows users to set up data and system integrations, fetch data automatically from those integrations, and edit and share data reports with consumers.

Time Frame

Three-week design sprint in July 2019

My Role in Project

User research, Design and Prototype, Usability Testing

Project Background

Target data discovery is the much-needed automation for privacy laws

It started with the privacy law requirements of the GDPR from the European Union and the CCPA from California, United States. Both the GDPR and the CCPA define a type of data request for data access.

For consumers: Under the CCPA and GDPR, consumers can request to see what data categories and specific data points a business stores about them, and subsequently require deletion of that data.

For businesses: It has been a challenge for businesses to respond to these regulatory requirements and to detect exactly where consumer data exists in order to access, port or delete it and comply with these laws. As a result, many of our enterprise customers need a way to gather data reports from a number of external systems, combine these data points into a report, and send it to the data subject.

Project Goals

With the launch of the CCPA, we want users to have a fully automated, beginner-friendly and secure data discovery feature.

Before the CCPA requirements took effect in Jan. 2020, we received a large number of customer requests to include data discovery features within the OneTrust platform. The goal is to help automate the data retrieval and fulfillment process across roughly 50 to 200 data systems for consumer data access and deletion requests. Our clients need a way to compile this data so that they can provide results to the consumer.

Goal #1

Full Process Automation

Targeted Data Discovery needs to provide automation to discover, delete, redact and opt out, and to process access, deletion or CCPA opt-out requests, retrieving a consumer's information from the relevant systems only.

Goal #2

User Friendly Interaction

Our user does not have to know much about IT or data science to set up automation and retrieve information. The interaction needs to be easy and in plain language.

Goal #3

High Level of Data Security

Our clients are dealing with private personally identifiable information, such as name, address and social security number. We need to ensure that this information is protected and can be redacted where possible.

Product Demo

Final Product 

The final product includes a number of features, such as selecting data identifiers to further narrow down hundreds of thousands of records, editing and reordering data reports, and sharing reports with consumers.

Automate Key Steps Including Identity Verification and Exception Processes

Look up additional identifiers that may be used in other business systems. Check databases and systems for legal holds or other exception triggers.

Redact data to protect the privacy of the consumers 

Leverage data redaction to hide sensitive personally identifiable information before sharing with other parties.

Fully automate the fulfillment process of consumer rights requests

Automate each manual step used to process consumer rights and opt-out of sale requests leveraging flexible Integration Workflows.

Communicate and share request deliverables with consumers and data subjects via a secure messaging portal.

User Research and Discovery

At the start of the project, I had nothing but the full text of the CCPA and abstract ideas from clients. Because I did not yet have specific goals or a clear mission for the data discovery experience, I scheduled observation sessions as well as focus group discussions with clients of different sizes to understand a few questions.

What does data discovery mean for our clients?

• Who: In order to fulfill a data request, who, or what roles, are involved from start to finish?
• When: At what stages of the workflow is each persona or role involved in setting up, retrieving and compiling the data report?
• How: How many systems do enterprise users and admins need to process for a single request? What formats is this data in?

From the three observation sessions, we got a glimpse of how data requests and data discovery are handled in organizations of varying sizes. Interestingly enough, there was as much variance as similarity in their expectations for this new feature. We based our initial findings heavily on this user research.

Finding #1

Across the organizations, subtask assignees will be the main personas to interact with data discovery.

However, a number of supporting personas and roles will assist the subtask assignee, from setting up data discovery to final legal reviews. Sketching out personas and roles is the first step in defining tasks and use cases, but because of the time and resource limits for the MVP, the focus will be on subtask assignee workflows. Further priority will be given to 1. DSAR admin, 2. Legal consultants and 3. Request approver.

Finding #2

Narrowing down the use cases for the main and supporting personas, there are four high-level requests: edit, review, redact and share.

To build upon the task analysis, I gathered and synthesized a list of more detailed use cases from the personas and roles. The MVP will be focused on four high-level features: to edit the data returned from the system subtasks, to redact sensitive information, to review the report internally among supporting roles and finally to share it with data subjects.

Finding #3

The slowness of current workflows is not only due to the absence of a data discovery feature, but also the result of a few pain points.

The pain points were fairly self-evident in these observation sessions and discussions, mostly around data security, data sharing and overall slowness in handling requests. I summarized them into design guidelines for the subsequent ideation and design phase.

Step Two: Design and Prototype

After communicating with users and clients on use cases, I moved on to narrowing down the scope based on the timeline the product manager gave me. My plan was to produce an MVP version of the design and gather feedback to iterate on enhancements.

At a high level, priority was given to:

Design Goal #1

Need a way to review targeted data discovery results in a single view.

Design Goal #2

Results should be shown in a user-friendly format, not raw JSON.

Design Goal #3

Need a way to redact information from the result set.

Design Goal #4

Need a way to identify the sources of the results.

Design Goal #5

Need a way to export redacted results into CSV or PDF format.

Design Goal #6

Need a way to share the redacted results with the consumer.

Technical Flowchart

The ideation and design process starts with a high-level technical flowchart to involve the developers in the UX process.

This target data discovery project was a little different: the design involves a lot of backend integrations and technical requirements, so I worked with the developers to draft a high-level flowchart of the whole service process. This is how I usually involve developers in my design process, and it has worked well for informing the team about my design process and raising UX awareness across the whole team.

User Flowchart

Since I had already established a detailed design system and component library for DSAR, only detailed flowcharts and key screen wireframes were needed.

These flowcharts guided me through the user journey for the different use cases. The key screen wireframes also worked well to establish the look and feel of the data editor, and they helped me see whether I had crammed too much information and too many elements into one page, something I tried hard to avoid in order to keep a clean interface. Here I assumed that the users, whether the subtask assignee or other secondary roles and personas, would not have used similar data processing or discovery tools before.

Flow for Setting Up Data Discovery

Flow for Configuring Data Discovery Report

MVP Final Designs

MVP designs were created to gather further feedback for enhancements and iterations.

The plan was to have the MVP designs ready for SUS and heuristic evaluations. Further enhancements will be built upon the MVP.

Onboarding

To introduce users to the new feature, a banner is shown at the top of the dashboard. If users have not yet purchased the feature, they can submit their interest. If they have already installed the new feature, they can start by setting up a new data discovery automation.

Exclude Data from Reports

Users can exclude results by moving unwanted data rows into an excluded group.

Redact Data from Report

Some of the data involves sensitive personal information and needs to be removed or redacted to protect identity. Our system allows redaction of any data point.

Share Reports

The last step of data processing is sharing the relevant data and the data report with the consumers.
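The exclude, redact and share steps above (and Design Goals #3 and #5, redaction and CSV export) can be illustrated in code. The following is an added example written for this page, not OneTrust's implementation: it takes constructed discovery results tagged with their source system, moves unwanted rows into an excluded group, replaces the values of selected sensitive fields, exports the remainder as CSV, and re-parses the export to confirm that no original value of a redacted field survived before the report is shared. The system names, field names and sample values are all made up for the example.

```python
"""Added example: build a shareable DSAR data report from discovery results.

Illustrative code written for this page, not the product's own implementation.
It models three MVP steps: exclude unwanted rows, redact sensitive data points,
and export what remains (the share step is represented by a CSV export).
"""
import csv
import io

REDACTED = "[REDACTED]"
COLUMNS = ["system", "field", "value"]

# Constructed sample of what automated discovery might return: one row per data
# point, tagged with the source system so reviewers can see where it came from.
SAMPLE_RESULTS = [
    {"system": "crm", "field": "name", "value": "Jane Example"},
    {"system": "crm", "field": "email", "value": "jane@example.com"},
    {"system": "billing", "field": "ssn", "value": "123-45-6789"},
    {"system": "billing", "field": "address", "value": "1 Sample Street"},
    {"system": "support", "field": "note", "value": "internal ticket text"},
]


def exclude_rows(rows, exclude_systems=(), exclude_fields=()):
    """Split rows into (kept, excluded). Excluded rows stay available
    internally but never reach the shared report."""
    kept, excluded = [], []
    for row in rows:
        if row["system"] in exclude_systems or row["field"] in exclude_fields:
            excluded.append(row)
        else:
            kept.append(row)
    return kept, excluded


def redact_rows(rows, redact_fields):
    """Return copies of rows with the value of every redacted field replaced.
    The input list is left untouched so the unredacted data is not lost."""
    return [
        {**row, "value": REDACTED if row["field"] in redact_fields else row["value"]}
        for row in rows
    ]


def export_csv(rows):
    """Serialise rows to CSV text with a fixed header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_csv(csv_text):
    """Read exported CSV text back into a list of dicts (used for verification)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def verify_no_leak(csv_text, source_rows, redact_fields):
    """Parse the export and confirm that no original value of a redacted field
    survived. Parsing instead of substring matching means CSV quoting cannot
    mask a leak."""
    sensitive = {r["value"] for r in source_rows if r["field"] in redact_fields}
    return all(row["value"] not in sensitive for row in parse_csv(csv_text))


def build_report(rows, exclude_systems=(), exclude_fields=(), redact_fields=()):
    """Exclude, redact, export, then check the export before it is shared."""
    kept, _excluded = exclude_rows(rows, exclude_systems, exclude_fields)
    csv_text = export_csv(redact_rows(kept, redact_fields))
    if not verify_no_leak(csv_text, kept, redact_fields):
        raise ValueError("redaction check failed; report must not be shared")
    return csv_text


if __name__ == "__main__":
    print(build_report(SAMPLE_RESULTS, exclude_systems=("support",),
                       redact_fields=("ssn",)))
```

The check in `build_report` is the part worth keeping in any real pipeline: redaction is applied to a copy, and the artifact that will actually be shared is read back and compared against the sensitive values rather than trusting that the redaction step ran.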

Step Three: Feedback and Iterations

Through a SUS questionnaire with clients, we had a score of around 85, slightly above the 70th percentile ranking. There was a mix of comments on good design and on points that need improvement. We also conducted a follow-up focus group for more detailed feedback for future release iterations. Overall, we received the following feedback:

We also iterated based on the customer feedback:

Enhancement #1: As the approver of a request (or a system), I need a way to combine the manual subtask results with the automatically fetched data so that I can share all the information at once with the consumer.

I updated the attachment modal to accommodate including local and online attachments in reports.

BEFORE: Only data discovery reports were available; other relevant files could not be included.

NOW: Users can upload local files, combine local and online attachments, and share them.

Enhancement #2: As the approver of a request, I want to reorder the data fields within each results group and share the reports with this order.

I added a new flow and feature to reorder the data rows within a group and across groups.

BEFORE: The old design did not support reordering of data elements and rows.

NOW: Users can reorder within the same data group and across groups.

Enhancement #3: As the reviewer of a request, given that the system has automatically completed a lookup to find all internal identifiers associated with the requestor, I need a review screen/modal from which I can review the related identifiers AND choose 1-N identifiers with which the system should run subsequent data retrieval or data deletion tasks.

BEFORE: The old design did not provide a further lookup among thousands of data rows and elements.

NOW: Users review and select identifiers to reduce the data volume.

Design Outcomes and Takeaways

This was a very exciting project to work on because of its close connection with the clients and the amount of research involved. Through multiple iterations, we have arrived at a good solution for now. There are a few takeaways I will apply to future iterations in terms of product and research processes.

Researching and defining the MVP is the first step to a good product.

All projects are limited by time frame and resources. A true MVP and a well-defined starting scope save time and energy and eliminate distractions. It is also good to involve frontend and backend developers in the design process, so I know beforehand which features are simply not shippable.

Always fight for good UX.

As mentioned previously, having the support of the product owners and developers helps me a lot. But that also brings strict technical constraints. It is important to stand my ground as an advocate for user experience in the organization, and to persuade all parties not to sacrifice good UX.