GDPR: A New Ethical Framework for Fraud Examiners

GettyImages-949875562.jpg

Most likely, you’ve heard the phrase “leaving a carbon footprint.” We know that traveling, consuming food and even breathing are all activities that release trace amounts of carbon into the atmosphere. The same idea is applicable to a person’s digital footprint. Your digital footprint is the virtual impression of activities you are involved in. Liking your friend’s post on Facebook, purchasing a pair of shoes online, tweeting about how much you loved this year’s #fraudconf — all of these activities are tracked and logged, and combined they are your digital footprint. This is what the GDPR is concerned with: protecting that data.

“The very act of liking a page, the very act of saying ‘I love this,’ may seem arbitrary, but you are sharing information about yourself,” said Andreattah Chuma, compliance and ethics subject matter expert at Euroclear, in her Wednesday-morning session at the 29th Annual ACFE Global Fraud Conference.

The EU General Data Protection Regulation (GDPR) defines personal data as information relating to an identifiable individual, directly or indirectly. That word “indirectly” is important. By having indirect identification in scope, the regulation acknowledges that the traces one leaves behind online aren’t always the obvious descriptors like names and addresses. While this idea is difficult for many organizations to grasp, Chuma stressed that this new direction of data regulation is a good thing for fraud examiners.

GDPR is the ethical way to deal with personal data
Chuma reminded attendees that the ACFE Code of Professional Ethics establishes that “an ACFE member shall not engage in any illegal or unethical conduct...” She then challenged them not to view this new regulation as an inhibitor to their investigations. Rather, she advised that this is a new way to frame investigations with a more ethical perspective.

Many fraud examiners are accustomed to digging deeper into someone’s personal data than the average person. In fact, investigations often require that an examiner follow digital footprints to the truth, much like little breadcrumbs left behind by fraudsters. With this new regulation, fraud examiners should deal with a suspect’s data in a manner they would expect for themselves — in other words, in a way that respects their fundamental human rights.

However, we’re not protecting this data, Chuma reiterated several times, just because it’s a basic human right. We’re protecting it because malicious groups can use this data to harm others. If a hate group wants to target a group based on their race, religion or sexual orientation, they can do that if that data isn’t protected.

Chuma provided an insightful example to drive this point home. Many organizations monitor their clients or customers in order to provide a more personalized shopping experience. However, there should be rules around this process that protect an individual’s data. “I should not see you passing by my house after I’ve visited the grocery store saying, ‘Hi, Andreattah, I saw you had this at the store. I was wondering if you still wanted to buy it.’ ” What if you don’t want the neighbor to see what you’ve been purchasing? What if it’s dangerous for your neighbor to know? It’s the organization’s responsibility, now more than ever, to handle this data with the utmost care.

Chuma advised that fraud examiners should take this as another line of the ACFE Code of Ethics.

Key implications for fraud examiners
A member in the audience asked if he had a website that targets people in the U.S. and Latin America, but someone in Spain finds it and submits their email for a mailing list, does that organization have to comply with the regulation? Chuma very firmly replied that, yes, the organization is responsible for protecting that individual’s data. GDPR applies because the website owner hasn't made it more explicit that he's not targeting EU individuals by allowing them to sign up to the mailing list service. This could be achieved by making it clear on the website or by removing EU countries from the submission form. “The nature of the internet makes it so that we can’t say, ‘I wasn’t talking to you. Go away!’”

She took it further and shared how some websites, after GDPR went into effect, blocked IP addresses from the EU. That’s not a good look, Chuma said. “Is that the message you want to be sending? The cost of compliance is so high that I’m not even willing to do business with you.”

For fraud examiners, it should all come back to the individual and an examiner’s ethical responsibility to protect that individual.