Many months have been spent diligently preparing for the implementation of the General Data Protection Regulation (GDPR). If you need to find a GDPR Compliant Private Investigator, then look no further than Lateo Surveillance Ltd.
The Information Commissioners Office (ICO), who is responsible for the implementation of the GDPR have identified that personal data has become a valuable commodity in its own right. As more and more personal data is shared, the risk of serious data breaches increases. One of the main focuses of the GDPR is to force businesses to reduce this risk, therefore, protect the consumer. The definition of what the ICO considers to be a data breach can be found here. The new regulation brings with it the risk of huge fines should you be found to be non-compliant. In tandem with the threat of huge fines the ICO now also has a range of corrective powers and sanctions to impose the GDPR. These range from warnings to temporary or permanent bans on data processing i.e. stopping your business in its tracks.
Understanding the difference between the types of personal data being processed is also very important, as this will determine the levels of risk and measures required to protect it.
The ICO states sensitive data could include the following: Name, date of birth, address, medical or health information, religious information, race or ethnic origin, political opinions.
During the course of many investigations, both private and commercial investigators are exposed to and obtain sensitive data on a daily basis.
If you are data controller i.e. (business owner / legal professional) and share personal data with a private investigator who is not GDPR compliant, you are breaking the law, risk heavy fines and reputational damage to your business. Therefore, simply understanding some of the very basics will help protect both you and your business. Read on to see an example of one of the most common misconceptions within the industry, which could land you in serious trouble if you get it wrong!
Many of our legal and business clients who instruct us to carry out investigations are by law in accordance with the GDPR ‘data controllers’ there is, however, often confusion regarding roles and responsibilities of the data controller and data processor.
The GDPR states the following:
Data Controller: a data controller determines the purposes and means of processing personal data. If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
This means you have a responsibility to ensure your investigator is not only competent but also compliant; the act also requires a written contract to be in place detailing those roles and responsibilities.
Data Processor: a data processor is responsible for processing personal data on behalf of a controller. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
Previous regulation has been somewhat ‘sketchy’ regarding the data processors legal liability, thankfully, the GDPR now makes this very clear!
Due to the nature of their work,“It is unlikely a private investigator would be a data processor. This is due to the high degree of independence, expertise, control and processing of personal information such as writing and retaining reports, obtaining photographic or video evidence”. Senior Policy Officer (Strategic Liaison)
For the avoidance of doubt the General Data Protection Regulation (EU) 2016/679 (GDPR) states the following:
The fact that one organisation provides a service to another organisation does not necessarily mean that it is acting as a data processor. It could be a data controller in its own right, depending on the degree of control it exercises over the processing operation. The document can be found here
There are many private investigators who vehemently disagree with the following example. However, the ICO’s position and guidance are clear. Many will now be forced to change their processes, accept more responsibility or risk prosecution.
Given the ICO’s general position (above), see the following example:
Example: – A solicitor or business owner instruct’s a private investigator to carry out a surveillance investigation in order to ascertain the subjects true levels of mobility.
Answer:
The solicitor or business owner – Assumes the legal responsibilities as a Data Controller.
The Private Investigator – Assumes the legal responsibilities as a Data Controller.
The reason the PI is a Data Controller and not, as many would assume and argue the Data Processor, is due to the high degree of independence, expertise, control and processing of personal information expected during this type of investigation. Deciding where to observe, record, photograph or write a report turns the processor into a data controller and as such a written contract must be in place between data controllers clearly detailing responsibilities.
Great news for the solicitor or business owner, not so great for the investigator!
Assuming shared Data Controller responsibilities is nothing whatsoever to do with the GDPR. This has been the case for many years in accordance with the Data Protection Act 1998. Many investigators either did not understand the previous regulation or simply chose to ignore it.
Lateo Surveillance Ltd will always assume ’via contract’ the shared responsibilities of a Data Controller, giving our clients the confidence, assurance and accountability, they need (And) deserve in order to remain GDPR Compliant.
Our clients can trust Lateo Surveillance to ensure all investigations are compliant, we provide advice, guidance and ensure the correct paperwork and contracts are in place prior to instructions being carried out.
See our next post – How to become a GDPR compliant Private Investigator.
Need some tips on employing a private investigator? See our previous post: How to employ a Private Investigator
For more information, please contact us below.
Want to speak to a real person? Please call or text or you can leave a message and we can call you straight back : +44 (0) 797 4659 016
Have a question? please visit our Frequently Asked Questions page.
Please contact us via the website contact us page, you can email direct at info@lateosurveillance.co.uk
For further information on Lateo Surveillance Ltd see our About us page.
Visit our homepage or get more info via Private Investigator Durham or Private Investigator Harrogate.
Need a covert camera fitted? See our covert cameras page.