Are High-Security Checks Worth It?

by Florian Tanant
If your company uses Google Analytics, you have probably received a string of emails nudging you to update settings for the upcoming GDPR changes.
They look pretty serious.
Google is just one of the many online giants who have been rolling out new terms of service before the new regulation comes into effect. In this post, we’ll see how these changes will affect your business, with a special emphasis on your Risk Ops and multi-layered fraud prevention.
But first things first:
The General Data Protection Regulation (GDPR) is a law and data protection regulation designed for individuals within the European Union. It builds upon previous EU privacy measures, such as the PSD2 compliance, but is a lot more stringent in a number of ways:
If the layman explanation above doesn’t give you all the answers, please read the terms as directly quoted from the regulation documents. They provide fantastic clues as to what is clearly defined, and what gives room to interpretation.
Why the GDPR exists:
“The processing of personal data should be designed to serve mankind” – Recital 4
“The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.” – Recital 6
“Natural persons should have control of their own personal data.” – Recital 7
How the GDPR defines personal data:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” – Article 4 (1)
What are considered Online Identifiers:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” – Recital 30
One important concept in the GDPR is that of user consent. It is defined as follows:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to her” – Article 4 (11)
Finally, one of the most contentious points of the GDPR is the idea that one legal basis for processing data is that of legitimate interest. This is how we get a better idea of what it means:
“legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” – Recital 47
“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” – Recital 47
However, there are a few caveats:
“provided that the interests or the fundamental rights and freedoms of the data subject are not overriding”
“a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” – Recital 47
Fraud detection and Risk Ops cannot exist without user data. Some legacy platforms have built their entire system on the ability to share fraudsters’ data to prevent their next actions. This is true whether you want to protect yourself from payment gateway fraud, or to avoid chargeback fraud.
In short, if you have yet to choose an anti-fraud solution, you should seriously consider the following points:
How and why is the data collected:
We’re really talking about data quality here. Is it relevant – and justifiably so? Will your company get in trouble for sharing information with the fraud vendor if it is deemed necessary?
Are the terms of service clear and transparent:
Your company’s TOS need to be updated. But what about those of the fraud vendor? Do they take into account right of access without sacrificing efficiency?
What is the retention period:
In compliance with the “right to be forgotten”, the data cannot be kept indefinitely. Organizations must ensure information not directly related to fraud isn’t kept for longer than necessary.
How safe is the data:
Just because fraud detection falls under the umbrella of cybersecurity does not mean the company employs the best practices. Can they guarantee breach prevention as well?
At SEON, we have been fully aware of the GDPR and other regulations such as PSD2 since their inception. This has allowed us to plan accordingly, and to ensure our entire solution was designed around compliance with this new regulation.
Listed below are some of the FAQs we have answered for clients. Feel free to contact us for any additional information.
Absolutely. Our infrastructure, including servers and databases, is based in the EU (Dublin, Ireland), which we can confirm via certificate.
Yes. We are registered as a data processor at the Hungarian National Authority for Data Protection, and you’ll find that detecting fraud is a legal basis for processing data according to the GDPR.
We recommend that your TOS inform your clients about data processing for fraud management services. We are happy to help you draft this document as needed.
We make it very clear that our client data can be stored for up to 5 years, and can be easily purged upon request using our Erase API.
At SEON, we are proud to have an appointed Data Security Officer. The role oversees security and ensures only our Head of Engineering has access to the production database (through dedicated, whitelisted VPN and encrypted keys).
In the unlikely event that data is hacked, SEON’s standard agreement includes taking responsibility for data privacy, so you can use the platform with complete peace of mind.
While the GDPR would indeed seem to increase users’ online privacy, it inevitably raises a number of questions. Will it actually have a positive effect? Will it lengthen manual reviews? Will it make things harder for companies – especially small ones who may fall foul of EU regulators? And who will take the blame if data is breached between different data-sharing services?
Whatever the future holds, there is no doubt the GDPR will profoundly reshape the Internet and risk assessment as we know it. Companies in all verticals will need to rethink the way they operate on a daily basis, particularly advertisers, publishers and fraud vendors.
Hopefully, your solution has already taken every step to ensure compliance and will train fraud managers accordingly – if not, we can only recommend you stay as educated about the GDPR as possible as it comes into effect.
Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.