Why GDPR Matters for Security Companies
Security companies handle significant amounts of personal data — from guard employment records and SIA licence details to incident reports containing witness information, CCTV footage, and client contact details. Under the UK GDPR and Data Protection Act 2018, you have legal obligations around how this data is collected, stored, processed, and shared.
Non-compliance isn’t just a theoretical risk. The ICO (Information Commissioner’s Office) can issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. More practically, data breaches damage client trust and can cost you contracts.
Key Data You’re Processing
Security companies typically process these categories of personal data:
- Employee data — names, addresses, bank details, SIA licence numbers, right-to-work documents
- Client data — contact details, site information, contract terms
- Incident data — descriptions of events involving identifiable individuals, witness statements
- CCTV and body-cam footage — visual recordings of identifiable people
- GPS and location data — guard location tracking during shifts
- Visitor logs — names and times of site visitors
Your Core GDPR Obligations
Lawful Basis for Processing
You need a lawful basis for each type of data you process. For security companies, the most common bases are:
- Contract performance — processing employee and client data to fulfil your contractual obligations
- Legal obligation — maintaining SIA licence records, right-to-work checks, health and safety records
- Legitimate interests — GPS tracking for operational management, CCTV for security purposes. Document a legitimate interests assessment for each of these, and carry out a DPIA where the monitoring is systematic (continuous location tracking, body-worn cameras)
Consent is rarely the appropriate basis for employment-related data processing, as the power imbalance between employer and employee means consent isn’t freely given.
Data Minimisation
Only collect what you need. If your incident report form asks for a witness’s date of birth when you only need their name and contact details, you’re collecting unnecessary data.
Storage Limitation
Don’t keep data longer than necessary. Define a retention period for each data type and delete or anonymise records when it ends. Typical starting points:
- CCTV footage — typically 30 days; footage tied to an incident is held under the incident retention period instead
- Incident reports — duration of the contract plus a reasonable period for legal claims
- Former employee records — HMRC requires some records for 6 years
- Visitor logs — 30-90 days depending on site requirements
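A schedule like the one above only works if something enforces it, and the hard part is the exception: footage or logs that are evidence for an incident must not be purged on their own clock. The following is an added example, not code from this page or from TacDesk, of a retention check that decides which records are past their period and holds anything linked to an incident whose contract is still live or still inside the claims period. The record layout, category names, the six-year claims period and the sample data are all assumptions.

```python
"""Retention schedule enforcement with incident-linked holds.

Added example, not part of the original page. Record shapes, category
names and the claims period are assumptions; adjust to your own schedule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Retention clocks that run from the record's creation date (days).
FROM_CREATION_DAYS = {
    "cctv": 30,
    "visitor_log": 90,   # assumption: the longest site requirement (30-90 days) is used
}
# Clocks that run from a later event (contract end, employment end) rather than creation.
CLAIMS_PERIOD_DAYS = 6 * 365    # assumption: six-year limitation period for contract claims
EMPLOYEE_RECORD_DAYS = 6 * 365  # the six-year figure cited above, counted from employment end


@dataclass(frozen=True)
class Incident:
    incident_id: str
    contract_end: Optional[date]   # None while the client contract is still running


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str                          # cctv, visitor_log, incident_report, employee_record
    created: date
    incident_ids: Tuple[str, ...] = ()     # incidents this record is evidence for
    end_event: Optional[date] = None       # contract end or employment end, once known


def incident_expiry(incident: Incident) -> Optional[date]:
    """Incident material is kept for the contract duration plus the claims period."""
    if incident.contract_end is None:
        return None   # contract still live: no expiry yet
    return incident.contract_end + timedelta(days=CLAIMS_PERIOD_DAYS)


def retention_expiry(record: Record, incidents: Dict[str, Incident]) -> Optional[date]:
    """Date from which `record` may be purged, or None if it must be held."""
    # Fail closed: a reference to an incident we cannot find is a reason to
    # keep the record, not to delete possible evidence.
    if any(i not in incidents for i in record.incident_ids):
        return None
    holds = [incident_expiry(incidents[i]) for i in record.incident_ids]
    if any(h is None for h in holds):
        return None
    hold_until = max(holds) if holds else None

    if record.category in FROM_CREATION_DAYS:
        own = record.created + timedelta(days=FROM_CREATION_DAYS[record.category])
    elif record.category == "incident_report":
        if record.end_event is None:
            return None   # contract still running
        own = record.end_event + timedelta(days=CLAIMS_PERIOD_DAYS)
    elif record.category == "employee_record":
        if record.end_event is None:
            return None   # still employed
        own = record.end_event + timedelta(days=EMPLOYEE_RECORD_DAYS)
    else:
        raise ValueError(f"no retention rule for category {record.category!r}")

    # An incident hold always extends, never shortens, the record's own period.
    return max(own, hold_until) if hold_until else own


def purge_due(records: Iterable[Record], incidents: Dict[str, Incident], today: date) -> List[str]:
    """Sorted ids of records whose retention expired on or before `today`."""
    due = []
    for rec in records:
        expiry = retention_expiry(rec, incidents)
        if expiry is not None and expiry <= today:
            due.append(rec.record_id)
    return sorted(due)


# Constructed sample data for a dry run (not real records).
INCIDENTS = {
    "INC-7": Incident("INC-7", contract_end=date(2024, 3, 31)),
    "INC-9": Incident("INC-9", contract_end=None),
}
RECORDS = [
    Record("cam-a-0102", "cctv", date(2024, 1, 2)),                               # routine footage
    Record("cam-b-0102", "cctv", date(2024, 1, 2), incident_ids=("INC-7",)),     # evidence, closed contract
    Record("cam-c-0105", "cctv", date(2024, 1, 5), incident_ids=("INC-9",)),     # evidence, live contract
    Record("vis-0110", "visitor_log", date(2024, 1, 10)),
    Record("emp-0042", "employee_record", date(2017, 5, 1), end_event=date(2018, 2, 28)),
]

if __name__ == "__main__":
    for rid in purge_due(RECORDS, INCIDENTS, date(2024, 3, 1)):
        print("purge", rid)
```

Run as a dry run first and review the list before wiring it to real deletion; the check deliberately returns "hold" whenever it lacks the information to be sure (unknown incident reference, contract or employment still open), so a missing link in your data produces retention rather than an unrecoverable purge.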
Security Measures
You must implement “appropriate technical and organisational measures” to protect personal data. For security companies, this means:
- Encryption at rest for digital records, with keys held separately from the data they protect
- Role-based access controls — guards shouldn’t see other guards’ personal data, and site staff should see only their own site’s incidents
- Secure transmission (TLS) of incident reports and footage, including from body-cams and mobile devices
- Regular access reviews, with leavers’ accounts removed promptly
- Staff training on data protection
Subject Access Requests
Individuals have the right to request copies of their personal data. You must respond within one calendar month of receipt; for complex or numerous requests this can be extended by up to two further months, provided you tell the requester within the first month. This includes guards requesting their GPS tracking data, incident subjects requesting reports about them, and former employees requesting their personnel files. Verify the requester’s identity before releasing anything, and redact other people’s personal data from what you send.
Practical Steps for Compliance
- Audit your data — map what personal data you hold, where it’s stored, and who has access
- Write a privacy policy — separate policies for employees, clients, and the public
- Implement access controls — use role-based permissions in your management software
- Train your staff — guards need to understand basic data protection principles
- Plan for breaches — have a procedure for detecting, containing and reporting breaches; a breach likely to risk individuals’ rights and freedoms must be reported to the ICO within 72 hours of becoming aware of it, and affected individuals told without undue delay where that risk is high
How Technology Helps
Modern guard management platforms can support GDPR compliance by design. Role-based access controls ensure guards only see data relevant to their role. Encrypted storage protects data at rest. Audit trails show who accessed what and when.
TacDesk is built with data protection in mind, featuring role-based access, encrypted storage, and controlled data sharing for third-party requests. Explore the demo to see how it handles sensitive data.