GDPR Scams: Could New Data Protection Regulations Be Costing You Your Data Rather than Protecting It?
On Friday, May 25th, the EU General Data Protection Regulation (GDPR) comes into force across the European Union. Ostensibly, the new privacy rules are designed to give us greater control over the security of our personal information, but could they actually be doing more harm than good?
It can’t have escaped your attention that many of the organisations you come into contact with are making some big changes in the way they collect and process your personal data.
Without fail, every time you check your email you find yourself inundated with a slew of new messages, each one saying essentially the same thing:
GDPR is coming - and we need you to take action.
For the most part, these emails are likely to be from legitimate enterprises who really do need to let you know what is going on with regard to your data.
Yet for every legitimate email you receive, there are scores more coming from opportunistic fraudsters who see GDPR as the ideal chance to lure users into sophisticated phishing scams.
The result is that, without realising it, you could be handing over all kinds of personal information, up to and including your banking details.
Here, we look at why you’re suddenly being deluged with data privacy emails and what you need to know to keep you -and your data- safe.
Why Do I Keep Receiving Emails About Privacy and Data Protection?
Back in April 2016, a new EU-wide regulation was adopted which replaces previous data protection laws (such as the UK Data Protection Act of 1998) and sets out to achieve three primary objectives:
- Harmonise data protection law across the European Union
- Give individuals greater authority over how businesses and organisations use their personal data
- Hold those businesses and organisations fully accountable for the way they collect, store, and use that data.
This last point is particularly important:
Those who fail to adhere to the new regulation face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, meaning they have little choice but to implement a series of new GDPR compliance measures, including:
- Updating their privacy policies
- Gaining explicit consent from you to use your data in certain ways
- Being fully transparent about how they use your data
- Giving you the right -in certain circumstances- to have any data they hold about you erased.
Given the scope of these changes, businesses and organisations were given a two-year transition period before the new rules were enforced, with a deadline to get their act together by May 25th, 2018.
As you’ve already gathered, many organisations have left it to the last minute to start letting you know about the changes they’ve been making, which is why you’ve been seeing more and more emails as of late.
GDPR: A Potential Goldmine for Fraudsters
Whilst the entire aim of this new regulation is to keep your data safer, the wave of notification emails it has triggered also gives criminals cover to do the opposite.
Cybercriminals have been using the impending GDPR deadline as an opportunity to create elaborate phishing emails which may look like a legitimate GDPR notice but which, in actual fact, are being used to scam users out of their sensitive personal data.
How Do GDPR Scams Work?
These cybercriminals create emails that look almost exactly like an email from a genuine company: the same logos, wording and layout. In most cases, these are so well put together that it can be very difficult to tell them apart from the real thing at a glance; the giveaways are usually in the details, such as the sender's actual address and where the links really lead.
Often, these emails will appear to come from companies and organisations you already deal with, making them seem even more authentic.
Typically, GDPR scam emails will contain links to websites which also look like the real deal but are cleverly designed fakes, used to capture your login credentials and, potentially, lots of other highly sensitive information.
How to Avoid a GDPR Scam
First things first, remember that even for something like this, no organisation -not even your actual bank- will ask you to enter your bank details as part of any GDPR exercise.
Even the most complicated GDPR exercises won’t ask you to enter this kind of data, so any time you see something that does, treat it as a red flag and avoid it.
Most genuine GDPR emails that you receive will simply be letting you know that a company has updated their privacy policy and inviting you to click a link to review the changes.
If you do want to look at the changes, err on the side of caution. That link in the email will not be the only way you can view an updated privacy policy.
Instead, open up your web browser and visit the company’s website manually. You’ll typically find their privacy information at the bottom of their site.
Most importantly of all, if you’re not 100% certain that an email is genuine, contact the company directly to confirm whether or not it is, and what you might need to do about it. To contact them, use only the phone numbers or email addresses you find on their actual website and not the ones listed in the email itself, as these could well turn out to be just as fake.
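The advice above boils down to one check: does the link actually go where the email claims to come from? That check can be made mechanical. The following is an added example, not code from the original article: it parses a constructed sample GDPR notification (all domain names in it are made up) and flags every link whose real destination is not under the domain in the From: address, whose visible text shows a different host than its href, or which uses plain HTTP.

```python
"""Flag suspicious links in a GDPR-style notification email (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. "example-bank.com" stands in for the genuine
# organisation; "example-bank-gdpr-update.net" and "example.org" are the fake
# destinations. These are hypothetical names, not taken from any real campaign.
SAMPLE_EMAIL = """\
From: Privacy Team <privacy@example-bank.com>
To: customer@example.net
Subject: Action required: GDPR privacy policy update
Content-Type: text/html; charset=utf-8

<html><body>
<p>We have updated our privacy policy.</p>
<p><a href="https://www.example-bank.com/privacy">Review the changes</a></p>
<p><a href="http://login.example-bank-gdpr-update.net/verify">Confirm your details</a></p>
<p><a href="https://example.org/x">https://www.example-bank.com/account</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg):
    """Domain of the From: address, i.e. who the email claims to be from."""
    return msg["From"].addresses[0].domain.lower()


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def same_org(host, domain):
    """True only if host is the claimed domain or a subdomain of it.
    'example-bank.com.evil.net' does NOT match 'example-bank.com'."""
    return host == domain or host.endswith("." + domain)


def audit_links(raw_email):
    """Return one finding per link: href, visible text, and why it is suspicious."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    claimed = sender_domain(msg)
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = host_of(href)
        if not same_org(target, claimed):
            reasons.append(f"destination {target!r} is not under claimed sender domain {claimed!r}")
        if urlparse(href).scheme == "http":
            reasons.append("plain http, no TLS")
        # Visible text that looks like a URL but names a different host is a classic lure.
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:
            reasons.append(f"visible text shows {shown!r} but link goes to {target!r}")
        if target.startswith("xn--") or ".xn--" in target:
            reasons.append("punycode (IDN) host; check for lookalike characters")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Of the three links in the sample, only the first survives: it is HTTPS and sits under the sender's domain. The second is flagged for leading to an unrelated domain over plain HTTP, and the third for showing one address while linking to another. The domain match is deliberately a suffix test against the From: domain rather than a guess at the "real" registrable domain, so lookalikes such as example-bank.com.evil.net are caught; it does not, of course, help if the From: header itself is forged, which is why the article's advice to type the address yourself still stands.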
Remember - it is always better to play it safe when it comes to protecting your personal data. Be vigilant, and ensure that any emails you do receive really are helping to keep your data under your control and not that of criminals.