Skip to content
City PM
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
Thursday 14 June 2018 3:04 pm

The fraud risk underlying GDPR’s ‘right to be forgotten’

By: Zac Cohen

Add as a preferred source on Google

The build up to the GDPR deadline saw an inundation of speculations around whether companies within the EU would be ready to comply with the regulation.

But maybe it’s time to think beyond deadlines and fines, and move on to what a post-GDPR world looks like for customer identity security.

A key tenet of GDPR gives customers the right to be “forgotten”. But, in a cruel twist of fate, the very thing that was to give consumers’ power to demand privacy could lead to a new avenue for identity theft.

When a customer says “forget me”, organisations are faced with a new set of challenges.

Not only do firms have to confirm whether they can in fact delete that data for regulatory or compliance reasons, but they also have to be wary of potential fraudsters.

Once a Subject Access Request is submitted, companies have one month to respond by sharing a copy of all the personal data they hold on the individual. The sensitivity of the data they are being asked to share means that, before companies process deletion requests, they’ll need to ensure that they can effectively verify the identities of individuals who are requesting personal information.

Individuals can use someone else’s data to help them commit fraud, and then simply request that the data be deleted – covering their digital tracks, so to speak.

There is also the threat of malicious actors, spurring deletions perhaps to harm competitors.

Google is one company that has had to get to grips with data deletion requests already.

A key criteria in its process is the need to verify the identity of a person making the request, in order “to prevent fraudulent removal requests”. The potential seriousness of this issue, and particularly the widening impact after GDPR, means that companies need to tackle verification as a priority.

In order to effectively verify individuals, companies should use the multiple methods at their disposal, including mobile, biometrics, and document verification.

Data may be piecemeal, but companies must be able to track it all down and increase the robustness of identification layers.

Customers also deserve to know about the possible impact of their history being wiped. It potentially prevents them from having access to services because they will no longer be identifiable.

Also, when companies no longer have a record of an individual’s regular behaviour, deletion can seriously hinder the ability to spot signs of fraudulent activity on their accounts. Data analysis is the basis for modern fraud detection, and the deletion of data may leave individuals vulnerable.

Maintaining trust is critical. Companies also have the responsibility to ensure it is in fact the right customer making the request.

 

Share this article

  • Facebook
  • X
  • LinkedIn
  • WhatsApp
  • Email

Similarly tagged content:

Sections

  • News

Categories

  • Business

Trending Articles

  • Billionaire Easyjet founder in line for £800m payday from takeover

  • The former African gold miner taking on the billionaire Issa brothers

  • Tesco ‘in talks’ to exit eastern Europe

  • Pension pressure to help swell UK debt to three times size of economy

  • As it happened: FTSE 100 slump as oil soars; Trump says Iran will be ‘hit hard’ tonight

More from City PM

  • Yoti boss warns social media ban needs tougher age-check standards

    Tech
    Getty Images logo on a digital screen, symbolizing media and photography industry presence in news and business contexts
  • Social media ban may push children to ‘darker corners of the internet,’ lawyers warn

    Legal
    Australia's policy, which came into force in December and bars children under 16 from major platforms including Tiktok, Instagram, Snapchat and X.
  • Manago AI, Formerly SALESmanago, Unveils New Identity and Agentic AI Capabilities to Help Brands Move Faster and Make Powerful Marketing Feel Simple

    Business Wire
  • Legado and Amiqus Partner to Streamline Regulated Onboarding in UK Financial Services Sector

    Business Wire
  • Nex Playground Officially Hits Store Shelves in the United Kingdom and Republic of Ireland, Introducing New U.K. Activations & Game Experiences

    Business Wire
  • Kore.ai Partners With Atos to Deliver Sovereign Agentic AI for UK Enterprise

    Business Wire
  • Incode Acquires Identiq to Expand Its Privacy-First Architecture for Identity and Fraud Prevention

    Business Wire
  • Survey: Nearly All European Organisations Feel Pressure to Scale AI for Customer Experience, Yet Only 38% Have a Clear Approach to Governance

    Business Wire

City PM — European politics, business and analysis.

Europe

  • Germany
  • France
  • Europe
  • UK & Ireland

Topics

  • Business
  • Markets
  • AI
  • Technology
  • Opinion
  • Energy

More

  • Politics
  • Economics
  • Fintech
  • Legal
  • Sport
  • Life

Company

  • About City PM
  • Editorial Policy
  • Corrections
  • Contact
  • Terms of Use
  • Privacy Policy
  • Cookie Policy
© 2026 City PM · Published by CityPM Media, Bahnhofstrasse 65, 8001 Zürich, Switzerland
About · Editorial Policy · Corrections · Contact · Privacy · Facebook