“Data is the new oil” is a phrase attributed to Clive Humby, a data science innovator in the UK who coined the term in 2006. Since then, the concept has been adopted by both business and economics communities--even making it to the cover story of a May 2017 issue of the Economist: “The world’s most valuable resource is no longer oil, but data.” As we become a more connected society, thanks in part to the internet, our individual data footprints are also growing. Rules and regulations around data privacy, however, have been loose, to say the least. That is, until earlier this year, when the General Data Protection Regulation (GDPR) was passed--a significant step forward for data privacy.
Over the last few years alone, we’ve seen a number of high-profile data breach stories: Facebook exposing the accounts of 50 million users; the Equifax data breach that may have affected 143 million in the U.S.; and one of the most significant breaches yet, the Yahoo data breach that is said to have affected 3 billion customers. These stories illustrate that data privacy is a major issue as tech companies go from startup to growing up in front of our eyes.
As online security and user experience simultaneously become two of the most important topics for modern companies, GDPR compliance by companies is a must. There is an art to creating a high-quality user experience while also adhering to this new regulation, and it begins with design thinking.
Ashley Graham, a design researcher at a Fortune 500 tech company, explains the process as she approaches it in her job as a user experience (UX) designer:
“Design thinking is a practice that helps us move through a design process. It’s user-centered, and it’s a way to frame your strategy, your design, and your development around that user. Design thinking is also a way of democratizing decision making, so it helps us to bring more diverse ideas to the table. In a traditional meeting only a few people are talking--those with the most power--but in using design thinking we’re not speaking, we’re writing on Post-its and putting our ideas on a wall. We’re releasing them. They aren’t our ideas, we don’t own them, so it helps teams to think less about who said an idea; the idea is for the end user.”
While the two concepts might seem unrelated, data privacy and design thinking both require a customer-first approach. “I think the mindset around both is really similar,” notes Graham, along with a few important questions that she believes companies working with data should be asking themselves: “How do we provide value to this person in a way that is good for them and not just good for our company? How do we only take the information that we need from them to serve them and help them to solve a need? And how do we let the rest of the data go?”
1. Only ask for the information that you need
Based on her experience, Graham notes that there is a temptation to ask for all the information that you could ever want. However, GDPR tells us no--only take the information that you need to create a quality experience for the user.
2. Make sure that the user knows what they are consenting to
Some companies exist solely for the purpose of collecting and selling personal data. Therefore, it’s more important now than ever before to be transparent with consumers about what they are agreeing to when signing up to use your product/service.
3. Use clear and concise language
Another section of the regulation states that you must use clear terminology. “That’s design thinking 101 to create a good user experience,” says Graham. Everything you put in front of your user should be intuitive. “That includes whatever a person is consenting to in signing up for your product. Don’t use weird terminology, keep it simple. GDPR isn’t the first regulation to state this; however, because of its global implications, it’s helping us all to think about how to communicate more clearly to whoever we are designing for.”
4. Education
As with any new regulation that affects business, training and education are essential. It’s incredibly important for companies to train their staff and educate their consumers. “At my company, we went through hours of training on this. Companies need to be sure that their employees are informed,” says Graham.
5. Company Ethics
Where does your company stand on data privacy? The implementation of GDPR creates the perfect opportunity to think through your company’s CSR strategy, and how it relates to data privacy. Work through the GDPR principles and see how you can integrate them into the ethics of your company.