Tag: FDA

Navigating data privacy regulations in formative and summative usability testing: A comprehensive guide

Empower your usability testing activities, starting by respecting your test participants.


In the ever-evolving landscape of professional usability testing, ensuring data privacy and security is more than a compliance necessity—it’s a commitment to trust and transparency.

Navigating privacy and data laws in usability testing can be complex due to the constant updates and legal jargon. What essential knowledge do usability professionals need to stay compliant?

This comprehensive guide will help you navigate the complexities of data privacy regulations like GDPR, CCPA, CPRA, and beyond, ensuring that your formative and summative usability testing practices under IEC-62366-1 and the FDA guidance "Applying Human Factors and Usability Engineering to Medical Devices" are not only compliant but also respectful of participant privacy.

We created this guide to help answer those questions. We’ll cover:

  • The importance of data privacy and confidentiality in usability testing
  • Information about privacy regulations like GDPR, CCPA, and CPRA
  • Compliance tips for usability professionals
  • Additional resources on privacy and data laws

Ensure you consult your legal team to confirm that your usability testing practices comply with current laws. Use this guide as a reminder to handle user privacy and data with greater intention and care during your evaluation activities.

Why data privacy matters in the Usability Engineering Process

Privacy and confidentiality in usability testing are critical not just for compliance but for maintaining the trust of your participants. When participants feel their data is secure, they are more likely to engage openly, providing richer and more valuable insights and being open about the root causes of use errors that occur during the test sessions. Effective usability testing relies on this trust, making it essential to prioritize data privacy from the outset.


Importance of privacy in Usability Testing

Usability testing of medical technology often involves participants sharing personal data about themselves, and everyone has different expectations when it comes to privacy. For usability engineers, accommodating these varying privacy preferences while complying with privacy laws should always be a priority. Ensuring privacy in usability testing not only protects participants but also enhances the quality of the research and testing outcomes.

Privacy should be considered throughout the entire testing lifecycle—from recruitment to data storage post-evaluation. This proactive approach not only protects participant information but also upholds ethical standards. When participants trust that their data is handled with care and transparency, they are more likely to provide honest and comprehensive feedback, leading to more accurate and useful insights.

Here’s a graphic that outlines how GDPR affects usability testing during each phase of the project:


The role of privacy regulations

Several key privacy laws impact how usability experts handle participant data. Understanding these regulations is crucial for managing participant data responsibly and transparently. These regulations establish the legal framework for data protection, ensuring that personal data is collected, processed, and stored securely. By adhering to these regulations, usability engineers can protect participant privacy and avoid legal pitfalls.

Understanding key privacy regulations in the EU – General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that applies to organizations handling the data of EU residents. Implemented on May 25, 2018, GDPR mandates strict data handling practices and imposes significant penalties for non-compliance, including fines of up to 4% of annual global turnover or €20 million, whichever is higher.

Key GDPR Requirements for Usability Experts

  • Manual Opt-ins: Participants must actively opt-in for their data to be processed. Pre-checked boxes are not permitted.
  • Minimal data collection: Collect only the data that is essential for your evaluation scope.
  • Informed consent: Ensure participants understand what data you collect and why, using clear and concise language.
  • Data security: Implement robust security measures to protect participant data from unauthorized access and breaches.
  • Participant rights: Participants can request access to their data, corrections, and deletion.

Looking overseas – US & Canadian regulations

In the United States, there is no single, comprehensive federal regulation equivalent to the European Union’s General Data Protection Regulation (GDPR). Instead, data privacy and protection are governed by a complex patchwork of federal, state, and sector-specific laws, each targeting specific aspects of data privacy and protection. Businesses operating in the U.S. must navigate this intricate regulatory landscape and comply with relevant federal laws and the specific state laws where they operate or have customers. For businesses working internationally or with a significant presence in both the U.S. and EU, it is crucial to establish robust data privacy practices that can adapt to various regulatory requirements. Here is an overview of major regulations to be considered:

Federal regulations

  1. Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information.
  2. Gramm-Leach-Bliley Act (GLBA): Protects consumers’ personal financial information.
  3. Children’s Online Privacy Protection Act (COPPA): Regulates the online collection of personal information from children under 13.
  4. Federal Trade Commission (FTC) Act: Prohibits unfair or deceptive business practices, which includes certain privacy and data security practices.
  5. Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian law governing the collection, use, and disclosure of personal information in the course of commercial activities.

State regulations

California Consumer Privacy Act (CCPA): The California Consumer Privacy Act (CCPA) offers similar protections to GDPR but is specific to California residents. It was signed into law in 2018 and aims to enhance privacy rights and consumer protection. Key CCPA requirements for usability professionals are:

  • Transparency: Clearly communicate data collection practices to participants, including what data is collected and how it will be used.
  • Opt-out Options: Provide easy mechanisms for participants to opt-out of data sharing and collection.
  • Data access and deletion: Allow participants to request access to their data and deletion upon request. Make this process straightforward and accessible.

California Privacy Rights Act (CPRA): The California Privacy Rights Act (CPRA), which took effect on January 1, 2023, expands upon CCPA, offering additional rights and protections. CPRA mandates more stringent data handling practices and greater transparency. Key CPRA Requirements for Usability Professionals:

  • Expanded rights: Participants can restrict the use and disclosure of sensitive information.
  • Opt-out consent: Ensure participants can easily opt-out of data collection, enhancing their control over personal information.

  • Virginia Consumer Data Protection Act (VCDPA): Provides similar rights to consumers as the CCPA.
  • Colorado Privacy Act: Another state-level regulation with consumer rights and business obligations akin to the CCPA.
  • New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act: Requires businesses to implement safeguards to protect the private information of New York residents.

We recommend consulting the guidance and resources provided by the European Commission and, for the UK, the UK Information Commissioner’s Office (ICO) for the most up-to-date and accurate best practices for GDPR/UK GDPR compliance.

Best practices for compliance

6 steps to ensuring GDPR compliance in usability tests

The GDPR is the most robust global privacy law in effect today, but it shouldn’t be scary! Designed to keep pace with how the world has changed, it helps people make sense of and control how their data is used. Understanding and sharing the experiences and perspectives of the people we learn from means processing a lot of personal data. So, understanding and complying with laws like GDPR is critical to ensuring safe, legal, and ethical research and usability testing. Here’s how to ensure your practices are GDPR compliant:

Step 1: Familiarize yourself with the basics

Get to know the GDPR requirements and principles to ensure you understand your obligations as a researcher or tester. The GDPR outlines specific rules around data protection, including consent, transparency, and data minimization. To help you get started, we’ve written a short guide to GDPR for User Research, introducing you to the principles, people’s rights, legal bases, and other general terms.

Step 2: Map your current data flows

Knowing what you are doing right now is an excellent place to start. Perform a data audit of your research and testing practices to understand what personal data you collect, how it is used, where it is stored, and who has access to it. A clear picture of your current practice will help you identify potential GDPR compliance issues and areas for improvement.

Because we often work in our own ways, doing this with your wider team can give you a clearer understanding of how data is handled across your team. We created a Data Mapping Workshop to help you run this remotely or in person. Once you’ve mapped out the types of data you collect, where they’re stored, and who has access to them, you can transfer this into one of the central documents for GDPR compliance – your Record of Processing Activities (ROPA).

The ROPA is a document that contains information about an organization’s processing of personal data. It provides:

  • A detailed description of the type of personal data being processed.
  • The purpose of the processing.
  • The categories of data subjects.
  • The recipients of the personal data.
  • Any cross-border transfers of personal data.

The ROPA is an essential tool for GDPR compliance, as it helps organizations demonstrate their accountability and transparency concerning their processing activities. Organizations are required to maintain an up-to-date ROPA and make it available to supervisory authorities upon request.

Step 3: Make friends with your DPO

The GDPR requires an organization to appoint a Data Protection Officer (DPO) if:

  • The organization is a public authority or body.
  • The organization’s core activities require large-scale, regular, and systematic monitoring of individuals (for example, online behavior tracking).
  • The core activities consist of large-scale processing of Special Category Data or data relating to criminal convictions and offenses.

The DPO’s job is to assist your organization to:

  • Monitor internal compliance.
  • Advise on your obligations under data protection laws.
  • Advise and guide you on Data Protection Impact Assessments (DPIAs).
  • Act as a point of contact for data subjects (in our context, your participants) and the data protection authorities.

If you have a DPO, this guide will help you start those conversations on the same page. Here are some questions you might want to ask:

  • Could we see the existing ROPA?
  • What is the current process for Data Protection Impact Assessments (DPIA)?
  • How do we currently handle Data Subject Rights requests?
  • How are incidents and breaches reported and managed?
  • How does the DPO review processors?
  • How are cross-border transfer mechanisms handled?

If you don’t have a DPO at your organization, you’ll still need to complete the following steps. Not having a DPO doesn’t exempt you from GDPR compliance.

Step 4: Implement data protection by design and by default

The practice of Usability Ops is to develop systems and services that enable usability testing to happen within an organization. When designing those systems or services, we can use design principles to help us factor in these considerations.

The core ideas behind Data Protection by Design and Default are embodied in the seven fundamental principles of Privacy by Design:

  • Be proactive: Prevent privacy issues before they happen. Develop a culture of privacy awareness across your team.
  • Privacy by default: Protect participants’ data without requiring them to do anything.
  • Design with data protection in mind: Consider data protection from the start.
  • Avoid trade-offs: Incorporate all legitimate objectives while complying with obligations.
  • Implement robust security measures: Use access controls, encryption, and pseudonymization.
  • Transparency: Be clear with participants about what data you collect and how you use it.
  • Prioritize participants’ interests: Give them control and appropriate notice if things change.

Data protection by design ensures that you comply with the fundamental principles and requirements of the GDPR and forms part of the focus on accountability.

One way to implement data protection by design and default into your usability testing practice is by using Data Protection Impact Assessments (DPIAs). You’ll need to do a DPIA whenever you plan to:

  • Embark on a new project involving the collection of personal data.
  • Introduce new IT systems for storing and accessing personal information.
  • Participate in a new data-sharing initiative with other organizations.
  • Initiate actions based on a policy of identifying particular demographics.
  • Use existing data for a “new and unexpected or more intrusive purpose.”
  • Review or audit an existing system or activity.

Article 35(1) of the GDPR states that you must do a DPIA where processing operations are likely to result in a high risk to the rights and freedoms of individuals.

Step 5: Obtain valid consent

Ensure that you have obtained valid and informed consent from research and testing participants, clearly and understandably. Participants should have the right to withdraw their consent at any time. During the process of obtaining consent, you’ll need to evidence:

  • The information disclosed to your participant at the point of obtaining consent.
  • Precisely how your participant was asked for consent.
  • When your participant gave their consent.

Consider the participant’s experience during this phase. Ensure the format is accessible and in plain language. Make sure information is disclosed in the participant’s first language.

Step 6: Implement appropriate security measures

It’s essential to make sure that personal data is safe and secure throughout the evaluation process. This may include pseudonymization, encryption, and access controls to protect against unauthorized access, loss, or theft of personal data. Your data map from step 2 should highlight the security measures you have in place across your usability testing workflow. Some quick wins that can dramatically improve your security are:

  • Use a password manager or Single Sign On (SSO) for account management.
  • Enable two-factor authentication (2FA) on all accounts holding your participants’ data.
  • Use dedicated tools with encryption and access controls for larger data sets, such as your participant database or research repository.

Cross-border transfers

Cross-border transfers under the GDPR involve moving personal information from the EU or EEA to a third country. The GDPR has strict rules to protect people’s personal information during these transfers. Although personal information can be transferred for valid reasons like business or legal purposes, the transfer must comply with GDPR rules so that people’s rights remain protected.

The GDPR requires that the data controller or processor transferring personal data outside the EU/EEA must ensure an adequate level of protection for the data. This might mean:

  • Obtaining explicit consent from the data subjects.
  • Signing a data processing agreement with the recipient.
  • Relying on specific legal mechanisms, such as standard contractual clauses or binding corporate rules.

Implementing compliance in usability testing

Practical tips for GDPR, CCPA and CPRA compliance

  • Informed Consent: Develop detailed consent forms that are easy to understand and separate from other agreements. These forms should clearly explain what data will be collected, how it will be used, and participants’ rights.
  • Data processing awareness: Understand your organization’s role in data processing, whether as a controller or a processor. Ensure that all third-party tools and services used comply with GDPR requirements.
  • Participant control: Implement systems that allow participants to access, correct, and delete their data easily. This includes setting up processes for responding to data requests promptly.
  • Sensitive data caution: Justify the need for collecting sensitive data and ensure additional safeguards are in place to protect this information. Regularly review and update data protection measures.
  • Documentation and record keeping: Maintain thorough records of all data processing activities, including consent forms, data audits, DPIAs, and any data breaches. This documentation demonstrates compliance and provides a clear trail for auditing purposes.
  • Minimal data processing: Process only the most necessary personal information for your research and testing purposes. Avoid collecting excessive data that does not serve a clear purpose.
  • Updated privacy policies: Regularly update your privacy policies and notices to reflect any changes in data collection practices or regulatory requirements. Ensure that these documents are easily accessible to participants.
  • Data retention policies: Establish clear policies for data retention, outlining the types of data collected, their purposes, and the duration for which they will be stored. Regularly review and delete data that is no longer needed.
  • Breach prevention: Implement robust security measures to prevent data breaches, such as single sign-on (SSO), two-factor authentication (2FA), and complex password requirements. Regularly conduct security audits and updates.
  • Opt-out Options: Make it easy for participants to opt-out of data collection or limit the sharing of their information. Provide clear instructions and options in your consent forms and privacy policies.

Practical application of GDPR in Usability Testing: Key Takeaways

Collecting and processing information on users and their behavior is essential for making informed decisions in user research and usability testing. Here are five key takeaways for applying GDPR in your practices:

  • Understanding personal data: GDPR defines personal data as any information that can identify a person, directly or indirectly. This includes names, contact numbers, addresses, social media handles, and combinations of data points like cultural or social identity, economic background, job title, and location.
  • Ownership and collection of data: The ‘owner’ of personal data is always the individual (the participant). GDPR ensures individuals have control and ownership of their data, allowing them to retract or edit it as needed. Data ‘controllers’ are responsible for determining what data to collect and how it will be processed.
  • Recording consent: Consent must be recorded accurately, capturing who consented, when they consented, what information was given, and how they consented. This ensures transparency and protection for all parties involved.
  • Data storage duration: While there is no maximum time limit for storing personal data, it is advised to store it only as long as necessary for the project. Anonymized data, which cannot be traced back to an individual, can be stored longer and used for creating research tools like user archetypes and personas.
  • User control over data: Under GDPR, data ‘owners’ have the right to erasure (the ‘right to be forgotten’), allowing them to request deletion or editing of their data. Anonymized data, however, falls outside the scope of these rights.
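The following is an added example, not code from this guide or its authors: a small in-memory Python model (hypothetical design, constructed sample participants, tasks and timestamps) that keeps the consent evidence Step 5 asks for (who, when, what was disclosed, how), pseudonymizes participants with a keyed hash held apart from the observation data as in Step 6, refuses to store observations not covered by valid consent, and implements the retention review and right to erasure from the takeaways above, while an anonymized task-level aggregate carries no pseudonym and can outlive the raw data.

```python
# Added example: consent ledger + pseudonymized observation store for a usability
# study. Hypothetical design; all participants, tasks and times are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SESSION_START = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def session_time(minutes: float) -> datetime:
    return SESSION_START + timedelta(minutes=minutes)


@dataclass
class ConsentRecord:
    """Evidence the guide asks for: who (by pseudonym), when, what, how."""
    pid: str
    given_at: datetime
    information_disclosed: str
    method: str
    withdrawn_at: Optional[datetime] = None

    def valid_at(self, when: datetime) -> bool:
        not_withdrawn = self.withdrawn_at is None or when < self.withdrawn_at
        return self.given_at <= when and not_withdrawn


class IdentityVault:
    """Only place linking a pseudonym to a person; keep it separately access-controlled."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # secret; without it a pseudonym cannot be re-derived
        self._people: dict[str, dict] = {}

    def pseudonym(self, email: str) -> str:
        # Keyed hash (HMAC-SHA256), so observation data alone never reveals the e-mail.
        mac = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return "P-" + mac.hexdigest()[:12]

    def enrol(self, name: str, email: str) -> str:
        pid = self.pseudonym(email)
        self._people[pid] = {"name": name, "email": email}
        return pid

    def forget(self, pid: str) -> bool:
        return self._people.pop(pid, None) is not None  # True if a link existed


class UsabilityStudy:
    """Consent ledger plus pseudonymized observations with retention and erasure."""

    def __init__(self, vault: IdentityVault, retention_days: int) -> None:
        self.vault = vault
        self.retention = timedelta(days=retention_days)
        self.consents: dict[str, ConsentRecord] = {}
        self.observations: list[dict] = []

    def record_consent(self, pid: str, disclosed: str, method: str, when: datetime) -> None:
        self.consents[pid] = ConsentRecord(pid, when, disclosed, method)

    def withdraw_consent(self, pid: str, when: datetime) -> None:
        self.consents[pid].withdrawn_at = when

    def observe(self, pid: str, task: str, use_error: bool, when: datetime) -> None:
        # Refuse to store anything not covered by consent valid at that moment.
        rec = self.consents.get(pid)
        if rec is None or not rec.valid_at(when):
            raise PermissionError(f"no valid consent for {pid} at {when.isoformat()}")
        self.observations.append({"pid": pid, "task": task, "use_error": use_error, "at": when})

    def erase(self, pid: str) -> int:
        """Right to erasure: drop identity link, consent record and raw observations."""
        self.vault.forget(pid)
        self.consents.pop(pid, None)
        kept = [o for o in self.observations if o["pid"] != pid]
        removed = len(self.observations) - len(kept)
        self.observations = kept
        return removed

    def expired(self, now: datetime) -> list[str]:
        """Pseudonyms whose newest observation is older than the retention period."""
        newest: dict[str, datetime] = {}
        for o in self.observations:
            newest[o["pid"]] = max(newest.get(o["pid"], o["at"]), o["at"])
        return sorted(p for p, t in newest.items() if now - t > self.retention)

    def use_error_summary(self) -> dict[str, int]:
        """Anonymized aggregate with no pseudonym: may outlive the raw-data retention."""
        counts: dict[str, int] = {}
        for o in self.observations:
            counts[o["task"]] = counts.get(o["task"], 0) + int(o["use_error"])
        return counts
```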


Navigating data privacy regulations can seem daunting, but with the right approach and understanding, it becomes a manageable part of the usability testing process. By prioritizing transparency, consent, and data security, researchers and testers can ensure compliance while building trust with participants.

Call to Action

Ready to take your usability testing to the next level? Start implementing these best practices today and ensure your research and testing is compliant, ethical, and trustworthy. Join us on this journey to better usability testing practices that respect and protect participant privacy.

By following this guide, usability testers can navigate the complex world of data privacy regulations with confidence, ensuring that their research and testing practices are both compliant and respectful of participant privacy.


Human Factors & Usability Engineering for Medical Products

With usability and user interface evaluations for user-centered medical devices

Since the introduction of the Medical Device Regulation (MDR), the examination of usability has become a focus for manufacturers of medical devices. At the heart of the so-called human factors or usability engineering process are user interface evaluations of medical products with medical professionals.

Medical progress and the innovative power of medical technology developers lead to an increasing number of interaction processes between people and technical, stationary, as well as ambulatory systems; from the perspective of the medical user as well as the treated patient. Here, the patient is usually not the user of the device, which is why medical devices typically have two interfaces to people. This interaction relationship represents the human-machine system, in which the system elements patient, doctor (or nurse), and machine are related to each other through interactions.

Usability engineering scheme for medical human-machine interaction
Basic scheme of medical human-machine interaction

Due to the increasing use of innovative technical systems, new requirements arise from the user’s point of view in terms of safe, effective, efficient, and satisfactory operation of medical technology. The collection, implementation, and validation of these so-called usage requirements, alongside the design of user interfaces (User Interfaces) and their evaluation, are the focus of the “Usability Engineering Process”. In the development of medical devices, in addition to these components known from “User Centered Design,” the risk management of use-related risks (Use-related Risk Assessment) is an essential aspect.

Regulatory and standard requirements of the Usability Engineering Process

The establishment and implementation of a Usability Engineering Process and the documentation of all activities in a Human Factors or Usability Engineering File are part of the regulatory requirements for manufacturers of medical devices in the context of medical device approval. From a German perspective, the normative references for usability engineering are DIN EN 62366-1:2021 and IEC/TR 62366-2:2016. The American Food and Drug Administration (FDA) raises additional regulatory requirements and presents them in its guidance document FDA-2011-D-0469 (Applying Human Factors and Usability Engineering to Medical Devices). Further requirements apply for China and the UK.

From the use specification to user requirements engineering to use-related risk analysis

The specification of the application (Use Specification) represents the starting point of the Usability Engineering Process. This includes, among other things, the intended medical indication, the specification of user groups (User Profile), and the specification of all relevant usage environments. The specification of the application (Use Specification) already influences the later evaluation activities, for example, in the selection of representative test participants or test environments for the summative usability evaluation. The identification of user tasks and requirements in empirical studies of the usage context (User Research & Workflow Analyses) forms the bridge to the subsequent steps of use risk (Use-related Risk Assessment) and user requirements management (User Requirements Engineering). In the risk management process, use-related risks are analyzed and assessed based on task models. In the requirements management, the requirements necessary for the design of the human-machine interface (User Interfaces) are derived from the needs.


“Risk and requirements management processes represent the collaborative processes of usability engineering. If a close interlocking is achieved here, many synergistic effects for the medical device development process can be achieved. Do you want to align your medical device development process user-centrically? Our experienced experts are happy to support you.”

User Interface Design

The subsequent phases of design and evaluation are based on risk and requirement considerations. In the User Interface Design phase, all human-product interfaces (User Interfaces) are specified within the User Interface Specification and designed using prototyping methods. Depending on the nature of the medical device to be developed, various prototyping methods can be used. For example, 3D printing and laser cutting methods are suitable. The assurance of usability (Usability) of the developed User Interface prototypes is done using targeted usability evaluation methods.

User Interface / Usability Evaluations

Usability evaluations form the heart of the Usability Engineering Process and must be planned early on. Here, the scope, type, and timing of the evaluation methods must be adapted to the complexity of the medical device to be evaluated, not only to prove the regulatory obligation of safe and effective handling but also to enable the actual added value, the desired optimization of human-product interaction. Usability evaluation methods can be divided into inspection and user test methods.

Inspection methods are carried out by usability professionals and mostly involve checking compliance with heuristics or design guidelines. Here, experienced experts check the user interfaces of the medical device for conformity with, or deviation from, existing and recognized guidelines. In the context of medical device development, thinking through operating procedures (Cognitive Walkthrough) is also used as an inspection method.

In contrast, the second group of methods, the user test methods, follows an empirical, user-based approach. For this purpose, it is necessary to simulate the usage context sufficiently in the usability lab and to carry out observations and interviews with users representative of the respective medical device. The gold standard test method is the Usability Test, an evaluation of usability with users based on simulated task scenarios (Test Cases), usually with participant observation.

Medical usability test
Observation and documentation of a medical usability test

In the Usability Engineering Process for medical devices, methods from both groups are described in the normative references. Since inspection methods involve less implementation effort, they are recommended for early phases when the user interface is not yet sufficiently concrete for a Usability Test. Which method is used, and when, must be determined in the User Interface Evaluation Plan at the beginning of the design activities. Early planning and methodically correct execution of the evaluations are crucial.


“For usability tests, there are numerous methodological aspects that can be varied (e.g., remote-inhouse / synchronous-asynchronous), so that in principle ‘the standard usability test’ does not exist, but an individual test plan must be made depending on the specifics of the medical device to be tested. Are you facing the challenge of planning a medical usability test? Our experienced experts are happy to support you.”

If evaluations are carried out alongside development, they are called formative evaluations. Here, the focus is on identifying optimization potential in the human-medical product interaction and reflecting it in the design during the development process. The normative references recommend conducting several formative evaluations. Depending on the complexity, novelty, and risk profile of the user interface, two to three formative evaluations are advised.

At the end of the medical device development process, manufacturers are obliged to prove the safe and effective use of their medical device. This is done within the framework of summative usability validation or evaluation. The summative evaluation includes a normatively determined type of planning (Evaluation Plan) and documentation (Evaluation Report).


Medical Human Factors & Usability Engineering serves both to meet regulatory requirements and to identify market-differentiating optimization potential. In this respect, the interlocking of usability evaluations with the application specification (Use Specification), risk management (Use-related Risk Assessment), and requirements management (User Requirements Engineering) is of the utmost importance and should be anchored in an interdisciplinary way across the entire development team to maximize the benefits.

Do you need support in implementing your medical usability activities? Our USE-Ing. experts are ready for you.

Standards & References