GDPR Compliance in Fraud Detection – What You Need to Know

If your company uses Google Analytics, you have probably received a string of emails nudging you to update settings for the upcoming GDPR changes.

They look pretty serious.

Google is just one of the many online giants who have been rolling out new terms of services before the new regulation comes into effect. In this post, we’ll see how these changes will affect your businesses, with a special emphasis on your Risk Ops and multi-layered fraud prevention.

But first things first:

What Exactly is the GDPR?

The General Data Protection Regulation (GDPR) is a law and data protection regulation designed for individuals within the European Union. It builds upon previous EU privacy measures, such as the PSD2 compliance, but is a lot more stringent in a number of ways:

• Stronger emphasis on user consent: companies will need an explicit statement from users for their data to be collected. It will certainly mean a complete revamping of Terms of Service and the way users interact with your website.
• More transparency over collected data: users must be able to download all the data a company has gathered on them. This feature has already been rolled out by a number of companies such as Facebook or Google.
• Hefty penalty fines: set at 4% of a company’s global turnover (or $20 million – whichever is larger) a violation fine could completely sink a young startup, and put a big dent into an established firm’s net profits.
• Worldwide effect: technically speaking, the GDPR is only enforced for citizens of the European Union. But the global nature of data on the internet means everyone is likely to be affected.
• Hard deadline: While there has been a two year transition period since it was adopted, the GDPR comes into full effect on the 25th of May 2018.

What Can We Learn From Direct GDPR Quotes

If the layman explanation above doesn’t give you all the answers, please read the terms as directly quoted from the regulation documents. They provide fantastic clues as to what is clearly defined, and what gives room to interpretation.

Why the GDPR exists:

“The processing of personal data should be designed to serve mankind” – Recital 4

“The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.” – Recital 6

“Natural persons should have control of their own personal data.” – Recital 7

How the GDPR defines personal data:

“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” – Article 4 (1)

What are considered Online Identifiers:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” – Recital 30

One important concept is the GDPR is that of user consent. It is defined as follows:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to her” – Article 4 (11)

Finally, one of the most contentious points of the GDPR, is the idea that one legal basis for processing data is that of legitimate interest. This is how we get a better idea of what it means:

“legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” – Recital 47

“The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” – Recital 47

However, there are a few caveats:

“provided that the interests or the fundamental rights and “freedoms of the data subject are not overriding”

“a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place” – Recital 47

How the GDPR Will Impact the Fraud Industry?

Fraud detection and Risk Ops cannot exist without user data. Some legacy platforms have built their entire system on the ability to share fraudsters’ data to prevent their next actions. This is true whether you want to protect yourself from payment gateway fraud, or to avoid chargeback fraud.

In short, if you have yet to choose an anti fraud solution, you should seriously consider the following points:

How and why is the data collected:
We’re really talking about data quality here. Is it relevant – and justifiably so? Will your company get in trouble for sharing information with the fraud vendor if it is deemed necessary?

Are the terms of service clear and transparent:
Your company’s TOS need to be updated. But what about those of the fraud vendor? Do they take into account right of access without sacrificing efficiency?

What is the retention period:
In compliance with the “right to be forgotten”, the data cannot be kept indefinitely. Organizations must ensure information not directly related to fraud isn’t kept for longer than necessary.

How safe is the data:
Just because fraud detection falls under the umbrella of cybersecurity does not mean the company employs the best practices. Can they guarantee breach prevention as well?

How SEON Complies With the GDPR

At SEON, we have been fully aware of the GDPR and other regulations such as PSD2 since their inception. This has allowed us to plan accordingly, and to ensure our entire solution was designed around compliance to this new regulation.

Listed below are some of the FAQs we have answered for clients. Feel free to contact us for any additional information.

Must SEON comply with the GDPR?

Absolutely. Our infrastructure including servers and databases are based in the EU (Dublin, Ireland), which we can confirm via certificate.

Can SEON legally process data?

Yes. We are registered as a data processor at the Hungarian National Authority for Data Protection, and you’ll find that detecting fraud is a legal basis for processing data according to the GDPR.

Can I share user data with SEON? 

We recommend your TOS should inform their clients about data processing for fraud management services. We are happy to help you draft this document as needed.

What is the data retention policy? 

We make it very clear that our client data can be stored for up to 5 years, and can be easily purged upon request using our Erase API.

How safe is the data I share with SEON? 

At SEON, we are proud to have an appointed Data Security Officer. The role oversees security and ensures only our Head of Engineering has access to the production database (through dedicated, whitelisted VPN and encrypted keys).

What happens if there is a breach?

In the unlikely event that data is hacked, SEON’s standard agreement includes taking responsibility for data privacy, so you can use the platform with complete peace of mind.

GDPR Compliance in Fraud Detection

While the GDPR would indeed seem to increase users’ online privacy, it inevitably raises a number of questions. Will it actually have a positive effect? Will it lengthen manual reviews? Make things harder for companies – especially small ones who may fall foul of EU regulators? And who will take to blame if data is breached between different data-sharing services?

Whatever the future holds, there is no doubt the GDPR will profoundly reshape the Internet and risk assessment as we know it. Companies in all verticals will need to rethink the way they operate on a daily basis, particularly advertisers, publishers and fraud vendors.

Hopefully, your solution has already taken every step to ensure compliance and will train fraud managers accordlingly – if not, we can only recommend you stay as educated about the GDPR as possible as it comes into effect.