As the GDPR clock counts down, is your police force compliant?

Policing is all about people, and where there are people there is data.

Your police force holds masses of personal, sensitive and high-risk information related to citizens, crimes and your own operations. To prevent crimes, provide evidence and protect the public, you need to be able to easily access and record this information.

Fortunately, most of your current data will already be captured in compliant role-specific record management systems, but a significant amount - particularly legacy data – will be spread across paper files, word documents, spreadsheets and various multimedia formats such as audio, images and videos. Whether it’s victim or witness statements, simple forms or even firearms certificates, you still have a responsibility to store, process, log and retain this data in accordance with the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR). Failure to comply may lead to enforcement action by the Information Commissioner.

A tale of two types of data

UK GDPR came into effect in May 2018, setting the bar for the control of policing data at broadly the same level as for non-policing purposes, but some exemptions were included in relation to the logging and audit of data access and disclosure. By May 2026, however, all forces will be required to manage data using systems that can account for the data held, as well as track who has accessed it and when.

Although, you’re likely to have comprehensive systems in place for managing your core data, when it comes to legacy or miscellaneous data that doesn’t fall neatly into the core systems covering operational records management, command and control, HR, finance or payroll, you can quickly run into problems. When this type of data is held in legacy systems, shared drives or piled away in boxes, rather than stored on a modern information management system, it can be extremely difficult to get a handle on what you have and what you need to do with it.

The increasing provision and penalties associated with data protection legislation means it’s crucial your force puts in place robust plans to properly manage remaining non-compliant data. The good news is that, due to demand from elsewhere in the public sector, information management services are now available which are both proven and cost effective. By helping you to consolidate your data and make it more accessible, you will be able to save time and improve productivity.

Shining a light on your hidden data

To be able to work with your data compliantly, you first need to understand the volume, type, quality and location of the data you have. Working with a data management partner will help you to identify the scope of the challenge that lies ahead and ensure that you look at all your data holistically across your force, rather than in siloed data sets. This will ensure that all data is accounted for and give your staff and officers more time to focus on solving crimes and supporting victims.

By digitising your paper records and bringing all your miscellaneous and legacy data into one centralised fully compliant repository, you’ll be able to see clearly what action you need to take; whether that’s to keep it and update the audit trail, or destroy it.

Once your data is digitised and within a data management system, you’ll be able to search large volumes of otherwise inaccessible information faster and more efficiently. Fortunately, the rapid advancement of technologies, such as AI and robotic process automation, is also making it easier to locate information, streamlining processes to reduce costs and build in intelligent search engines to improve decision-making and operational performance.

Successful public sector data management in action

As a data management expert with a strong history of supporting the public sector, we’ve helped many organisations to become data-compliant, while also reducing costs and improving efficiency. We conducted a full inventory of paper medical records that Primary Care Support England (PCSE) held in storage and migrated them to a dedicated, centralised record storage facility where every record is logged with a barcode. We migrated approximately 12 million records in the first 18 months, and now PCSE can process and validate the records it receives from NHS England against secure NHS data. Our approach has ensured that PCSE is compliant with a clear audit trail and identifier for every record.

We can help you ensure compliance with the Data Protection Act and all GDPR requirements, which will fully apply to Law Enforcement bodies in 2026. This eliminates the risk of Information Commissioner's Office (ICO) investigations, fines, and reputational damage – enabling you to focus on preventing crime and protecting the public.

Find out more about our information management services: