What is business crime intelligence?

Business crime intelligence is the collection, analysis, and sharing of data about criminal activity targeting commercial organisations — including retail theft, fraud, organised crime groups (OCGs), and internal theft. Unlike generic security, it combines live offender databases, technology such as facial matching and ANPR networks, and expert analyst interpretation to deliver actionable intelligence that enables businesses to detect, prevent, and prosecute offenders across the UK.

How does facial matching technology work for retail crime investigation?

Fortify Intelligence's Facial Matching Engine allows businesses to submit CCTV images of suspects for retrospective matching against a database of thousands of the UK's most prolific and persistent business crime offenders. Using AI-powered analysis, the system identifies potential matches, providing investigators with name leads, offending histories, and intelligence context — dramatically accelerating identification timelines.

What is civil recovery and how can it benefit my business?

Civil recovery is a legal process that allows businesses to reclaim losses from shoplifters and fraudsters through civil litigation, independent of the criminal justice system. Fortify Intelligence enhances civil recovery rates by cleansing offender data before submission to a recovery agency — conducting thorough background checks to verify identities, confirm addresses, and enrich records. This significantly increases the proportion of successful recoveries and maximises financial returns.

How does the ANPR network help prevent business crime?

Automatic Number Plate Recognition (ANPR) surveillance tracks vehicle movements across 5,000+ sites nationwide — including petrol forecourts, shopping centres, retail parks, hotels, and motorway laybys. When a vehicle linked to known offenders enters the network, businesses receive real-time alerts enabling proactive prevention.

What are organised crime groups (OCGs) and how does Fortify Intelligence tackle them?

Organised crime groups (OCGs) are structured criminal networks responsible for a disproportionate share of retail and freight crime in the UK. Fortify Intelligence provides deep-dive OCG analysis: mapping group structures, identifying members, tracing stolen goods disposal routes, and briefing your team in-person or virtually.

Why work with ex-police professionals for business crime intelligence?

Ex-police and security professionals bring a fundamentally different capability to business crime intelligence. They understand how criminal investigations work, know what evidence is needed to secure prosecutions, have established police liaison relationships, and are trained in intelligence analysis techniques developed in law enforcement. Every Fortify Intelligence analyst and investigator is ex-police or security.

Do your business crime intelligence services cover the whole of the UK?

Yes. Fortify Intelligence operates a UK-wide service. Our ANPR network spans 5,000+ sites across England, Scotland, Wales, and Northern Ireland. Our offender database covers prolific offenders from across the UK, and our intelligence team operates nationally.

How quickly can your team respond to an active crime incident?

Clients on the Managed Service benefit from a dedicated analyst working exclusively for them — providing rapid intelligence support during and after incidents, including immediate ANPR checks, facial matching submission, and police liaison. For general enquiries and new client onboarding, our team aims to respond within one business day.

Personal Data Processing Documentation (Offenders)

1. Definitions

Data subjects for the purpose of this policy include all living individuals about whom we hold personal data. All data subjects have legal rights under UK GDPR and the Data Protection Act 2018.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in our possession). It can be factual (name, address, date of birth) or other information about a person's actions and behaviour which, taken together, could identify them.

Data Controller — Fortify Intelligence Ltd, which determines the purposes for which, and the manner in which, personal data is processed.

Data Processors — any person or organisation that processes personal data on our behalf and on our instructions, including technology suppliers and contractors.

Processing — any activity involving use of data, including obtaining, recording, holding, organising, amending, retrieving, using, disclosing, erasing or destroying it.

Special Category Data — information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying an individual), health data, or data concerning sex life or sexual orientation. Personal data relating to criminal convictions and offences is subject to additional requirements under Article 10 UK GDPR and DPA 2018 Schedule 1, Part 2.

DPIA — Data Protection Impact Assessment: a process to identify and minimise data protection risks for high-risk processing activities.

