The Fraud Examiner
5 Things Every Fraud Examiner Should Know About Data Privacy
Ron Cresswell, J.D., CFE
Research Specialist, Association of Certified Fraud Examiners
It has been more than three years since the EU’s General Data Protection Regulation (GDPR) took effect. During that time, many jurisdictions have enacted their own data privacy laws. While the details of these laws vary by jurisdiction, their general requirements tend to be similar. Here are five things every fraud examiner should know about how data privacy laws affect fraud investigations.
1. You need a documented exception or lawful basis to collect or access personal information.
Generally, data privacy laws require organizations to provide notice to data subjects before collecting or accessing their personal information. This creates a problem for fraud examiners, who generally don’t want to provide notice, since doing so would reveal that a fraud investigation is underway and could give suspects time to destroy evidence or otherwise interfere with the investigation. Fortunately, most data privacy laws contain exceptions to their notice requirements.
Under the California Consumer Privacy Act (CCPA), for example, personal information may be collected or accessed without notice to the data subject if the information:
- Is necessary to exercise or defend legal claims (e.g., when investigating possible fraud or misconduct)
- Is necessary to comply with the law (e.g., the fraud examiner works for the government or a public company and has a legal duty to investigate fraud)
- Is necessary to cooperate with a government
- Is included in certain employment-related materials already in possession of the organization