Horwich Farrelly has warned insurers that the General Data Protection Regulation (GDPR), which will come into force in a year’s time on 25 May 2018, could have serious repercussions on counter fraud activities.
Rick Preston (pictured), head of intelligence services at Horwich Farrelly, believes there is a real danger that insurance fraud detection may be seriously hampered by the regulations if they are applied as currently drafted and says that significant parts of the regulations still require further guidance from the Government on their interpretation and application in the UK.
Preston said that while the current Data Protection Act contains provisions allowing insurers and law firms such as Horwich Farrelly to use personal data to investigate potential fraud without having to secure the permission of the individuals concerned, the GDPR is far more prescriptive.
Under GDPR, if challenged by the individual, the burden of proof is on insurers and lawyers to demonstrate legitimate grounds for storing and processing data. Aside from general policy and claim data, Horwich Farrelly believes insurers, law firms, counter fraud data aggregators and counter fraud industry forums that hold intelligence databases may have to implement separate storage, retention and deletion policies specific to the data which they hold.
As a result the Government may need to approve that companies are “competent authorities” in order to continue to undertake certain categories of civil investigation and intelligence sharing.
“In practical terms, insurers and law firms will have to firm up their policy wordings, processing notices and client care letters to be explicit as to the nature of their intentions in regard to counter fraud data sharing practices, seeking express authority to do so,” said Preston.
“For third party or non-client data the situation may be even more difficult.”
The law firm does however, believe, that there is a silver lining in the new regulations.
While the processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest, this is one particular area of adverse behaviour where the counter fraud sector could see a real benefit with the new regulations making claims farming much more difficult.
“Currently, direct marketing companies have relied upon ‘general consent’ to contact potential personal injury claimants,” said Preston.
“This consent is often obtained by an individual failing to opt out using a tick-box hidden in the small print of a website or form. However with the new regulations, customers will need to expressly provide consent and agree to the precise nature of what their data can be used for. It seems unlikely that individuals will consent to being bombarded by telephone calls and text messages in relation to their claim.”
Horwich Farrelly has said that its 200-strong counter fraud team is working closely with the Insurance Fraud Bureau and insurer clients to ensure they are ready for 25 May 2018.
“The GDPR provides considerably tougher penalties than the DPA with fines of up to 4% of annual global turnover or €20 million, whichever is greater”, added Preston.
“If the May deadline isn’t enough of an incentive, then the stiffer penalties should encourage firms to act now and prepare for regulatory changes.”