7 Deadly GDPR Assumptions You Can’t Afford to Make
The General Data Protection Regulation (GDPR) seeks to create a harmonized data protection framework across the European Union (EU), protecting the personal data of consumers in the EU (more precisely, EU residents: citizenship is irrelevant). The regulation gives people greater control over their data, imposing strict rules on companies that host and process the information and on the free movement of this data, within and outside the EU.
GDPR applies 1) to EU residents’ personal data processing by a controller or processor entity established in the EU, whether or not the processing takes place in the EU, and 2) to personal data processing by an entity outside the EU related to commerce involving EU residents, or monitoring behavior taking place within the EU.
GDPR was approved by the EU Parliament on April 14, 2016 with a two-year transition period. Full compliance with GDPR is required by May 25, 2018. With so little time before compliance is mandated, many businesses are still struggling to understand the implications of GDPR. While GDPR is a very comprehensive and complex legal regime, we’ve developed a brief list of some common misconceptions about GDPR that can provide insights on making key decisions around GDPR compliance.
1. I am a company incorporated in the United States. GDPR is a European Union regulation and it does not apply to me.
Unfortunately, many business executives want this to be true. The reality is much more sobering. If a company is based in the U.S. and has a digital online service that EU residents can log into — then be aware. Even as a U.S. company, GDPR applies to you. To prove that the company does not have any EU residents among its customers, the customer relationship management (CRM) system must be able to support that assertion. Remember, the burden is on the company that’s processing the personal data to demonstrate that it’s complying with GDPR.
2. I collect as much as I can to verify my customers to my online service. There is simply too much fraud for me to do otherwise.
Identity fraud is rampant now that customer information is available on the dark web. Even more fraud can be expected, as recent breaches of credit-reporting agencies have revealed consumers’ personal answers to Knowledge Based Authentication (KBA) questions. KBA, once the gold standard of identity verification and authentication, is familiar to most consumers as a series of questions such as:
• What was the color of your first car?
• What is the first name of your childhood best friend?
• Where did you meet your spouse?
These questions are typically asked when a consumer has forgotten their password and requested a password reset online. KBA is also used when a consumer needs to confirm information related to a credit-card application.
As if that’s not enough, the success of smart chips in preventing retail credit-card fraud has only shifted the focus to online Card Not Present (CNP) fraud. There’s simply no universal agreement on how to read the smart chips online because companies are hesitant to risk inconveniencing consumers with chip-reader hardware on their PCs or mobile devices.
You might think it’s prudent to collect as much information as possible about a consumer in light of these fraud trends. However, companies are surprised by GDPR’s rule about the collection of identity data and data minimization. Here is the rule paraphrased:
During Customer Registration: Collect data only to verify the user against another data source during the session; that data is not retained afterwards.
During Access: Once access is granted after registration, the service may ask whether the user is over or under a given age, but not for the date of birth; it may ask for a general location, but not the actual address.
Companies will need to make sure they don’t overcompensate for fraud by collecting and storing large amounts of identity data, but instead collect the right data at the right time. Otherwise, you could be inviting potential GDPR compliance liability.
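The registration and access rule paraphrased above, shown as an added Python example (this is illustrative code written for this page, not Neustar’s own code or product). The verification source, the sample registration and the reference date are constructed stand-ins: the point is that the raw identity fields are compared during the session and only derived facts (verified, over 18, coarse country) are retained, so the stored profile can later answer an age or location question without holding a date of birth or street address.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

# Constructed stand-in for the external data source a service verifies against
# during the session (hypothetical; a real service would query a verification
# provider and would not hold such a table itself).
VERIFICATION_SOURCE = {
    "alice@example.com": {
        "name": "Alice Example",
        "dob": date(1990, 6, 1),
        "address": "12 Rue Imaginaire, 75001 Paris, FR",
    },
}

# Raw identity fields that must not survive registration in the stored profile.
RAW_IDENTITY_FIELDS = {"name", "dob", "address"}

# Constructed sample registration submission and reference date for the demo.
SAMPLE_SUBMISSION = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "dob": date(1990, 6, 1),
    "address": "12 Rue Imaginaire, 75001 Paris, FR",
}
REFERENCE_DATE = date(2018, 5, 25)


@dataclass(frozen=True)
class MinimizedProfile:
    """What the service retains after registration: a login identifier plus
    derived facts only, never the date of birth or the street address."""
    user_id: str
    verified: bool
    over_18: bool
    country: str  # coarse location only, e.g. an ISO country code


def _age_on(dob: date, today: date) -> int:
    """Whole years between dob and today (birthday not yet reached counts as one less)."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def verify_in_session(submitted: dict, today: date) -> Optional[MinimizedProfile]:
    """Compare the submitted identity data with the source for this session only,
    derive the minimal facts, and discard the raw fields. Returns None on mismatch."""
    record = VERIFICATION_SOURCE.get(submitted.get("email", ""))
    if record is None:
        return None
    for field in RAW_IDENTITY_FIELDS:
        if submitted.get(field) != record[field]:
            return None
    # Derive coarse facts from the raw data while it is still in hand.
    country = record["address"].rsplit(",", 1)[-1].strip()
    over_18 = _age_on(record["dob"], today) >= 18
    # Only the derived profile leaves this function; 'submitted' and 'record'
    # go out of scope and are not written anywhere.
    return MinimizedProfile(user_id=submitted["email"], verified=True,
                            over_18=over_18, country=country)


def raw_fields_retained(profile: MinimizedProfile) -> set:
    """Audit check: which raw identity fields, if any, ended up in the stored profile."""
    return RAW_IDENTITY_FIELDS & set(asdict(profile))


def access_check(profile: MinimizedProfile, min_age: int = 18, allowed_countries=("FR",)) -> bool:
    """Answer the 'During Access' questions from derived facts only. Because the
    profile holds no date of birth, only the over/under-18 question is answerable;
    any other threshold is refused rather than guessed."""
    if not profile.verified:
        return False
    if min_age != 18:
        raise ValueError("profile holds only an over-18 flag; other thresholds cannot be answered")
    return profile.over_18 and profile.country in allowed_countries


if __name__ == "__main__":
    profile = verify_in_session(SAMPLE_SUBMISSION, REFERENCE_DATE)
    print(profile)
    print("raw fields retained:", raw_fields_retained(profile))
    print("access granted:", access_check(profile))
```

The `min_age != 18` refusal is deliberate: once the date of birth has been discarded, the service cannot answer a question it did not decide to support at registration time, which is exactly the trade-off minimization asks the business to make up front.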
3. The information on my website isn’t sensitive so I really don’t need stronger authentication.
A lot of organizations seem to feel this way. However, without a risk assessment, especially one targeted at online customer registration and authentication, there’s really no way to know for sure. Take for example the exploitation of a well-known credit-reporting agency’s customer-complaint website. The purpose of the website was to allow customers who had an issue with their credit report to initiate an investigation. Consumers were required to input information into a web form to begin the process. No financial transactions were conducted on the website.
Given these facts, most risk assessments would not consider this website high risk. Yet the same web form used by consumers to request a credit review was the gateway the hackers used to reach dispute documents, and ultimately a database table holding a large amount of personally identifiable information (PII).
Again, without a detailed risk assessment that outlines where and how PII is used on a website, a company cannot be sure.
4. GDPR won’t affect me because I run a customer contact center. It’s really only for the online channel.
Not true at all. Even though online data security and privacy are a huge part of the GDPR law, call centers handle and store personal data such as e-mails, names and addresses, as well as transactional information. Remember assumption #2 and the need to minimize data collection? That’s why, when a customer contact center is involved, there is huge GDPR risk in storing sensitive personal data for customer verification. The best way to mitigate this risk is to verify customers at the time of the call, thus reducing the amount of personal data held at the call center.
5. I’m in the Collections business and I am compliant with Regulation E for digital payments. I don’t have to worry about GDPR.
While the two are certainly similar with regard to obtaining consent to make payments electronically, there are other aspects of GDPR that may pose risks to collection agencies. Key provisions of GDPR include a data subject’s right to be forgotten, and collection systems that perform customer profiling will be subject to limitations under the “Privacy by Design” rule.
Overall, under GDPR rules, collections will become more difficult and riskier using current systems and processes. To mitigate such risk, collections businesses may need to consider more authoritative sources of information, limiting the risk posed from third-party data sources that provide the information only at the moment of inquiry.
6. I have insurance to cover breaches. My insurance should cover the costs for breaches under GDPR.
Not necessarily. Breaches under GDPR can result in serious financial ramifications. While most insurance products provide coverage for customer notification, public relations, digital forensics and investigations, they may not protect against the fines that could be applied under GDPR.
Under GDPR, if a breach occurs and it is proven that the organization did not perform due diligence in complying with the regulations, a fine of up to 4% of the company’s annual revenue can be levied. To understand the significance of that number, take for example the fines applied to Hilton hotels after a breach between April and July 2015. The New York Attorney General fined Hilton $700,000, roughly $2 per record lost. Hilton’s revenue for 2014 was $10.5 billion. If you take 4% of that amount, the fine would be an astounding $420 million, or roughly $1,200 per record. It’s highly unlikely insurance could cover this cost.
7. I don’t have to pay for GDPR fines because I am a U.S. company.
Think again. EU enforcement has been very successful historically with U.S. authorities, especially if the U.S. business has a physical or retail presence in the EU. And even when there is no physical presence in the EU, GDPR explicitly leverages International Law for enforcement purposes. There is also increasing collaboration between the U.S. and EU authorities regarding the negotiations behind the EU-U.S. Privacy Shield. While there is no explicit U.S.-to-EU civil enforcement mechanism yet, it is a foregone conclusion that EU fines are enforceable in the U.S.
To learn more about how to mitigate risks associated with GDPR, download Neustar’s free Multi-Factor Authentication Risk Assessment today.