GDPR and Identity Fraud

Spring has sprung, and with it, an eager expectation of the arrival of better weather, as well as the (perhaps more dependable) arrival of the court’s decision on Dreamvar UK Ltd vs Mishcon de Reya and P&P Property Limited vs Owen White & Catlin LLP, and of course the introduction of GDPR at the end of May (25th).

The two cases of Dreamvar and P & P Property, which the courts heard in February, concern property fraud. The deception underpinning them both is straightforward: a fraudster pretends to be a vendor in a conveyancing process, having no actual ownership of the property in question, and they ‘sell’ the property before disappearing with the proceeds. Such fraud is generally termed ‘identity fraud’, and legal firms make an attractive target for identity fraudsters, with vast sums sloshing through their client account in conveyancing matters. However, no business or individual is free from the risk of identity fraud, with attacks coming in many other guises. One example is a phishing scam reporting to derive from bona fide sources, another is a cloned email demanding ‘urgent payment’ from the Chief Executive, and others include fake social media profiles inviting its unwitting victim to become ‘friends’.

It appears reasonable to hope that the introduction of GDPR will do some good to counter identity fraud, with its stringent set of rules and the greater care that ‘data processors’ will now have to take when handling clients’ and customers’ personal information. However, businesses must not become complacent, particularly in the wake of two recent observations in the run-up to GDPR:

  1. The incident-detection agency SecBi alerted its client to suspicious activity on one of their employees’ devices. However, the client felt unable to pursue the case, since doing so may have amounted to a breach of their responsibilities concerning employee data-handling. It transpired that the employee’s union had used language from GDPR to prevent the employer from even looking at its employee’s personal information without ‘sufficient cause’. [Ref: Are you letting your GDPRs privacy rules trump security?, Michael Nadeau,, 23 March 2018]
  2. Instances where fraud is detected early have dramatically increased the chance of tracking down the fraudster, because of the availability of trace information left behind, such as associated domain names which lead to an identification and prosecution. With GDPR, the same information will be much more difficult to obtain, in the quest to identify the fraudster. [Ref: GDPR and WHOIS – winners & losers, Matt Serlin,, 05 April 2018]

We may conclude from the two observations that whilst GDPR might do some good in the fight against fraud in general, it may bring with it new opportunities for identity fraudsters to go undetected. This could foster an environment in which fraudsters feel safer to operate, which could in turn increase the number of attacks. Businesses cannot afford to let down their guard against fraud, and must ready themselves properly for GDPR. Fraudsters will no doubt be looking to do the same.

If you are concerned about identity fraud and how you or your business can counter it, please get in touch. We can provide advice, and even arrange a ‘Spring clean’ review of your fraud-preventative systems to help you ensure you are well-protected before and after the introduction of GDPR.

Please contact Hannah Farmborough or call on 0207 429 4147 to be put in contact with a member of our Forensics team.