In retail banks and financial services, the upcoming data regulation review, GDPR, wouldn’t typically be associated with the word beautiful… for good reason! It’s a very strict piece of regulation. It is complex and hard to implement, especially for banks, who have collected and stored big data sets about their users for many years.
But I predict that GDPR will become a thing of beauty. Not because it will give us, the general public, a better understanding of how companies deal with our data, but because these same companies will create far more compelling services in order for people to allow them to collect and use their data.
In early 2016, the EU Parliament approved the new regulation and agreed it would replace the existing Data Protection Directive 95/46/EC. It comes into effect and will be enforced from 25 May 2018. Organisations who do not comply have been warned they’ll face heavy fines.
The regulation has been created in response to the phenomenal amounts of data that have been created and are stored – about everything but specifically about individuals – since the original directive governing personal data in the EU was adopted way back in 1995. This original directive was designed to “regulate the processing of personal data, regardless of whether such processing is automated or not”.
Since companies now have to explicitly ask for our approval before collecting and using data in their business, companies can no longer be opportunistic by simply collecting everything and figuring out how to use it later. They have to be deliberate, focused and ensure they have consent for every use case. This will yield a fundamentally different user experience design in all the services that rely on data.
Whenever a person’s data is being used to personalise anything, they have to have given their prior consent. That means consent needs to be captured in a way where a person understands and falls in love with the idea, before it happens. This will drive a whole new breed of interaction and user experience design.
Companies have to sell the notion of a service and the value it brings, before they get the data they’ll use to make it useful.
Previously, a person had to agree to an endless end-user license agreement (EULA). The collection of virtually all data was simply buried in it, and by agreeing, a person inherently accepted any use of that data. This is no longer the case. Now, companies need to separate the EULA from the data capturing consents. The consent has to be explicit for its use case.
I predict we’ll see a whole new on-boarding process in most services. People will get more information about what data a company wants to collect and how it will be used. Services must in fact “sell” their services and a person needs to agree on the various elements.
We’ll probably see far more contextualised consents. Your soul doesn’t need to be sold during enrolment, but instead you’ll get customised offers to opt in to services as you progress.
We have become used to being asked for access to our contacts, for permission to send push notifications, etc. Now, we will get this type of experience throughout all service journeys. I think that is a good thing. Giving consent is easy and it’s important to understand what it is you’re consenting to. That’s what GDPR is all about – protecting your data, so it only gets used for the specific things, by the specific companies, that you’ve knowingly allowed.
UX lead at Auka, Martin Braaten Grina, will elaborate on GDPR best practice when it comes to user experience and design in a subsequent blog post. Watch this space.