Following the ratification of the GDPR, some feared that certain tenets, such as the right to restrict data processing, the right to object to data collection, and the right to be forgotten, would give fraudsters a newfound advantage. Fortunately, the GDPR specifically calls out fraud prevention in the legitimate interest clause governing how subject companies process data and handle customer requests.
When the goal is to prevent fraud (a 'legitimate interest' as defined by the GDPR), companies are not required to proactively obtain consent before collecting customers' data, nor to honor every request for deletion of that data.
This is bad news for fraudsters, but it could also be problematic for ordinary citizens. Some fraud-detection vendors might treat the legitimate interest argument as justification to sidestep consent requirements altogether, whether by intentionally working around the regulation or by unintentionally ignoring the spirit of the GDPR.
Does legitimate interest apply? A three-part test.
Using legitimate interest as a basis for data processing brings extra responsibility for considering and protecting data subjects’ rights.
There are three key considerations when applying the legitimate interests clause:
- Identify your legitimate interest. In this case, it is fighting fraud.
- Show that your data-collection process is necessary to achieve that legitimate interest, and that you cannot reasonably achieve the same result in a less intrusive way.
- Balance the legitimate interest of fighting fraud against the interests, rights, and freedoms of the people whose data you are collecting.
There are many different ways to prevent fraud, and some fraud-prevention solutions require more personal data than others to work.
Review how much personal data your fraud-prevention vendor requires. A vendor that collects more data than is necessary may fail the second (necessity) part of the test above, and if so could expose you to liability for non-compliance.
Fraud Fighting and Delighting Customers Under the GDPR
Adhering to the core principles of the EU GDPR and preventing fraud can go hand-in-hand. Minimizing the amount of personal data collected, pseudonymizing that data, and embracing privacy by design principles will not only ensure that your customers’ right to data privacy is upheld, but also help mitigate your risks under the GDPR.
- Data Minimization: Whether or not you rely on legitimate interest to acquire data, you should collect only the minimum data needed to achieve your objective. If you can fight fraud with only the barest amount of non-directly identifying information, as iovation does, so much the better: it means less data to secure later.
- Pseudonymization: Ensure that all personal data is protected using tokenization or encryption. Beyond the added security, a clear benefit is that mandatory breach reporting requirements are significantly lowered for pseudonymized data, because the risk of harm to a data subject is greatly reduced as long as the key is not compromised.
- Privacy by design: Make data privacy an integral part of your organization's thought process at all levels. Get every department in the habit of asking what data you need, how you will protect it, and whether or not you need consent. A well-thought-out privacy strategy is also likely to create a better user experience.
And don’t forget authentication! As we discussed in an earlier post, breached and stolen credentials are a real threat to your users’ data security. That threat vector makes stronger authentication an essential component in the fight against fraud and in the defense of your users’ right to data privacy.
The GDPR is revealing opportunities to make user experience a significant differentiator among competitors. Learn more about how you can turn GDPR compliance into an opportunity by checking out our webtalk, 4 Hacks to Mitigate Breach Risks Post GDPR.