Trulioo GM: The Challenges Of GDPR’s Disappearing Data Act


As the age of GDPR dawns, consumers have the power to ask that their info be erased. Firms are ready or not, and Trulioo GM Zac Cohen weighs in on how fraud may find different conduits, where the bad guys, gains ill gotten, wipe the slate (and their tracks) literally clean. The challenge: how to verify the person making the request is the real McCoy?

Tomorrow marks a sea change in payments and commerce, and in data in general.

As the world – and likely (hopefully?) you – knows by now, the General Data Protection Regulation (GDPR) goes into effect on May 25.

The regulation, which traces its gestation to Europe, ushers in what might be seen as a new mindset – here, or to come – as companies deal with consumers’ data.

If the aim is to give EU-based consumers power over who has their information and how it is used, by giving them the choice to demand their information be deleted from corporate databases, the questions remain for companies: What happens when that demand to delete is, in fact, actually demanded?

And, how can companies make sure the one requesting the deletion is on the up and up? Identity theft is out there, in eCommerce and beyond, and GDPR throws light on another avenue for fraud.

In an interview with Karen Webster, Trulioo general manager Zac Cohen provided insight into how companies can authenticate users ahead of deleting data sets.

The mandate to delete brings with it a host of issues that may not have been front and center for firms, as they may not know where all the data resides within the confines of their operations. They may not know whether they can in fact delete that data for regulatory or compliance reasons (especially germane for financial institutions, amid KYC and AML regulations).

In seeking out and dealing with reams of information, or perhaps less than fulsome information – or when users simply want access to their data – GDPR becomes more relevant to the trajectory of businesses overall, said Cohen. Companies of all stripes and sizes, in all verticals, now have to grapple with verifying consumers’ identities when those requests come through.

Fraudsters, after all, can use someone’s data to make ill-gotten gains, and then simply request that the data be deleted – covering digital tracks, so to speak. Or perhaps there are malicious actors out there, spurring deletions just for the fun of it.

Of course, in the event of fraudulent deletion requests, it becomes nigh impossible to recover user profiles and information.

For the companies grappling with GDPR, infrastructure and proactivity are key, said Cohen, who cautioned firms to “do an appropriate screening before you ever get to that situation.”

He noted that part of the data battle may be waged through already familiar KYC and AML processes. But, he added, “now the wrinkle [firms] get thrown into is really the mosaic of identity, and how that is construed and deployed in the market.”

We’re past the point of making sure an individual’s name and ID match and leaving it at that, agreed Cohen and Webster. After all, data may be piecemeal, spanning an email address, perhaps, or a cell phone number, and maybe not much else – but regardless, companies have to be able to track it all down.

Asked by Webster whether companies are prepared as GDPR finally dawns, Cohen said the initial response from firms had been, and has been, to make sure they had been ready to comply with the initial request to be forgotten.

“Now it is coming full circle as the timeline draws imminent, as all of a sudden you have an immediate need to increase the robustness and proficiency of identification layers,” he said. That’s no easy task when companies collect varied data based on the goods or services they provide – and all enterprises want to avoid friction in transactions and the dreaded shopping cart abandonment.

The most basic common denominator is the mobile number, said Cohen, who mused that “I think mobile is the next gen” of identification. The other solutions that are likely to gain traction include document verification, where, say, an individual takes a selfie and it is matched up with a driver’s license photo.

Additional challenges loom when the customer says “forget me” to a business, desirous of being wiped from the database, yet downstream across any number of service companies and databases, the same actions must be underway, under the gaze of the initial organization that receives the request.

Verification can be difficult, said Cohen, as companies seek to ensure an individual is actually who they say they are, and they have not appropriated information from someone else. “So what we’re seeing are various steps depending on the complexity and the use case to leverage things like our mobile verification engines, and potentially map that to the name and email address as well, and then implement something like document verification,” he noted.

All of those measures, acting in tandem, can be used to enact a data deletion request, said Cohen.

“In the end, from the individual’s point of view, it really is a one-to-one relationship between the individual and the service provider that you are making a request to,” Cohen said, adding that “GDPR has provided greater transparency into that chain.”