When online marketing first came about, consumers gave away personal information without thinking twice. Vendors knew their customers’ names, addresses, phone numbers, email IDs and more. The idea was that this data would make it easier for vendors to reach out to customers.
Seeing an opportunity, fraudsters soon began misusing this data – causing privacy concerns and ultimately contributing to the evolution of the General Data Protection Regulation (GDPR). Now customers have regained control over their data. This is great for the individual but presents a number of compliance and fraud challenges for enterprises worldwide.
What Is GDPR?
The GDPR was designed to protect customers’ rights over their personal data. It allows customers to obtain information on when their data is being collected and for how long it will be stored. Consumers now also have the right to rectify data about themselves and to be forgotten, amongst other things.
This means that customers can request all information about themselves be erased at any point in time. While GDPR may have given customers more control over the use of their personal data, it does pose a problem for companies like insurance agencies and financial services firms that rely on retaining customer data to investigate fraudulent activity.
Thus, the implementation of GDPR raises a number of questions on fraud prevention. How will insurers protect themselves against ghost brokering rings? How can financial institutions fight fraud without impacting the customer experience? If individuals object to their personal data being used, how do organizations check their background? If data shared between two or more data-sharing companies is compromised, who takes responsibility?
Just as a burglar finds a way to break locks, fraudsters will find ways to circumvent GDPR regulations. Therefore, companies cannot afford to become complacent in their efforts to remain GDPR compliant and fraud-aware.
How to Protect Data from Fraudsters Post GDPR
So how can organizations fight fraud in the GDPR-driven world? GDPR requires the ability to pinpoint every single record pertaining to EU customers across databases and applications – a daunting level of precision in today’s global enterprise, but an issue that can be readily addressed by today’s global intelligence tools. These tools are critical to helping data managers weigh their concerns against the actual condition of their data. Below are several tips to fight fraud:
1) Maintain a single customer view
The ability to locate all versions of any EU resident’s record quickly and thoroughly is compromised by the complexities of data matching. Even simple errors, such as failing to recognise that James and Jim are the same person, can result in a costly compliance failure and potential fraud. Before GDPR, these match errors could be dismissed as minor mistakes with limited negative business impact, such as duplicate marketing messages or a slight skew in analytics. All this changes dramatically with GDPR requirements, such as its Right to Erasure. You cannot erase or protect what you cannot find.
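The matching problem above is concrete enough to show in code. The following is an added illustration, not tooling from the article or any vendor: it normalises names (including a small, constructed nickname table), e-mail addresses and phone numbers, then walks several constructed stores and links records transitively, so that a record found by e-mail contributes its phone number to the search for further records. The store names, records, nickname table and the "last nine digits" phone heuristic are all assumptions made for the example.

```python
"""Locate every record for one data subject across several stores before
acting on a Right to Erasure request.  Added illustration with constructed
data; not the article's own tooling."""
import re
import unicodedata

# Constructed nickname table.  Assumption: a real deployment uses a curated
# name-variant dictionary rather than this handful of entries.
NICKNAMES = {
    "jim": "james", "jimmy": "james",
    "bob": "robert", "rob": "robert",
    "liz": "elizabeth", "beth": "elizabeth",
}


def normalize_name(name: str) -> str:
    """Case-fold, strip accents and punctuation, and map nicknames to a canonical form."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z ]", "", ascii_name.lower())
    return " ".join(NICKNAMES.get(part, part) for part in cleaned.split())


def normalize_email(email: str) -> str:
    """Lower-case and trim; drop a '+tag' from the local part (a common provider convention)."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def normalize_phone(phone: str) -> str:
    """Keep digits only so '+44 20 ...' and '020 ...' can be compared on their tail."""
    return re.sub(r"\D", "", phone)


def record_keys(rec: dict) -> set:
    """Every identifier under which this record could be matched."""
    keys = set()
    if rec.get("email"):
        keys.add(("email", normalize_email(rec["email"])))
    if rec.get("phone"):
        # Heuristic (assumption): compare the last nine digits to ignore country/trunk prefixes.
        keys.add(("phone", normalize_phone(rec["phone"])[-9:]))
    if rec.get("name") and rec.get("postcode"):
        postcode = re.sub(r"\s", "", rec["postcode"]).upper()
        keys.add(("name+postcode", normalize_name(rec["name"]), postcode))
    return keys


def find_subject_records(stores: dict, request: dict) -> list:
    """Return sorted (store, record_id) pairs for every record matching the request.
    Matching is transitive: identifiers learned from a matched record widen the search."""
    known = record_keys(request)
    found = set()
    changed = True
    while changed:                      # repeat until no new record is linked
        changed = False
        for store_name, records in stores.items():
            for rec in records:
                if (store_name, rec["id"]) in found:
                    continue
                if record_keys(rec) & known:
                    found.add((store_name, rec["id"]))
                    known |= record_keys(rec)
                    changed = True
    return sorted(found)


# Constructed sample stores: the same person appears under three spellings.
STORES = {
    "crm": [
        {"id": 1, "name": "James O'Brien", "email": "James.OBrien@example.com",
         "phone": "+44 20 7946 0123", "postcode": "SW1A 1AA"},
        {"id": 2, "name": "Robert Smith", "email": "rob@example.org",
         "phone": "", "postcode": "EC1A 1BB"},
    ],
    "marketing": [
        {"id": 10, "name": "Jim OBrien", "email": "james.obrien+promo@example.com",
         "phone": "", "postcode": "sw1a1aa"},
        {"id": 11, "name": "Beth Jones", "email": "beth@example.net",
         "phone": "", "postcode": ""},
    ],
    "claims": [
        {"id": 100, "name": "J. O'Brien", "email": "",
         "phone": "020 7946 0123", "postcode": ""},
    ],
}

if __name__ == "__main__":
    print(find_subject_records(STORES, {"name": "Jim O'Brien", "email": "james.obrien@example.com"}))
```

The claims record carries no e-mail at all; it is reached only because the CRM match contributed a phone number. That transitive step is what a one-pass lookup by the identifier on the erasure request would miss.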
2) Data Minimization
When a person shops for something, they don’t buy everything just because it’s available. They buy what they need. Similarly, when asking for a customer’s personal data, a company should collect only the information necessary. If the company is a fashion retailer, is information like the customer’s mother’s maiden name, type of car they own and family size relevant? Data should be collected only when a company cannot achieve the same results without access to the personal data requested. If there is a way to reach out to a customer without storing their personal data, try that first.
Minimizing the amount of personal data stored reduces the likelihood that customers will object to providing their data. It also makes it easier to keep the data secure.
Since the dawn of time, information that needed to be kept secret was put into code. During wars between countries, spies carried coded messages from one location to another. This was how armies learned of enemy positions without ever actually coming face to face with their adversaries. Scientists write their initial discoveries in code to protect their findings. Today, we can protect data with encryption far stronger than the simple substitution ciphers and reversed alphabets of the past.
Any data collected from customers must be encrypted or tokenized to make misuse of that data more difficult. Even if someone does manage to steal the stored data, it is of little use without the encryption key (or, for tokenized data, the separately protected token vault).
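To make the tokenization option concrete, here is an added example (not the article's own implementation) of a minimal token vault: application records hold only random tokens, the raw value lives in one separately protected store, every reverse lookup is logged with its purpose, and an erasure removes the raw value while leaving the tokens in place as opaque identifiers. The keyed index lets the same e-mail address map to the same token without storing a guessable plain hash. The key, the ledger and the addresses are constructed; the assumption is that in production the key sits in a KMS or HSM and the vault is a separate service.

```python
"""Tokenization vault: the application keeps only random tokens; raw PII lives
in one separately protected store.  Added example with constructed data."""
import hashlib
import hmac
import secrets


class TokenVault:
    def __init__(self, index_key: bytes):
        # index_key: secret behind the lookup index, so an attacker holding the
        # index alone cannot recompute it from guessed e-mail addresses.
        # Assumption: in production this key lives in a KMS/HSM, not in code.
        self._index_key = index_key
        self._value_by_token = {}   # token -> raw value (the only copy of the PII)
        self._token_by_index = {}   # keyed index of value -> token
        self.audit = []             # (action, token, purpose)

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for this value, or mint a fresh random one."""
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)   # unguessable; carries no information
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, purpose: str):
        """Resolve a token to the raw value; each lookup is logged with its purpose.
        Returns None once the subject has been erased."""
        self.audit.append(("detokenize", token, purpose))
        return self._value_by_token.get(token)

    def erase(self, token: str) -> bool:
        """Right to Erasure: drop the raw value.  Rows elsewhere that carry the token
        keep working as opaque identifiers but can no longer name the person."""
        value = self._value_by_token.pop(token, None)
        if value is None:
            return False
        self._token_by_index.pop(self._index(value), None)
        self.audit.append(("erase", token, "data-subject request"))
        return True


def record_order(vault: TokenVault, ledger: list, email: str, amount: float) -> dict:
    """Application-side write: the ledger row never contains the e-mail address."""
    row = {"customer": vault.tokenize(email), "amount": amount}
    ledger.append(row)
    return row


def spend_by_customer(ledger: list) -> dict:
    """Aggregate analytics work on tokens alone, before and after an erasure."""
    totals = {}
    for row in ledger:
        totals[row["customer"]] = totals.get(row["customer"], 0) + row["amount"]
    return totals


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    ledger = []
    row = record_order(vault, ledger, "alice@example.com", 40.0)
    record_order(vault, ledger, "alice@example.com", 60.0)
    print(ledger, spend_by_customer(ledger))
    vault.erase(row["customer"])
    print(vault.detokenize(row["customer"], "support ticket"), vault.audit)
```

A stolen copy of the ledger exposes nothing but random tokens and amounts, and after an erasure even the vault cannot resolve the token again; if the same person later returns, they receive a new token rather than being silently re-linked to the erased history.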
Each department within the organization should constantly ask themselves: what data do we need, why do we need it, how can we benefit from it and of course, how can we secure it? Understand whether consent is required or not.
Stolen credentials or data breaches are real issues, even in the GDPR world. Since companies have the customer’s consent to store and use their personal data, it is the company’s responsibility to keep the data safe.
It’s a lot like banks. When a customer deposits their money, the bank is responsible for its safekeeping. Thus, companies must design an authorization system wherein the data cannot be accessed by everyone.
Within companies that store personal data, employees should be given access only to the specific information required to do their jobs. Data segregation is an important aspect of maintaining authorization. If customer data is stored in separate baskets, conditional access is easier to provide.
For example, the marketing team may need to know the customer’s age and geographic location to create a marketing strategy. On the other hand, the design team may not need this information so they should not have access to it. Instead, they may need other details such as the customer’s size and color preferences.
For companies, a strong authorization system helps fight against fraud and the misuse of personal data. It also defends their customers’ right to data privacy.
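The marketing-versus-design example above translates directly into a field-level policy. The following added example (not the article's own system) splits a customer record into the "baskets" the text describes, assigns each role the partitions its job needs, and denies any request that reaches outside them, logging the decision either way. The partitions, roles, field names and sample record are constructed for the illustration.

```python
"""Field-level authorization over segregated customer data.  Added example with
constructed partitions, roles and a sample record."""

# Each field lives in exactly one partition (basket).
FIELD_PARTITION = {
    "customer_id": "identity",
    "email": "contact", "phone": "contact",
    "age": "profile", "region": "profile",
    "clothing_size": "preferences", "colour_preferences": "preferences",
    "claims_history": "claims",
}

# Least privilege: a role sees only the partitions its job needs.
ROLE_PARTITIONS = {
    "marketing": {"identity", "profile"},
    "design": {"identity", "preferences"},
    "fraud_investigation": {"identity", "contact", "profile", "claims"},
}


class AccessDenied(Exception):
    """Raised when a role asks for a field outside its partitions."""


def segregate(record: dict) -> dict:
    """Split one flat customer record into per-partition stores."""
    stores = {}
    for field_name, value in record.items():
        partition = FIELD_PARTITION[field_name]   # an unknown field is a policy gap, so fail loudly
        stores.setdefault(partition, {})[field_name] = value
    return stores


def denied_fields(role: str, fields) -> list:
    """Fields the role may not read.  An unknown role is entitled to nothing."""
    allowed = ROLE_PARTITIONS.get(role, set())
    return sorted(f for f in fields if FIELD_PARTITION.get(f) not in allowed)


def is_allowed(role: str, fields) -> bool:
    return not denied_fields(role, fields)


def read_fields(stores: dict, role: str, fields, audit: list) -> dict:
    """Return the requested fields if the role is entitled to all of them.
    The whole request is refused, rather than fields silently dropped, so a
    caller cannot probe for data by over-asking; every decision is audited."""
    denied = denied_fields(role, fields)
    if denied:
        audit.append({"role": role, "fields": sorted(fields), "decision": "deny", "reason": denied})
        raise AccessDenied(f"role {role!r} may not read {denied}")
    audit.append({"role": role, "fields": sorted(fields), "decision": "allow"})
    return {f: stores.get(FIELD_PARTITION[f], {}).get(f) for f in fields}


# Constructed sample record.
CUSTOMER = {
    "customer_id": "c-1001", "email": "dana@example.com", "phone": "+44 7700 900123",
    "age": 34, "region": "EU-West", "clothing_size": "M",
    "colour_preferences": ["navy", "green"], "claims_history": [],
}

if __name__ == "__main__":
    stores, audit = segregate(CUSTOMER), []
    print(read_fields(stores, "marketing", {"age", "region"}, audit))
    print(read_fields(stores, "design", {"clothing_size", "colour_preferences"}, audit))
    print(is_allowed("marketing", {"email"}), audit)
```

Refusing the entire request when any field is out of scope is a deliberate choice: partial results make it easy to enumerate what a role can see, while a hard deny plus an audit entry gives the security team a signal worth investigating.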
6) Educating Teams on GDPR Compliance
A company may have designed the most efficient way to secure personal data but, if employees within the company do not understand the nuances of GDPR, there is a high risk that the data could be misused. Thus, it is important for all members of a team, especially those who might need to work with this data, to understand the security measures that have been put in place.
For insurance and financial companies, the right to be forgotten poses a huge fraud risk. Customers can submit fraudulent claims and then request their data be forgotten. In such cases, there is little stopping them from filing other false claims. Until legislation is passed to mitigate this risk, organizations need to be transparent about the purpose for which the data is being collected. If high levels of transparency are maintained, consumers will be less likely to refuse to provide data when it is requested.
GDPR is more than a regulation to follow – it requires smart, all-encompassing data management that features attention to privacy and clean data. Global intelligence tools and services are critical to these efforts, cleansing and enhancing data in real-time and ensuring compliance and fraud prevention are woven into enterprise operations.