2. Contact Details

OrganisationFortify Intelligence Ltd

Emailinfo@fortifyintelligence.co.uk

ICO RegistrationZC158080

The Data Controller is responsible for ensuring compliance with current data protection law. Any queries regarding this documentation should be directed to the contact details above.

Fortify Intelligence Ltd complies with the Equality Act 2010 and its amendments. Any decision to process an individual's data will be based entirely on their criminal or anti-social behaviour, not on protected characteristics such as race, gender, sexual orientation, or religious belief.

3. The JAPAN Test

Before any data processing occurs, it is subjected to the JAPAN test:

Justification

Can we justify the need to collect, store, share or destroy this personal data?

Authorisation

What authority are we using? What is our legal basis under UK GDPR?

Proportionality

Is what we are doing proportional to the purpose? Could we achieve the same result with less data?

Audit

Do we have a record of what we have shared, with whom and why, providing an audit trail?

Necessary

Is what we are doing necessary, or can the end result be achieved another way?

4. Types of Data Subjects Processed

Fortify Intelligence processes the personal data of Offenders: individuals aged 14 years and over who have been reported to have been actively involved in incidents which present a threat or damage to the property or safety of our Clients or their staff or customers, or who disrupt the peaceful enjoyment that customers expect from goods and/or services offered by our Clients.

Purpose of Processing

Our Clients have a recognised legitimate interest in protecting their property, staff and customers from crime and anti-social behaviour. Fortify Intelligence processes offenders' personal data for the specific purposes of:

The investigation, detection and prevention of crime and disorder
Managing intelligence on behalf of Clients and drawing active offenders to Clients' attention
Informing Clients of an offender's modus operandi and identifying links to organised crime groups
Collating intelligence on criminal activity across our nationwide area of operation
Supporting civil recovery proceedings against offenders, through civil litigation
Contributing to legal proceedings against offenders where appropriate
Delivering prevention intelligence alerts to subscriber Clients
Operating our Facial Matching Engine for retrospective identification
Processing vehicle movement data through our ANPR network

5. Lawful Basis of Processing

Our Clients' recognised legitimate interests provide the lawful basis on which Fortify Intelligence may process specific items of offenders' personal data for specific purposes without the offenders' consent.

Fortify Intelligence has assessed the impact of its processing on offenders' rights and freedoms, has balanced these with our Clients' rights, and has concluded that our Clients' rights prevail in this specific matter. The GDPR conditions relevant to this documentation are:

Article 6 — Personal Data	Article 9 — Special Category	Article 10 — Criminal Data	DPA 2018 Schedule 1
Art. 6(1)(ea) — Recognised Legitimate Interests: processing is necessary for investigating, detecting or preventing crime or apprehending offenders (the "crime condition")	Art. 9(2)(f) — Legal claims: processing is necessary for the establishment, exercise or defence of legal claims	Processing is authorised by DPA 2018 providing appropriate safeguards for the rights and freedoms of data subjects	Part 1, s.10(1)(a) — Preventing or detecting unlawful acts Part 2, s.11(2)(a) — Protecting the public from dishonesty, malpractice and other seriously improper conduct
Art. 6(1)(f) — Legitimate Interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party	Art. 9(2)(g) — Public interest: processing is necessary for reasons of substantial public interest		Part 2, s.10(3) — Preventing fraud Part 2, s.14 — Legal claims

6. The Confidence Test

When an offender is reported by a Client or partner agency, the information received is subjected to a confidence test before processing. Only information meeting a minimum confidence threshold will be processed.

Intelligence Assessment	Reliable Source	Untested Source	Unreliable Source
Authenticity directly known	HIGH	MEDIUM	LOW
Indirectly known but corroborated	HIGH	HIGH	MEDIUM
Authenticity indirectly known	MEDIUM	LOW	LOW
Authenticity unknown / suspected false	NOT PROCESSED

Reliable sources include technical surveillance sources (CCTV, ANPR), police officers, and Clients who report regularly and have proven reliable. Untested sources are treated with caution and must be corroborated where possible. Unreliable information and information suspected to be false or malicious is never processed.

