GDPR Compliance and Private Investigation
How has the new Data Protection Regulation (GDPR) affected the way Investigation Agencies conduct their business?
So just what is GDPR?
GDPR is the acronym for the General Data Protection Regulation, which came into force on 25th May 2018.
How has it changed the way you conduct your business?
As an ethical and professional investigation agency, we can honestly say that it has changed Titan’s working practices very little. In essence, GDPR primarily regulates how an individual’s personal data (PD) is stored electronically, destroyed and shared. It has also affected the following stages of any new investigation.
GDPR – The Initial Instruction
When a client contacts Titan with an instruction, we first need to confirm the objectives. First and foremost, are they lawful? If so, are the methods and tactics we have chosen to investigate them necessary and proportionate? We need to consider collateral intrusion, which is the personal information gained from others not connected to the investigation. Could other, less intrusive methods be employed? Titan’s call takers have always employed these thought processes; however, they are now required to be recorded and documented formally in an initial impact assessment.
This process recently led to a potential client wanting “less talk and more action,” leading to a one-star Google review.
Please bear with us during this process. We understand that in some instances the instruction is time critical; however, we will try to conduct this process as expeditiously as possible. We need to ensure that we’re acting on behalf of a genuine client and that the instruction is legitimate, ethical and GDPR compliant to protect us all.
GDPR – The Investigation
The operational information transferred to our operatives will undoubtedly contain personal data, which we need to ensure doesn’t fall into the wrong hands. As a result, Titan utilises encrypted emails; the attached document is additionally password protected, and the password is sent via a different encrypted means. The investigation details and objectives are recorded on a case management system which is stored on a secure server, and this document is also password protected. The personal data we gain throughout the duration of the investigation is logged, and we then justify how long we store it for, the reasoning and/or the destruction date. Our operatives also sign a declaration stating that, once the investigation is complete and their data has been sent to and received by the Titan case manager, it has been destroyed. Once the client has received the report, we record this fact and destroy all traces unless there is justification to store it. Once again, this will have a review date and be continually reassessed to justify the reasoning. In 99% of cases there is no justification to retain this information and it is destroyed.
GDPR – Subject Access Request
If a person is aware that they have been the subject of an investigation, then they may wish to know what information we have regarding them. This may be because our surveillance has been disclosed in an employment tribunal, insurance claim or court trial. We very rarely store any personal data on any subjects after the successful conclusion of an investigation; however, if we do, then we will share this with you.
GDPR – Data Transfer
As we alluded to earlier, all of our data is sent via encrypted emails and doubly secured by having the attached document password protected, with the password sent via an alternative encrypted method.
Do all Investigation Agencies work in this way?
In our experience, we would suggest that no, many don’t, and as a result they are not GDPR compliant.
How would we, a client, know if they are GDPR compliant or not?
Firstly, the company or the sole trader, if they are not a limited company, should be registered with the Information Commissioner’s Office (ICO). This is where an individual or company registers that they handle personal information and that they have trained data controllers in place. You can check by clicking on the below link:
ICO Data Protection Public Register – ico.org.uk/esdwebpages/Search
If they don’t appear on this register, then you can report them, which will result in them being fined, and we’d advise steering clear. It’s mind-blowing how many investigation agencies that handle your data aren’t doing so legally.
The company should have a Data Protection Policy and also a Terms of Business. These should be easily visible on the website or email signature. Titan’s can be viewed clearly on our website or by clicking on the below links:
Terms of Business – www.titaninvestigations.co.uk/terms-of-business
Privacy & Data Protection Policy – www.titaninvestigations.co.uk/privacy-data-protection-policy
There are many other areas affected; however, in essence, the above is what affects you, the client, and any professional company should be adhering to this new legislation.
GDPR – How do I contact Titan?
Titan Private Investigations Ltd can be accessed at one of our five branch offices or remotely throughout the UK at the client’s request. A member of Titan’s dedicated private investigation team is awaiting your call, which will be treated discreetly and with total confidentiality.
Private Investigation Derby (Head Office) – Call Titan 01332 650029
Private Investigation Nottingham Office – Call Titan 0115 824 2244
Private Investigation Leicester Office – Call Titan 0116 326 0777
Private Investigation Sheffield Office – Call Titan 0114 3032426
Private Investigation London Office – Call Titan 020 31371150
You can also email us at enquiries@titaninvestigations.co.uk, or contact us directly using our confidential online contact form or online chat.