GDPR and data protection responsibilities
Introduction
In today’s security environment, protecting people’s data is just as important as protecting property. Whether you’re writing an incident report, handling CCTV footage, or checking ID, you’re dealing with personal data—and the law requires you to handle it correctly.
This lesson will help you understand UK GDPR rules, your responsibilities, and the consequences of getting it wrong. By the end, you’ll know how to stay compliant and act professionally.
What is GDPR?
General Data Protection Regulation (UK GDPR)
The UK GDPR is a legal framework that governs how you collect, use, store, and share personal data. It applies to everyone working in security, including frontline officers, supervisors, and control room staff.
Personal data = any information that can identify someone
Examples: Name, address, CCTV image, licence plate, staff roster, phone number
Key GDPR Principles You Must Follow
Principle | What It Means for You |
---|---|
Lawfulness, fairness, and transparency | Be honest about why and how data is being collected (e.g. signs for CCTV use) |
Purpose limitation | Only use the data for the reason you collected it (e.g. for incident investigation) |
Data minimisation | Collect only what’s necessary (e.g. don’t ask for extra personal info) |
Accuracy | Record correct and up-to-date information (especially in incident reports) |
Storage limitation | Don’t keep personal data longer than needed (e.g. CCTV footage beyond retention period) |
Security | Keep data safe – physically and digitally (e.g. secure folders, locked drawers) |
Accountability | You must be able to show how you’re complying with these rules (e.g. through logs, policies) |
Common Security Officer Activities That Involve Personal Data
Task | What to Watch Out For |
---|---|
Writing incident reports | Include only facts; avoid speculation or unnecessary personal detail |
Reviewing or operating CCTV | Ensure signs are visible; never use CCTV to monitor staff casually |
Logging visitor or delivery info | Use secured systems or locked paper logs; never leave these unattended |
Body Worn Camera (BWC) footage | Store, transfer, and delete recordings in line with policy and retention periods |
Handling ID or staff information | Don’t photograph or store documents unless authorised under company policy |
Real-World Example
Scenario
You witness a shoplifting incident in a department store. You use your Body Worn Camera (BWC) to record the event. After the arrest, you write a report and include footage.
What you must do:
Label the footage clearly and save it according to your company’s retention policy
Do not share footage via phone or messaging apps
Only provide it to authorised persons (e.g. police, manager with clearance)
Keep your report factual and avoid naming the individual unless needed
This protects both the suspect’s rights and your legal position.
Standards You Must Follow
Standard/Law | Requirement for Security Officers |
---|---|
UK GDPR (2016/679) | Applies to all personal data; breach can lead to fines and disciplinary action |
SIA Licensing – PSIA 2001 | As a licensed officer, you must act responsibly and lawfully, including when handling personal data |
BS 7499 (Static Guarding) | Requires accurate documentation, incident reporting, and data handling procedures |
NSI Codes of Practice | Promotes ethical handling of data in alarm and CCTV monitoring operations |
Data Protection Act 2018 | UK’s supporting law for GDPR compliance |
Statistics You Should Know
85% of UK retailers use CCTV, yet many breaches are due to poor footage handling
In 2023, the ICO (Information Commissioner’s Office) issued fines exceeding £6 million to UK organisations for data breaches
The average GDPR penalty for a security-related breach is £4,000–£20,000, depending on the severity
Tips to Stay Compliant
Lock up paper logs or shred them when no longer needed
Use company devices only when handling reports or evidence
Double-check incident reports for spelling, accuracy, and fairness
Only access CCTV or BWC footage if it’s required for your role
Never post or share work footage on WhatsApp, social media, or personal email
Consequences of Getting It Wrong
Action | Possible Consequence |
---|---|
Leaving a visitor log visible | Breach of confidentiality; data complaint or ICO investigation |
Emailing CCTV footage to a friend | Gross misconduct; SIA licence suspension; criminal data offence |
Poor recordkeeping in reports | Case may collapse in court; disciplinary action; loss of trust from client/employer |
Sharing footage without permission | Legal action against company and officer; fines; contract termination |