will GDPR help us have more insight into cybercrime?Help or Hinder Is No Longer the Question with GDPR
In the past two decades, the number of connected devices in an average EU household has increased exponentially. This was naturally followed by a proportionate increase in personal data amounts across various online channels.
And where there's data, there are data breaches. The WannaCry malware encrypted its victims' data, forcing them to pay for decryption. Had the aim instead been to leak said data, financial consequences could have been staggering.
So, does the legislation that mandates dedicated data protection officers and more transparency with regards to data breaches, and prescribes steep penalties as motivation for the organisations that fail to adhere to it, help or hinder cybersecurity?
GDPR: The Fraudster Angle
There are concerns that GDPR does indeed hinder cybersecurity. An organisation can detect fraud only if it authenticates its customers, using data to tell apart real identities from fake ones, as well as detect instances of account takeover.
However, if that same organisation is allowed to keep customer data only for a set amount of time before erasing it from its databases, in theory the same person might repeatedly commit fraud - and they may even request the data be deleted themselves, covering their tracks.
ADAPT AGAINST FRAUD, WITH GDPR
However, upholding a basic human right to privacy and preventing crime are not an either/or dilemma. For example, behaviour analytics and biometrics are being introduced to combat fraud without running into a metaphorical wall of data protection.
So far, most problems organisations have encountered are due to them not preparing sufficiently for GDPR's implementation rather than GDPR itself causing friction. As organisations adapt and update their security measures, these issues are expected to stop posing problems for both organisations and their customers.
CLOSE READING FOR CLARITY
Furthermore, the answer might also lie within PSD2 which contains a clearance clause which could prove very significant in fighting fraud: the section stating that EU countries can “…permit processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation and detection of payment fraud”.
Of course, customers still need to be made aware of such rights. Also, these need to be clearly stated as another specific instance of processing a customer’s data when appearing as part of customer consent forms submitted to banks and financial institutions.