Companies are being warned to put strong measures in place so that one of the key tenets of GDPR – the right to erasure – does not result in a huge uplift in identity fraud and spark a new practice of malicious data hacking.
The warning comes just days after the fraud prevention service Cifas reported that ID fraud is at its highest ever level, up 125% over the course of a decade; there were 174,523 cases in 2017 alone.
According to research carried out by Wilmington Millennium, many organisations still do not have procedures in place to verify the identity of the person making the request for erasure.
With GDPR not specifying how consumers should make a valid erasure request, an individual could ask to be forgotten verbally or in writing. It could be made to any part of an organisation and does not have to be to a specific person or contact point.
In its GDPR guidance, the Information Commissioner’s Office recommends creating a policy for recording details of the requests received, particularly those made by telephone or in person, but it is not compulsory for compliance.
This lack of a verification protocol has led to fears that criminals could latch on to this loophole and use the right to erasure to facilitate ID fraud by requesting a deletion and then setting up new accounts in the name of the person in whose name the erasure request was made.
If legitimate records are deleted, it will provide a clean slate for fraudsters to exploit. Additionally, it could be used maliciously by individuals who might imitate someone they know and ask an organisation for the deletion of ‘their’ personal data, which could lead to significant problems for that person in the future.
Wilmington Millennium product director Karen Pritchard said: “Despite the early and continued misgivings about GDPR, the new regulation is going to be positive in the long term for marketers as it will strengthen customer relationships.
“However, this has highlighted an issue that needs consideration. Identity fraud is already a huge problem – one that is growing – and our research among ex-offenders shows that criminals consider it an easy crime. Organisations are required to take erasure requests at face value, but they may be deleting legitimate records at the behest of someone else entirely.”