Law firm Horwich Farrelly is warning insurers that the General Data Protection Regulation (GDPR) which will come into force in one year’s time (25th May 2018) could have serious repercussions on counter fraud activities. In particular, significant parts of the regulations still require further guidance from the government on their interpretation and application in the UK.
Until this guidance is forthcoming, Rick Preston, Head of Intelligence Services at Horwich Farrelly, believes there is a real danger that insurance fraud detection may be seriously hampered by the regulations if they are applied as currently drafted.
“Whilst the current Data Protection Act contains provisions allowing insurers and firms to use personal data to investigate potential fraud without having to secure the permission of the individuals concerned, the GDPR is far more prescriptive. Under the new legislation, the government may need to approve that companies are ‘competent authorities’ in order to continue to undertake certain categories of civil investigation and intelligence sharing.
“In practical terms, insurers and law firms will have to ‘firm up’ their policy wordings, processing notices and client care letters to be explicit as to the nature of their intentions in regard to counter fraud data sharing practices, seeking express authority to do so. For third party or non-client data the situation may be even more difficult.
“Horwich Farrelly is, however, lobbying hard for similar authority to be obtained if the industry can mutually agree to changes to the CNF (claim notification form) and other document wordings.”
Under GDPR, if challenged by the individual, the burden of proof is on insurers and lawyers to demonstrate ‘legitimate grounds’ for storing and processing data. Aside from general policy and claim data, Horwich Farrelly believes insurers, law firms, counter fraud data aggregators and counter fraud industry forums that hold ‘intelligence databases’ may have to implement separate storage, retention and deletion policies specific to the data which they hold.
The law firm does however, believe, that there is a silver lining in the new regulations.
Whilst the processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest, this is one particular area of adverse behaviour where the counter fraud sector could see a real benefit with the new regulations making ‘claims farming’ much more difficult.
“Currently, direct marketing companies have relied upon ‘general consent’ to contact potential personal injury claimants,” continues Rick Preston. “This consent is often obtained by an individual failing to ‘opt out’ using a tick-box hidden in the small print of a website or form. However, with the new regulations, customers will need to expressly provide consent and agree to the precise nature of what their data can be used for. It seems unlikely that individuals will consent to being bombarded by telephone calls and text messages in relation to their claim!”