The fraud risk underlying GDPR’s ‘right to be forgotten’
The build-up to the GDPR deadline saw a flood of speculation about whether companies operating in the EU would be ready to comply with the regulation.
But maybe it’s time to think beyond deadlines and fines, and move on to what a post-GDPR world looks like for customer identity security.
A key tenet of GDPR gives customers the right to be “forgotten”. But, in a cruel twist of fate, the very thing that was meant to give consumers the power to demand privacy could open a new avenue for identity theft.
When a customer says “forget me”, organisations are faced with a new set of challenges.
Not only do firms have to confirm whether they can in fact delete that data for regulatory or compliance reasons, but they also have to be wary of potential fraudsters.
Once a subject access request is submitted, companies have one month to respond by sharing a copy of all the personal data they hold on the individual; erasure requests run on the same one-month clock. The sensitivity of the data they are being asked to share or destroy means that, before companies process either kind of request, they need to be able to verify the identity of the individual making it. The regulation itself allows a company that has reasonable doubts to ask for additional information to confirm who is asking.
Individuals can use someone else’s data to help them commit fraud, and then simply request that the data be deleted – covering their digital tracks, so to speak.
There is also the threat of malicious actors, spurring deletions perhaps to harm competitors.
Google is one company that has had to get to grips with data deletion requests already.
A key criterion in its process is the need to verify the identity of the person making the request, in order “to prevent fraudulent removal requests”. The potential seriousness of this issue, and particularly its widening impact after GDPR, means that companies need to tackle verification as a priority.
To verify individuals effectively, companies should combine the methods at their disposal, including mobile (for example, a one-time code sent to a registered number), biometrics and document verification, rather than relying on a single weak check such as an email reply.
Personal data is often scattered across systems, but companies must be able to locate all of it and strengthen the identification layers that gate access to and deletion of it.
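The workflow the previous paragraphs describe, as an added illustration rather than code from the original article or from any named company: an erasure request is logged immediately but nothing is deleted until two independent checks (a one-time code to the registered mobile and an identity-document check, the factors the article names) have succeeded, and a subject under open fraud review is routed to manual hold instead of being erased. The hold step, the 600-second code lifetime, the three-attempt limit and the two-factor threshold are assumed policy values, not requirements stated on the page; the customer records are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    RECEIVED = "received"   # request logged, identity not yet proven
    ON_HOLD = "on_hold"     # identity proven, but deletion blocked pending review
    ERASED = "erased"       # personal data removed


@dataclass
class Challenge:
    code_hash: bytes        # only a hash of the one-time code is kept server-side
    expires_at: float
    attempts: int = 0


@dataclass
class ErasureRequest:
    subject_id: str
    state: State = State.RECEIVED
    challenge: Optional[Challenge] = None
    verified_factors: set = field(default_factory=set)


class ErasureService:
    CODE_TTL = 600          # seconds a one-time code stays valid (assumed policy)
    MAX_ATTEMPTS = 3        # guesses allowed per challenge (assumed policy)
    REQUIRED_FACTORS = 2    # independent checks needed before deletion (assumed policy)

    def __init__(self, records, fraud_flags, clock=time.time):
        self.records = records          # subject_id -> personal data held (constructed)
        self.fraud_flags = fraud_flags  # subjects with an open fraud review (assumed input)
        self.clock = clock              # injectable so expiry can be tested offline
        self.requests = {}

    def open_request(self, subject_id):
        """Log the 'forget me' request; this starts the clock but deletes nothing."""
        if subject_id not in self.records:
            raise KeyError("no data held for this subject")
        req = ErasureRequest(subject_id)
        self.requests[subject_id] = req
        return req

    def issue_mobile_challenge(self, subject_id):
        """Create a one-time code for the registered mobile number.
        In production the code is delivered out of band; it is returned here
        only so the example can complete the round trip."""
        req = self.requests[subject_id]
        code = f"{secrets.randbelow(10**6):06d}"
        req.challenge = Challenge(hashlib.sha256(code.encode()).digest(),
                                  self.clock() + self.CODE_TTL)
        return code

    def confirm_mobile_challenge(self, subject_id, code):
        """Check the code in constant time; expired or exhausted challenges are discarded."""
        req = self.requests[subject_id]
        ch = req.challenge
        if ch is None or self.clock() > ch.expires_at or ch.attempts >= self.MAX_ATTEMPTS:
            req.challenge = None        # force a fresh challenge
            return False
        ch.attempts += 1
        if hmac.compare_digest(ch.code_hash, hashlib.sha256(code.encode()).digest()):
            req.verified_factors.add("mobile")
            req.challenge = None        # single use
            return True
        return False

    def record_document_check(self, subject_id, passed):
        """Record the outcome of an identity-document check performed elsewhere."""
        if passed:
            self.requests[subject_id].verified_factors.add("document")
        return passed

    def execute(self, subject_id):
        """Delete only when enough factors have passed and no fraud review is open."""
        req = self.requests[subject_id]
        if len(req.verified_factors) < self.REQUIRED_FACTORS:
            return req.state            # identity not proven: nothing deleted
        if subject_id in self.fraud_flags:
            req.state = State.ON_HOLD   # human review decides, data stays for now
            return req.state
        del self.records[subject_id]
        req.state = State.ERASED
        return req.state
```

The point of the structure is that `execute` is the only place data is removed, and it cannot reach the `del` without the verification evidence having been recorded on the request, so a forged or unverified request degrades to a no-op rather than to a deletion.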
Customers also deserve to know about the possible impact of having their history wiped. It can prevent them from accessing services, because they will no longer be identifiable to the provider.
Also, once a company no longer holds a record of an individual’s normal behaviour, deletion can seriously hinder its ability to spot signs of fraudulent activity on that person’s accounts. Behavioural data analysis is the basis of modern fraud detection, and erasing that baseline may leave the very individual who asked for it more exposed.
Maintaining trust is critical, and companies carry the responsibility of ensuring that it really is the right customer making the request.