Design is a key player in the future of data privacy and data protection. The General Data Protection Regulation (GDPR) established by the European Union aims to rebalance the information asymmetry between the organizations that process personal data and the individuals to which that data refers. Machine-readable, standardized icons that present a “meaningful overview of the intended processing” are suggested by the law as a tool to enhance the transparency of information addressed to data subjects. However, no specific guidelines have been provided, and studies on privacy iconography are very few. This article describes research conducted on the creation and evaluation of icons representing data protection concepts. First, we introduce the methodology used to design the Data Protection Icon Set (DaPIS): participatory design methods combined with legal ontologies and machine-readable representations. Second, we discuss some of the challenges that have been faced in the development and evaluation of DaPIS and similar icon sets. Third, we provide some tentative responses and indicate a way forward for evaluation of the effectiveness of privacy icons and their widespread adoption.