Compliance
GDPR-aware intelligence workflows
Bernarda Škrabar Damnjanović8 min read
There is a persistent myth in the investigations market that “it's public, so GDPR doesn't apply.” It is wrong on the first page of the regulation: personal data is personal data regardless of where it was found, and everything an intelligence team does with it — collecting, storing, enriching, linking, reporting — is processing. The good news is that the GDPR does not prohibit intelligence work. It prescribes how professional intelligence work should have been run anyway: purposeful, proportionate, documented.
Start from lawful basis, in writing
Every engagement needs an Article 6 basis chosen and recorded before collection begins. In practice three bases carry most of the weight:
- Legitimate interests (Art. 6(1)(f)) — the workhorse for corporate intelligence, due diligence, fraud and insider-risk investigations, and protective intelligence. It requires a legitimate interests assessment: name the interest, show the processing is necessary for it, and balance it against the data subject's rights and reasonable expectations. Written, dated, kept with the case file.
- Legal obligation (Art. 6(1)(c)) — where screening or investigation is mandated: AML/KYC, sanctions compliance, sector regulation.
- Official authority (Art. 6(1)(e), or national law-enforcement frameworks implementing the LED) — for public bodies; the private specialists who support them work within the authority and instructions of that client.
Special-category data (Art. 9 — political opinions, health, religion, sexual orientation) deserves explicit care in OSINT, because social sources leak it constantly. The discipline is to collect it only when the requirement genuinely demands it, under a valid Article 9 condition, and to filter it out otherwise.
Minimisation as an operational practice
Data minimisation is usually presented as a principle; in intelligence work it is a workflow setting. Concretely:
- Collect against requirements. A defined intelligence requirement — not “everything about the subject” — bounds every collection task. If a source does not bear on the requirement, it is not captured.
- Filter at ingestion. Third parties who wander into captures (family members, bystanders in imagery, unrelated commenters) are excluded or redacted at the point of collection where possible, not discovered in disclosure.
- Resist the archive-everything reflex. Bulk hoarding “in case it's useful later” is both a compliance failure and an analytical one — it buries signal.
- Pseudonymise working products. Analysis environments and interim reports use case identifiers where full identity adds nothing.
Retention, rights, and the exit plan
A GDPR-aware workflow decides at engagement start how long each class of material lives: collection archives, working notes, and the final assessment usually carry different clocks, tied to limitation periods, contractual terms, or regulatory minima. Deletion is executed on schedule and the deletion event itself is recorded — the file should be able to show both what was kept and what was destroyed, and why. Data-subject rights requests are handled through counsel where exemptions apply (crime prevention, legal claims, others' rights), but the default posture is that an access request is survivable — because nothing in the file is there without a reason.
Documentation is the product
The pattern across all of this: the same artefacts that satisfy a supervisory authority — documented purpose and basis, bounded scope, recorded sources and methods, controlled access, scheduled retention — are the artefacts that make an intelligence product credible to a board, admissible alongside evidence, and defensible under cross-examination. Compliance and quality are the same discipline wearing different badges. That conviction is embedded in how we run corporate intelligence, in our OSINT services, and in the compliance approach that governs every Next Sight engagement — EU-headquartered, GDPR-native, and built to be examined.
Frequently asked questions
Does GDPR apply to OSINT on publicly available data?
Yes. Publicly available personal data is still personal data under the GDPR. Collecting, storing, and analysing it is processing and needs a lawful basis — most often legitimate interests, supported by a documented balancing assessment, or legal obligation/official authority for public bodies.
What lawful basis covers corporate intelligence and due diligence?
Private-sector investigations typically rely on Article 6(1)(f) legitimate interests: fraud prevention, counterparty risk, asset protection. That choice must be documented with a legitimate interests assessment (LIA) weighing the interest against the data subject's rights, and the processing must stay proportionate to it.
How long can intelligence findings be retained?
Only as long as the documented purpose requires. GDPR-aware practice sets retention periods per engagement category at the outset — tied to legal limitation periods or contractual needs — and deletes or anonymises collected material on schedule, keeping a record of the deletion itself.
Reading: GDPR-aware intelligence workflows
Put this into practice
Next Sight delivers these workflows as services, platforms, and training — lawful, documented, and built for teams who carry consequences.