GDPR and Fraud Prevention: Impact of Compliance Regulations

When the General Data Protection Regulation (GDPR) went into effect in 2018, many industries found themselves struggling to comply with the new requirements. Data is fundamental to business operations, with companies using it to provide better customer experiences and predict trends. 

Fraud prevention presents a unique use case because both the company and the customer benefit from the data collection. As a company, you have a vested financial interest in mitigating fraud risk. On the other hand, your fraud prevention practices also protect customers by helping them detect potential identity theft and reducing the impact it has on them. 

Since fraud prevention uses personal data as defined under the GDPR, you need to understand the impact the law has on your activities to stay compliant and mitigate risks arising from fines. 

What is the General Data Protection Regulation?

The European Union (EU) General Data Protection Regulation (GDPR) is a data privacy law focused on giving data subjects control over their information. The law created an extraterritorial jurisdiction requirement, meaning that companies outside the EU who collect data from European residents or citizens can be held accountable. 

Why Is GDPR Compliance a Requirement?

GDPR compliance is a requirement because noncompliance can lead to fines and penalties. At their most severe, GDPR fines can be as much as 4% of a company’s annual global turnover or €20 million, defaulting to the larger amount. For less severe violations, companies can pay up to 2% of their annual worldwide turnover or €10 million, again defaulting to the larger amount. 

In addition, a violation can lead to the revocation of the company’s GDPR certification. 

Principles of GDPR Compliance

When you understand the fundamental principles of GDPR compliance, you can more adequately assess how they overlap with the data collected as part of fraud risk mitigation. 

The GDPR consists of the following key principles:

• Accuracy: Personal data should remain accurate and up-to-date based on the stated purpose with the ability to erase or fix any errors upon request.
• Data Minimization: Collection and processing should be adequate, relevant, and limited to stated purposes. 
• Data Security: All processing must ensure appropriate security against unauthorized or unlawful processing
• Legitimate Interest (LI): Data can only be collected and processed for a specific, explicit, and legitimate purpose. 
• Retention: Information that identifies a data subject should be stored no longer than necessary for the stated data processing purposes. 
• Transparency: Purpose for collecting and processing should be clear to the data subject. 

What Does GDPR Mean for the Fraud Industry?

As part of fraud investigations, companies collect and process personal information related to financial transactions. Then, they share the information with insurance companies or law enforcement. 

To remain GDPR compliant, you need to understand the types of protected information that you collect and process so that you can implement controls and provide appropriate data subject notifications.

Types of Data the Fraud Industry Gathers

The GDPR defines personal data as information relating to an identified or identifiable natural person, including:

• Name
• Location data
• Online identifiers
• One or more factors related to physiological, genetic, mental, economic, cultural or social identity

Best practices for mitigating fraud risk include collecting information like:

• Person’s name 
• Email addresses
• Purchase statistics
• Shipping location 
• IP address 
• Payment card/account data

In some cases, like capturing the person’s name, the data alone is enough to meet the GDPR requirements. In other cases, like capturing purchase history, you’re collecting information combined with other factors, requiring GDPR controls for the complete data set. 

GDPR Regulations Applicable to Fraud Prevention Industry

As part of your fraud prevention strategies, you need to understand where the data collection and processing fits into the overall GDPR framework. 

Legitimate Interest

Before you can collect, process, or store personal data, you need to have a legitimate interest. A legitimate interest means that you have a legal basis for processing without compromising the data subject’s fundamental rights and freedoms. In Recital 47, the GDPR explains that data controllers have a legitimate interest in processing personal data to prevent fraud. 

Data Subject Consent

Legitimate interest means you can collect and process the data. However, you still need to make sure that you provide the appropriate data subject notifications. Before collecting the personal data, you need the customer’s consent. Your data processing notification needs to include fraud processing so that people know how you plan to use the information. 

Profiling and Automation

In Article 22, the GDPR protects data subjects from decisions solely based on “automated processing, including profiling, which produces legal effects.” Fraud prevention technologies typically use a person’s data to create a baseline of “normal” purchasing behavior so that they can look for abnormal activities that indicate fraud. 

In this case, Recital 71 provides a bit more information noting that “decision-making based on such processing, including profiling, should be allowed where expressly authorized… including for fraud and tax-evasion monitoring.” However, Recital 71 also explains that you still need to put suitable safeguards in place, including providing the data subject: 

• Notice of processing
• Right to obtain human intervention
• Opportunity to express their point of view
• Ability to obtain an explanation of the decision
• Ability to challenge the decision

Third-party Data Processors

Since you’re the one collecting the customer data, you are the data controller. Any third-party fraud prevention vendor is your data processor. Under Article 30, you are responsible for using “only processors providing sufficient guarantees to implement appropriate technical and organizational measures” that comply with the GDPR. 

When using fraud prevention automation, you need to understand the vendor’s security and GDPR compliance postures. If the processor experiences a data breach, you can be held responsible for the customer’s privacy being compromised. 

Right to Object

When it comes to fraud prevention, a data subject’s request to have information removed becomes a problem. Data subjects can object to process, including profiling, at any time. However, Article 21 also notes that a controller can demonstrate compelling legal grounds for continuing to process information, including for the “establishment, exercise, or defense of legal claims.” Since fraud is illegal, you may be able to assert this to mitigate the risk that fraudsters can use the GDPR to cover their tracks and evade criminal prosecution.

How Can the Fraud Prevention Industry Remain GDPR Compliant?

Mitigating fraud risk protects you and your customers, so you can’t just stop monitoring for fraud. Simultaneously, you need to ensure that you stay GDPR compliant. 

1. Use GDPR Compliant Software

In a digital world, you need digital fraud monitoring solutions. When you engage in due diligence, you need to ensure that your data processors are GDPR compliant. You need to know that they maintain appropriate technical and administrative security and privacy controls. You also need to ensure that the way they collect and process data aligns with GDPR principles. 

To start, you should review whether the vendor has a GDPR certification that enables you to assess their compliance posture. You should also look at how the vendor’s solution mitigates the risk. For example, a bot detection software can block sources to prevent fraud, and by blocking them rather than collecting the data builds data privacy in cybersecurity. 

2. Plan for Data Breaches and Data Leaks

80% of security incidents resulted in personal data exposures that can lead to identity theft. To prevent data leaks, you need a fraud risk management solution that provides a full set of professional services. In an online world, fraud risk is more than just looking for abnormal purchases. You need to know whether cybercriminals are targeting your industry seeking to steal account information so they can continue to perpetrate fraud. You need to protect customer data to prevent fraudsters from using your company’s data. 

3. Provide Privacy Notices

To comply with the GDPR, you need to have clear privacy notices that enable customers to make informed decisions about their data. Your privacy notices should include fraud prevention and monitoring so that they know you’re collecting and processing this data before they do business with you. 

4. Evaluate Your Data Collection Requirements

Data minimization is often the most challenging part of GDPR compliance. Before you deploy a fraud prevention technology, you need to ensure that it collects the least amount of customer data possible while still mitigating risk. You should know exactly what information you need to collect to detect fraud so that you collect and process only that data. 

5. Ensure Your Website is GDPR Compliant

If you collect payments online, then you also need to ensure that your website is GDPR compliant. The GDPR incorporated the terms “privacy by design and by default.” To ensure that you build a website with privacy by design, you need to ensure that you protect personal data and document your activities. To build privacy by default, you need to apply the strictest possible privacy setting automatically. 

Comply with GDPR Regulations with DataDome

Managing GDPR compliance and fraud prevention can feel challenging. The technologies that protect customer data often lack the ability to prevent fraud. Meanwhile, the technologies that mitigate fraud risk often collect too much customer data. 

DataDome enables you to manage both fraud prevention and GDPR compliance by providing a powerful security layer against all malicious bots. Our integrated CAPTCHA solution is GDPR compliant, user friendly, and reinforced by our machine learning bot and fraud detection technologies. With DataDome, you can reduce fraudulent transactions to almost zero, protecting against fake account creation, card fraud, account takeover, and credential stuffing. 

Our bot detection solution protects your business and customers, mitigating risk to personal data and preventing bot-driven online fraud.