The Fraud Examiner

5 Things Every Fraud Examiner Should Know About Data Privacy

Ron Cresswell, J.D., CFE
Research Specialist, Association of Certified Fraud Examiners

It has been more than three years since the EU’s General Data Protection Regulation (GDPR) took effect. During that time, many jurisdictions have enacted their own data privacy laws. While the details of these laws vary by jurisdiction, their general requirements tend to be similar. Here are five things every fraud examiner should know about how data privacy laws affect fraud investigations.

1. You need a documented exception or lawful basis to collect or access personal information.

Generally, data privacy laws require organizations to provide notice to data subjects before collecting or accessing their personal information. This creates a problem for fraud examiners, who generally don’t want to provide notice since doing so would reveal that a fraud investigation is underway and could give suspects time to destroy evidence or otherwise interfere with the investigation. Fortunately, most data privacy laws contain exceptions to their notice requirements.

Under the California Consumer Privacy Act (CCPA), for example, personal information may be collected or accessed without notice to the data subject if the information:

  • Is necessary to exercise or defend legal claims (e.g., when investigating possible fraud or misconduct)
  • Is necessary to comply with the law (e.g., the fraud examiner works for the government or a public company and has a legal duty to investigate fraud)
  • Is necessary to cooperate with a government investigation
  • Is included in certain employment-related materials already in possession of the organization