Once data passes the confidence test it is stored in our secure, access-controlled intelligence platform. Full incident details are stored in a restricted section accessible only to authorised Fortify Intelligence analysts. A limited data view (name, image, brief offence descriptor) is available to Clients on a need-to-know basis via our secure platform.

7. Categories of Personal Data Processed

Name, date of birth, and facial image — still photographs and/or video footage captured on CCTV without prior specific technical processing. Purpose: to enable Clients to identify offenders, submit incident reports, and protect the personal safety of staff, customers and Members.

Contact details — postal address, email address, telephone number(s). Purpose: to enable Fortify Intelligence to communicate with offenders where required (e.g. to confirm exclusions, send warning letters, or provide privacy notices under Article 13 UK GDPR). Contact data is not shared with Clients.

Incident information — details and evidence about alleged incidents in which an offender has been involved. Purpose: to assess the suitability of exclusion notices, support civil recovery proceedings, and collate intelligence. Detailed incident data is not shared with Clients; only a brief summary descriptor (e.g. "theft", "fraud", "violence") is made available. Full details may be shared for civil recovery and with law enforcement.

Vehicle registration marks — processed through our ANPR network. Purpose: to identify vehicles associated with offending, support investigations, and provide movement intelligence. Processed under Legitimate Interests.

Intelligence links — associations between offenders and organised crime groups, co-offenders, or patterns of behaviour. Purpose: to inform Clients of modus operandi and to identify linked offending series.

8. Special Category Data

To lawfully process special category data, UK GDPR requires identification of both a lawful basis under Article 6 and a separate condition under Article 9. The processing of special category data is permitted under UK derogations for the prevention of crime and disorder — DPA 2018, Schedule 1, Part 2, paragraph 10(a).

Such processing will be avoided if possible, but any processing undertaken will be proportionate to the aim pursued, will respect the right to data protection, and will include appropriate safeguards for the fundamental rights and interests of the data subject (Article 9(2)(g)).

Facial images processed through our Facial Matching Engine constitute biometric data under Article 4(14) UK GDPR (data resulting from specific technical processing relating to the physical characteristics of a natural person which allows unique identification). A DPIA has been completed for this processing and is reviewed annually.

Fortify Intelligence will not process AI-altered or reconstructed facial images for identification purposes. Such manipulation risks creating inaccurate biometric profiles and would breach GDPR data accuracy principles (Article 5(1)(d)).

9. Data Processed & Shared

Data Category	Processed?	Shared With	Justification
Name	Yes	Clients; Partner BCRPs (with DSA); Police	To identify excluded individuals and submit reports about offending behaviour
Date of Birth	Yes	Clients; Partner BCRPs (with DSA); Police	To correctly identify individuals, particularly in high-volume environments
Still photographic image	Yes — unaltered only	Clients; Partner BCRPs (with DSA); Police	To identify excluded individuals and submit reports
Video footage	Yes	Not shared with Clients. Partner BCRPs (with DSA); Police for evidence	To identify travelling offenders; to assist law enforcement in evidence gathering
Biometric matching data	Yes — via Facial Matching Engine	Output shared with commissioning Client only	Retrospective identification in business crime investigations
Vehicle registration mark	Yes — via ANPR network	Clients (in connection with specific incidents)	Vehicle movement intelligence for prevention and investigation
Alleged offences	Yes	Clients receive brief descriptor only (2–3 words). Full details: Police	To allow Clients to assess risk; to support civil recovery and legal proceedings
Contact details	Yes	Not shared with Clients except for civil recovery proceedings	To communicate with offenders as required by Article 13 UK GDPR
Race / Ethnic origin	Not processed	Not shared	—
Religion / Politics / Trade union	Not processed	Not shared	—
Genetic / Health / Sexual	Not processed	Not shared	—

10. Sources of Personal Data

Offenders' personal data may be provided to Fortify Intelligence by:

