As a practicing investigator in the private sector your core activity will involve the processing of personal data.
Regardless of how much you feel this piece of bureaucracy helps those with ill intent more than it protects the public, or however much you attempt to disguise the activity, it is an absolute certainty that your methodologies and business practice are caught by the privacy laws now embedded world-wide in the General Data Protection Regulation (GDPR).
Yes, it is global and not just in the EU.
And yes, the regulation, enacted in British law in the Data Protection Act 2018, bears not on your job description but on what you do and how you do your work.
You could easily be overwhelmed when reading the ABI material and ‘Compliance Documents’ prior to or, as some have done, in lieu of attending the one-day training workshop. Without the explanation and practical application demonstrated at the workshops, they are difficult to comprehend fully or even relate to your daily business activity.
It would be easy to fall into the trap of thinking that such detailed attention to compliance for every single person that pings up on your screen during your research is unnecessary, but if it is a piece of personal data appertaining to a living soul, then the owner of that detail has the protection of the GDPR and you must process the information in accordance with this law.
So imagine - every time you carry out a database search, having satisfied yourself of the legitimate interest to search the name and/or address, the result inevitably throws up other names, family members and previous occupants for example. So far that is fine, BUT if you save that search result or, worse, record the unrelated names or any of the names electronically, BINGO, you have processed the personal data of a person who is entitled to have you handle that data within the terms of GDPR. That means recording what you have done and why, where the data came from, where you sent it and when you will destroy it, etc etc etc. It is a massive task even for the simplest or low-paid projects.
And if you try to be clever by not saving the search result but printing it, then remember, your printer too has a built-in hard drive and so technically you have still processed the data, with which comes the same burden of responsibility.
And let’s not forget the hoard of data stored in your hard drives and memory sticks for the simple purpose of satisfying your ego about the power you have over the populace at your fingertips. If you keep it, then you’re processing all those people’s personal data continually and so you must justify it, protect it, log it and record the destruction date, etc etc etc.
“Don’t be ridiculous” I hear the cry from the seasoned 20-a-day searching agents.
“Those people will never know the search has been made, let alone saved. There is no trail that could possibly lead one of those remote individuals to point a Subject Access Request (SAR) in my direction”.
But hold on, how many times do our Reports end up being shared? In litigation the other side will have a right to it during Disclosure, or, as those of us old enough to know what the original “20-a-day” term meant would call the exchange of relevant documents, Discovery.
In domestic cases there is nothing more likely than a scorned spouse waving the Report in the face of the errant party.
How about a vindictive former client who, disgruntled with you for some reason, tips off a person vaguely mentioned in your Report? No matter how innocent the references are, any one of them could present you with a SAR.
And chances are you will respond to such a SAR with a negative, because you or your Case Management System will not recognize the name.
Following that heart-stopping knock on your door and the dreaded sound “Step back from your computer”, the Information Commissioner’s Office (ICO) investigating officer following up on a SAR complaint will quickly find the offending processing on your hard drive.
OK, no big deal, you may well think, but it is an offence nonetheless, with exposure to a fine and perhaps a career-ending conviction.
Wait, is there more?
Well, the data subject, who will undoubtedly have ‘freaked out’ and hyper-ventilated on learning their name features in a PI’s Report, will, like any green-eyed victim, quickly find a law firm hungry for instructions to sue for the ‘distress’ caused by the breach of the Data Protection Act.
For the Doubting Thomases among you, enter into a search engine the words "If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation", and then doubt no more.
It will be slow to start, but this market for compensation claims will gather pace, and if you are not working within a fully compliant environment now, you are exposing your business and hard-built empire to the worst the civil rights movement can inflict.
There is no time to sit back to see what unfolds because these claims are happening now and will be hitting the PI sector in the not too distant future.
We have always been the low hanging fruit, ripe for picking, when it comes to setting an example on privacy matters.
Do what you have to do to be and remain compliant and start doing it now.
The ABI holds regular GDPR-dedicated Workshops; check the ABI Academy pages for the next available slot and book early.
You are never too old or too clever to learn. Don’t learn the hard way.
Source: Tony Imossi, ABI Secretariat