How to become a GDPR compliant Private Investigator

How to become a GDPR compliant Private Investigator within an unregulated industry has brought with it many challenges.

GDPR Compliant private investigator

At Lateo Surveillance Ltd we firmly believe the implementation of the General Data Protection Regulation (GDPR) has been a good thing and welcomed by many professional private investigators within the industry.

The GDPR is incredibly important for all private investigators to understand and implement, given the information we process is generally classified by the regulation as sensitive data.

From the outset, we would like to thank The Association of British Investigators (ABI) of which the principal investigator of Lateo Surveillance Ltd is a full member.  The ABI was quick off the blocks! encouraging its members to attend seminars across the country many months prior to the implementation of the regulation on the 25th May 2018.  Their focus is for its members to become not only GDPR compliant private investigator‘s but industry leaders.  They continue to provide its members with templates and assistance when required.

Unfortunately, although there has been an incredible amount of work carried out by those diligent enough to recognise its importance, there are still many who have completely ignored the regulation.  Those found to be non-compliant whilst processing personal data risk sanctions being imposed by the information commissioners office alongside huge fines.

The most effective way to explain how to become a GDPR compliant Private Investigator is to break the process down into phases.


GDPR Compliant private investigatorPhase One – Our process began with an internal data audit (IDA).  The IDA focused on what data we had, where it came from, where it was stored and what we intended to do with it.  All our data, personal and sensitive was stored on a standalone RAID system which is backed up and copies held securely off-site.  The IDA forced us to review and ask ourselves, do we need to keep this data? if the answer was no, our clients were contacted and asked if they required a copy.  If not it was securely deleted and destruction certificates were issued.  This process allowed us to free up several terabytes of storage space.  Importantly, it gave us a blank canvas ready for our data retention policy to be rewritten. Once our passwords were updated in accordance with our data processing policy we were ready to move onto phase two.

Phase Two – Began with a data protection impact assessment (DPIA) to identify our current procedures and processes.  The DPIA focused on personal data, how it was collected used and stored.  The process was a slight overlap with the IDA and worked well to ensure nothing was missed.  It helped us to identify any organisational or legal risks and how we were to remain compliant; allowing solutions to be considered for any perceived risks that were identified.

The two main areas of concern (risk) were identified:

1. How clients were sharing data with us.

2. How our employees and contractors were handling and sharing information.


Phase Three – Once we were satisfied the IDA and DPIA were complete, it became clear in order to become GDPR Compliant we were required to rewrite the following documents:

  1. Website Privacy Notice
  2. Data Protection Policy
  3. Data Retention Policy
  4. Data Processing Policy
  5. Data Sharing Policy
  6. Data Sharing Contract (Client)
  7. Data Sharing Contract (Contractor)
  8. Privacy Impact Assessments
  9. Destruction Certificates

Our data storage raids were upgraded with a new security feature.  All our contractors were requested to re-sign new agreements and contracts were sent to our legal clients to be agreed, in every case, all were very happy to sign.

Mitigating RiskGDPR Compliant private investigator

In order to become a GDPR compliant private investigator, you must become a master of risk mitigation.

The main areas of concern identified during the DPIA were the process of sharing information securely with our clients, employees and contractors and how that information was being handled or processed.


GDPR Compliant private investigatorLateo Surveillance has been instrumental in the design of a security and investigation management system ‘Vireo’ developed by Digital Assassins based in Hartlepool.  The system has been in the making for nearly three years, the last 18 months has seen the GDPR at the forefront of development to ensure the system is fully compliant.   Liaison with the ICO, security and investigation industry leading experts have allowed the system to go above and beyond ensuring anyone using it correctly will be compliant. 

Some important, GDPR relevant features of Vireo:

  1. Inbuilt Secure Email System – Easy to use and allows us to securely share data with our clients and employees without the need for them to download new software, mitigating the risks identified during the DPIA.
  2. Copy Protection  –  This prevents employees or contractors from copying/stealing anything you decide is sensitive information or data it could be personal details or even company agreements, mitigating the risks identified during the DPIA.
  3. Audit Log – The GDPR requires Data Controllers and Processors to keep a detailed auditable log of all processing activities.  The system (at the push of a button) generates the report needed.
  4. Two-Factor Authentication – Can be switched on to ensure secure login.
  5. Agreement Generator – The GDPR encourages contracts and agreements to be signed.  The system generator allows agreements to be produced very quickly and easily signed.
  6. Destruction Certificates – Upon completion of an investigation, the system can run a destruction process, generating destruction agreements to be signed by your contractors and destruction certificates issued to your clients.
  7. Secure Upload – Securely upload sensitive reports.

Other Features:

  1. Quick links – To allow due diligence to be carried out on new clients and contractors.
  2. Financial – Quotation and invoice generator, online payment facility.
  3. Secure Brief Sheet – Allow operatives access to a secure brief sheet where they can read sensitive data. This area does not allow any form of a download of copying.
  4. CRM – Client management system.

Using Vireo has mitigated the risks identified during the DPIA.  We understand nothing is 100% safe, however, if in the case of a data breach and GDPR audit we will be able to demonstrate we have made every effort to comply with the regulation.

As expected, in an unregulated industry there are some unprofessional investigators who appear to be blatantly ignoring the GDPR.  Ignoring the regulation puts unsuspecting clients at risk of prosecution.  Many appear to spend more time looking for loopholes than accepting and embracing the regulation.  Thankfully, the new or clear legal liability placed on the Data Processor will see the investigator receiving the same level of fines as the Data Controller should a serious data breach occur.  Once you become a GDPR compliant private investigator you will have demonstrated your understanding of the regulation and commitment to your business. 

Our GDPR Promise

Lateo Surveillance Ltd will always assume ’via contract’ the shared responsibilities of a Data Controller, giving our clients the confidence, assurance and accountability, they need and deserve in order to remain GDPR Compliant.

Our clients can trust Lateo Surveillance to ensure all investigations are compliant, we provide advice, guidance and ensure the correct paperwork and contracts are in place prior to instructions being carried out.

See our previous post – GDPR compliant Private Investigator



GDPR Compliant private investigator
This post- How to become a GDPR Compliant Private Investigator was written by Lateo Surveillance Ltd


Want to speak to a real person? Please call or text or you can leave a message and we can call you straight back : +44 (0) 797 4659 016 

Have a question? please visit our Frequently Asked Questions page.

Please contact us via the website contact us page, you can email direct at

For further information on Lateo Surveillance Ltd see our About us page.

Visit our homepage or get more info via Private Investigator Durham or Private Investigator Harrogate.

Need a covert camera fitted?  See our covert cameras page.