Is Your Bank GDPR Ready?

New privacy regulations from the European Union enacted this year have serious implications for how businesses collect, store, and track personal data. Financial institutions will be required to update or create entirely new systems with “Privacy by Design” in mind. General Data Protection Regulation is here. The question is — is your bank ready?

Yes, you will be affected by the GDPR Stateside

While the new rules are EU-mandated, that doesn’t mean you won’t be affected in the US. The user doesn’t have to bank with you, or even complete a single transaction with your company. Anyone visiting your web site or mobile app from the European Union falls under the umbrella of the GDPR.

No need to fear. The new privacy regulations actually provide a great framework for best practices, and simply put — most organizations find it easier to adopt a single user experience for all regions.

Privacy by Design

GDPR won’t prevent you from tracking or communicating with your users. However, you will have to make changes at every single one of your digital touch points with them. The new privacy standards have been enacted to empower users — and putting users at the center of the online experience is a hallmark of any successful organization.

A key approach in achieving GDPR compliance is employing a Design Thinking methodology that respects user privacy. Jakob Nielsen, user advocate and author of quintessential UX guide “10 Heuristics for User Interface Design” maintains “user control and freedom” at the number three spot on that list.

In short, if your online banking experience is user centric — it’s also privacy-centric.

Our Recommendations

Be Transparent

The GDPR requires all financial services companies to clearly communicate what user data is being stored, tracked, and how. Whenever you ask the user to provide information, such as their name or email address, it is imperative you provide a link to your privacy policies.

Your institution must also notify users more explicitly about your site’s use of cookies. A useful method to achieve transparency and comply with GDPR is implementing a pop-up that asks user’s consent for cookies. Particularly useful pop-ups may also include a short description of what type of behavior is being tracked. You may have noticed several websites utilizing this method as of late.

Don’t forgot to update your policies on your site — and notify your users about the change.

As your bank most likely already has data procedures and policies in place, it would be best to simply include the new regulations to current state and federal compliance practices for fair lending, data privacy, financial crime, and other regulatory matters.

Give Users Control

A vital first step to GDPR compliance in your online banking experience is asking permission. You should require the user’s unambiguous, affirmative consent. For example, a checkbox that states: “I agree to…”

This permission needs to be granular. Make sure to ask for separate consent for each item. For example: one checkbox to agree to you site policies, and a second to agree to sign up for the newsletter. These checkboxes need to be opt-in — unchecked by default.

Second, make it easy for users to leave. The GDPR recognizes that users have a right to manage and access their data, and a “right to be forgotten.” In practice, that means including a clear link to a page where users can micro-manage the frequency and type of communications and to unsubscribe. It also means having a process in place for users that request to be forgotten: to have all their data permanently deleted from your systems.

Think Beyond the Website

The privacy standards outlined by the GDPR reach far beyond your website. If your organization has a mobile app that collects user data, or accesses user data stored on the phone — these same principles apply. Don’t ask for data you don’t need for the experience. Does your app really need to know the user’s location at all times? Does it really need to access their contact list?

Your bank’s GDPR Check List

  • Update your privacy policy to describe what data is collected and stored and for how long, how it’s used, and how visitors are tracked
  • Include a link to privacy policy from all forms
  • Make all forms opt-in, not opt-out — No more pre-checked boxes for permissions
  • Implement discrete checkboxes for agreeing to policies vs. agreeing to be contacted
  • Implement a cookie dialogue or pop-up that explains what visitor info is tracked and include links to the privacy policy
  • Make it obvious and easy for the user to opt out/unsubscribe
  • If you store any user data, make sure it is secure
  • Communicate with your users about policy changes
  • Contact any users that you didn’t get affirmative consent from in the past, and ask them to permission
  • Develop a process to permanently delete user data upon request

Want More? Further Reading on the GDPR: