horwich farrelly

GDPR: What are the implications for fraud detection?

26 May 2017

In less than a year – 25 May 2018 – the General Data Protection Regulation (GDPR) will enter the statute books, at least until the scheduled withdrawal from the European Union in March 2019.

However, even at that point, both the current government and the Information Commissioner’s Office (ICO) have stated their clear intention to retain the vast majority of the GDPR provisions in UK law, unless there is justification to repeal any part of it.

[Image: finger pushing a GDPR button on a keyboard. Caption: GDPR comes into force on 25 May 2018]

Whilst many of the regulations themselves will require further guidance as to their interpretation, there are industry-wide concerns that significant changes to current practices will be required within the insurance claims and underwriting arena, particularly in relation to fraud detection and prevention.

The fear is that the use of data may be far more restricted than at present and will make it more difficult for insurers and lawyers to process data on the basis of legal justification.

In recognition of the ways in which data processing has developed over the past 20 years, the GDPR goes beyond the scope of the Data Protection Act 1998 (DPA), both territorially and in terms of the type of data covered, the media in which it may be held and the duties of data controllers and processors. To reflect globalisation, the GDPR will apply not only to data processing performed by organisations within the EU but also to those sited outside the EU that offer goods or services within the bloc.

In simple terms the GDPR will affect every organisation that processes EU residents’ personally identifiable information.

Personal Data

The GDPR provides a more detailed definition of ‘personal data’ than under the existing provisions, which impacts particularly on insurers and lawyers who are dependent on large volumes of such data, whether held electronically or manually. Organisations of this type must address, justify and document how they will collect and store data securely, how the data is managed to protect the rights of individuals, and how the data is used.

Among a number of onerous requirements under the GDPR are those to:

  • provide notification of any data breach within 72 hours;
  • expand rights of access for data subjects to increase transparency;
  • introduce data erasure, or ‘the right to be forgotten’.

This will mean that those charged with managing data processes (Data Protection Officers) will need to be experts in their field and fully conversant with the GDPR. They will also be required to react swiftly to signs that the UK approach to data protection will become more restrictive and to reassess the grounds for justifying the retention of data.

[Image: illustration of data being processed. Caption: Data Protection Officers will need to be experts in their field and fully conversant with the GDPR]

Impact on Counter Fraud Sector

In the counter fraud arena, there are potential changes to existing practice which, if not managed properly, may give rise to challenge or complaint.

Currently, under the DPA, in the course of investigating possible fraud in a civil context, we are used to regular exchanges of information without the consent of the data subject under the cover of Section 29 requests and disclosures.

How might the GDPR affect that? Notably, the new regulations only provide such permission to “competent authorities”, to be determined at national level. Worryingly, indications are that this description may currently exclude organisations involved in counter fraud activities within the UK private sector.

The present Section 29 is silent as to whom it applies and this has given a degree of leeway for insurers and lawyers in the private sector to use it. Unless the next UK government takes steps to relax the impact of these provisions, they also potentially conflict with insurers’ wishes to be able to store claims histories and intelligence over a prolonged period, both to inform underwriting procedures and to detect fraud.

Wider Data Processing

In terms of the processing of data more generally, Article 6(1) of the GDPR states that data processing shall be lawful only where at least one of the provisions at Article 6(1)(a)-(f) applies. Article 6(1)(f) applies where:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

There is some assistance from the recitals to the GDPR which provide examples of processing that could be necessary for the legitimate interest of a data controller.

These include Recital 47, which refers to:

“processing for direct marketing purposes or preventing fraud”, but the recital also states that “controllers should consider the expectations of data subjects when assessing whether their legitimate interests are outweighed by the interests of data subjects”.

The interests and fundamental rights of data subjects “could in particular override” that of the controller where data subjects “do not reasonably expect further processing”.

Where “legitimate interests” are relied on in relation to specific processing operations, this will now need to be set out in the relevant information notices, by virtue of Articles 13(1)(d) and 14(2)(b). Individuals are able to object to processing based on legitimate interests.

Practical Implications

In practical terms, insurers and law firms will have to firm up their policy wordings, processing notices and client care letters to be explicit as to the nature of their intentions in regard to counter fraud data sharing practices, seeking express authority to do so.

For third party or non-client data the situation may be even more difficult, the hope being that similar authority can be obtained via changes to the claim notification form (CNF) and other document wordings mutually agreed within the industry.

It will certainly be interesting to see how future law makers will interpret the balance between ‘fundamental rights’ and ‘legitimate interests’, when assessing counter fraud investigative procedures.

A Silver Lining?

Whilst the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, this is one particular area of adverse behaviour where the counter fraud sector could see a real benefit.

Article 4(11) of the GDPR defines “consent of the data subject” as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Recital 32 suggests that this may be signified by:

“ticking a box when visiting a website… or by any other statement or conduct which clearly indicates… the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent”.

What we have seen, particularly over the recent past, is real frustration in relation to the direct marketing of prospective personal injury claimants, often described as “claims farming”. Commonly, direct marketing companies have relied upon a ‘general consent’ to contact data subjects, which is often obtained via an individual failing to ‘opt out’ by way of a tick box, usually hidden within the small print of a website quotation or other application.

The new regulations will remove this argument, requiring data subjects to have expressly provided consent by their own actions and, more importantly, to have agreed to the precise nature of what their data can be used for. Although it may not be so simple, it is inconceivable that individuals will consent to being bombarded by telephone calls and text messages in relation to “their claim”, which appears to be the status quo!

[Image: woman annoyed by a nuisance phone call. Caption: The new regulations could lead to a fall in consumers receiving unwanted or nuisance calls]

Other Rights

There are also other rights that individuals are entitled to exercise under the GDPR, such as the right to ‘erasure’ of their data in certain specified situations, effectively where the processing fails to satisfy the requirements of the GDPR.

This right can be exercised against controllers, who must respond without unreasonable delay (and in any event within one month). The grounds for this include (i) if the individual withdraws consent to processing (and if there is no other justification for processing) and (ii) where processing is based on legitimate interest, if the individual objects and the controller cannot demonstrate that there are overriding legitimate grounds for the processing.

Insurers and lawyers storing personal data must continually review the basis on which they may argue ‘legitimate grounds’ for its retention and processing. If challenged by the data subject, the burden of proof is on the data controller to demonstrate that the legitimate grounds override the interests of the data subject. The test would appear to be whether the data subject would reasonably expect their data to be processed in the way it has been, on the basis of the legitimate interests of the data controller or a relevant third party.

Actions and Sanctions

Aside from general policy and claim data, insurers, law firms, counter fraud data aggregators and counter fraud industry forums that hold intelligence databases may have to implement separate storage, retention and deletion policies specific to the data which they hold.

There is a final reason all of this should concern us, and why steps should be taken now to make sure we are ready for May 2018: the GDPR provides considerably tougher penalties than the DPA, with fines of up to 4% of annual global turnover or €20 million, whichever is greater.
