Becoming a GDPR compliant private investigator within an unregulated industry has brought with it many challenges.
At Lateo Surveillance Ltd we firmly believe the implementation of the General Data Protection Regulation (GDPR) has been a good thing and welcomed by many professional private investigators within the industry.
The GDPR is incredibly important for all private investigators to understand and implement, given that the information we process is generally classified by the regulation as sensitive (special category) data.
From the outset, we would like to thank The Association of British Investigators (ABI), of which the principal investigator of Lateo Surveillance Ltd is a full member. The ABI was quick off the blocks, encouraging its members to attend seminars across the country many months prior to the implementation of the regulation on the 25th May 2018. Its focus is for members to become not only GDPR compliant private investigators but industry leaders. It continues to provide its members with templates and assistance when required.
Unfortunately, although an incredible amount of work has been carried out by those diligent enough to recognise its importance, there are still many who have completely ignored the regulation. Those found to be non-compliant whilst processing personal data risk sanctions being imposed by the Information Commissioner's Office (ICO), alongside huge fines.
The most effective way to explain how to become a GDPR compliant Private Investigator is to break the process down into phases.
Phase One – Our process began with an internal data audit (IDA). The IDA focused on what data we had, where it came from, where it was stored and what we intended to do with it. All our data, personal and sensitive, was stored on a standalone RAID system which is backed up, with copies held securely off-site. The IDA forced us to review each item and ask ourselves: do we need to keep this data? If the answer was no, our clients were contacted and asked if they required a copy. If not, it was securely deleted and destruction certificates were issued. This process allowed us to free up several terabytes of storage space. Importantly, it gave us a blank canvas ready for our data retention policy to be rewritten. Once our passwords were updated in accordance with our data processing policy, we were ready to move on to phase two.
Phase Two – This began with a data protection impact assessment (DPIA) to identify our current procedures and processes. The DPIA focused on personal data: how it was collected, used and stored. The process overlapped slightly with the IDA, which worked well to ensure nothing was missed. It helped us to identify organisational and legal risks and how we were to remain compliant, allowing solutions to be considered for any perceived risks that were identified.
Two main areas of concern (risk) were identified:
1. How clients were sharing data with us.
2. How our employees and contractors were handling and sharing information.
Phase Three – Once we were satisfied the IDA and DPIA were complete, it became clear that in order to become GDPR compliant we were required to rewrite the following documents:
Our data storage RAID systems were upgraded with a new security feature. All our contractors were asked to sign new agreements, and contracts were sent to our legal clients for agreement; in every case, all were very happy to sign.
In order to become a GDPR compliant private investigator, you must become a master of risk mitigation.
The main areas of concern identified during the DPIA were the process of sharing information securely with our clients, employees and contractors, and how that information was then being handled or processed.
Lateo Surveillance has been instrumental in the design of a security and investigation management system, 'Vireo', developed by Digital Assassins based in Hartlepool. The system has been in the making for nearly three years, and the last 18 months have seen the GDPR at the forefront of development to ensure the system is fully compliant. Liaison with the ICO and with leading experts in the security and investigation industry has allowed the system to go above and beyond, ensuring anyone using it correctly will be compliant.
Some important, GDPR relevant features of Vireo:
Using Vireo has mitigated the risks identified during the DPIA. We understand nothing is 100% safe; however, in the event of a data breach and GDPR audit we will be able to demonstrate that we have made every effort to comply with the regulation.
As expected, in an unregulated industry there are some unprofessional investigators who appear to be blatantly ignoring the GDPR. Ignoring the regulation puts unsuspecting clients at risk of prosecution. Many appear to spend more time looking for loopholes than accepting and embracing the regulation. Thankfully, the new, explicit legal liability that the GDPR places on the Data Processor means the investigator can receive the same level of fines as the Data Controller should a serious data breach occur. Once you become a GDPR compliant private investigator, you will have demonstrated your understanding of the regulation and your commitment to your business.
Lateo Surveillance Ltd will always assume, via contract, the shared responsibilities of a Data Controller, giving our clients the confidence, assurance and accountability they need and deserve in order to remain GDPR compliant.
Our clients can trust Lateo Surveillance to ensure all investigations are compliant: we provide advice and guidance, and we ensure the correct paperwork and contracts are in place before instructions are carried out.