Clients — who submit incident reports, provide CCTV footage, and share relevant intelligence about offenders
Police and public agencies — under formal Data Sharing Agreements (DSAs) for the purposes of crime prevention and detection
Partner Business Crime Reduction Partnerships (BCRPs) — under DSAs within the relevant Regional Organised Crime Unit (ROCU) area
Offenders themselves — who may voluntarily offer information about themselves
Public sources — social media content that is publicly accessible without privacy controls
ANPR network — vehicle movement data from our network of 5,000+ sites across the UK
Civil recovery legal partner — data shared where relevant to ongoing proceedings

11. Data Retention

Fortify Intelligence operates a tiered retention framework based on offending behaviour and ongoing necessity:

Trigger	Active Sharing Period	Restricted Retention	Deletion
First report — no further incidents	3 months from report	12 months in restricted database	Irrevocable deletion if no further incidents
Second report within initial 3-month period	12 months from second report	12 months in restricted database	Irrevocable deletion if no further incidents
Ongoing / prolific offender (3+ incidents)	Active whilst offending continues	Reviewed annually — retained whilst justified	On annual review when retention no longer justified
Civil recovery proceedings	Duration of proceedings	6 years from conclusion of proceedings	Secure deletion after 6-year period
ANPR vehicle data (not linked to investigation)	N/A — not actively circulated	Up to 2 years	Rolling deletion at 2 years
Facial matching source images	Duration of investigation	Deleted on investigation conclusion	Immediate deletion unless required for proceedings

All retention periods are subject to annual review. Data will be retained beyond these periods only where there is a specific legal obligation or active legal proceedings requiring it. When data is no longer required, it is irrevocably and securely deleted.

12. Data Processors

Fortify Intelligence uses the following categories of Data Processors, all of whom are bound by Data Processing Agreements (DPAs) in accordance with Article 28 UK GDPR:

Cloud infrastructure providers — secure, UK-hosted cloud storage certified to Cyber Essentials standard
Intelligence platform software — the technology platform used to manage and share intelligence with Clients
Facial Matching technology provider — the biometric matching engine used for retrospective identification
ANPR data network operator — the provider of our nationwide ANPR feed
Civil recovery legal partner — independent Data Controller for civil recovery proceedings

A full record of Data Processors is maintained in our Records of Processing Activities (RoPA) and is available to the ICO upon request.

13. Automated Decision-Making

Fortify Intelligence does not make solely automated decisions with legal or similarly significant effect about any individual. Our Facial Matching Engine produces match candidates that are always reviewed and verified by a qualified human analyst with relevant professional experience before any action is taken or any output is shared with a Client.

Any intelligence output shared with Clients is clearly marked as intelligence, not evidence, and Clients are required under their terms of engagement to exercise their own judgement before acting on it.

14. Subject Access Requests

Any individual who believes Fortify Intelligence holds personal data about them has the right to submit a Subject Access Request (SAR). We will respond within one calendar month of receipt of a valid request. We may require the requestor to provide proof of identity before releasing data.

Note that the DPA 2018 includes exemptions from the right of access where disclosure would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty. Where an exemption applies, we will explain this in our response.

To submit a SAR, contact: info@fortifyintelligence.co.uk

15. Data Security

Fortify Intelligence implements the following technical and organisational security measures:

All data stored in cloud infrastructure certified to the Cyber Essentials standard
Encryption of data in transit (TLS 1.2 minimum) and at rest
Role-based access controls — analysts access only the data required for their specific role
Multi-factor authentication on all systems containing personal data
Regular penetration testing and vulnerability assessments
Staff data protection training on joining and annually thereafter
Pseudonymisation of data where practicable
Physical security controls for any on-premises processing
Data breach detection, reporting, and response procedures
Supplier due diligence and contractual data processing requirements for all processors

Breach Management

In the event of a personal data breach, Fortify Intelligence will:

Notify the ICO within 72 hours where the breach is likely to result in a risk to individuals
Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms
Document all breaches in our internal breach register, whether or not notification is required

16. Legitimate Interests Assessment (LIA)

Fortify Intelligence has conducted a Legitimate Interests Assessment (LIA) for the processing of offenders' personal data. The three-part test is summarised below:

Purpose Test

The legitimate interests pursued are: the prevention and detection of crime against our Clients' businesses, the protection of their staff, customers, and assets, and the collation of intelligence to address patterns of organised retail and business crime. These are genuine, real, and present interests — business crime causes significant financial and physical harm to UK businesses.

Necessity Test

Processing offenders' personal data is necessary to achieve these purposes. It would not be possible to effectively identify, track, or alert Clients to offenders without processing their personal data. No less intrusive means of achieving the same purpose exists. Consent cannot be relied upon as the lawful basis because seeking it would prejudice the crime prevention purpose and offenders are unlikely to consent.

Balancing Test

The rights and freedoms of offenders have been balanced against our Clients' interests. We have considered:

The nature of the data (identification data, offending behaviour — not sensitive health or political data)
The reasonable expectations of individuals who commit offences in commercial premises
The limited sharing (Clients on need-to-know basis; full details restricted)
The proportionate retention periods and review process
The safeguards applied (confidence test, human review, no automated decisions)
The availability of subject rights and the right to complain to the ICO

We have concluded that our Clients' legitimate interests prevail, having applied appropriate safeguards to minimise the impact on offenders' rights and freedoms. A copy of the full LIA is available to data subjects and the ICO on request.

17. Data Protection Impact Assessment (DPIA)

Fortify Intelligence has completed a DPIA covering the high-risk processing activities described in this document, in particular:

Biometric processing via the Facial Matching Engine
Systematic processing of criminal offence data at scale
ANPR vehicle movement monitoring
Sharing of intelligence data with multiple Client organisations

The DPIA identifies and assesses risks, sets out the mitigating measures in place, and concludes that residual risks are acceptable given the safeguards implemented. The DPIA is reviewed annually and whenever there is a material change to our processing activities.

A summary of the DPIA is available on request. The full DPIA is available to the ICO upon request.

18. Appropriate Policy Document (APD)

As required by Schedule 1, Part 4 of the DPA 2018, Fortify Intelligence maintains an Appropriate Policy Document (APD) for the processing of criminal offence data and special category data under the substantial public interest condition.

The APD sets out:

The Schedule 1 condition(s) relied upon and why processing meets that condition
Our procedures for securing compliance with the UK GDPR principles in connection with the processing
Our retention and erasure policy for such data

The APD is reviewed annually and updated whenever our processing activities change. A copy is available to the ICO upon request.

19. Children's Data

Fortify Intelligence does not knowingly process personal data about individuals under the age of 14. Where an incident involves a person who appears to be under 18, additional safeguards apply:

Enhanced proportionality assessment before any processing is undertaken
Disclosure to police and/or appropriate safeguarding authority in preference to processing within our intelligence platform
Data is not circulated to Clients without specific authorisation from a senior analyst
Retention periods are shortened — data is reviewed within 90 days and deleted unless there is a compelling and documented reason for retention

Where we become aware that we have inadvertently processed data about a child under 14, we will take immediate steps to delete it and will review the circumstances that led to the processing.

20. Personal Data Breach Management

Fortify Intelligence maintains a documented breach management procedure. All staff are trained to recognise and report potential breaches immediately to the Data Controller.

On identification of a breach, we will:

Contain the breach and assess its likely scope and severity
Notify the ICO within 72 hours if the breach is likely to result in a risk to data subjects' rights and freedoms
Notify affected data subjects if the breach is likely to result in a high risk to their rights and freedoms
Document the breach, its causes, and the steps taken in our breach register
Review and update our security measures to prevent recurrence

To report a data protection concern or suspected breach, contact: info@fortifyintelligence.co.uk