Did you know that the GDPR (General Data Protection Regulation) doesn’t just apply to basic information like names and addresses, but also to information about people’s habits and movements?
This means that things like having CCTV and monitoring employees’ browsing activities are covered by the Regulation.
However, that doesn’t mean you can no longer put up cameras or track your employees; it just means you need to be more careful about how you do so.
How you can monitor employees
Employers are entitled to monitor what their staff do during office hours, but they need a lawful basis to do it and must let employees know what they are doing.
Before the GDPR, organisations tended to rely on implied consent to justify workplace monitoring, but the Regulation’s consent requirements mean that consent isn’t valid where there is an unequal relationship, such as that between employer and employee.
You would be better off using either:
- Legal obligations, which apply when you need to process personal data to comply with other laws; or
- Legitimate interests, which apply when a private-sector organisation has a genuine reason (including commercial benefit) to process personal data without consent, provided it’s not outweighed by the negative effects on the individual’s rights and freedoms.
Do you need to monitor employees?
Some organisations assume that monitoring employees – or even threatening to do so – is essential because it makes them less likely to slack off.
In most cases, organisations have a point. However, they need to be able to justify that and explain their rationale. They must also show that they recognise the risk that monitoring may present to their employees, and that they’ve looked at and implemented mitigating controls where possible. This means conducting a DPIA (data protection impact assessment) to assess the extent to which monitoring is necessary, where and when it is required, and what method(s) to use.
A DPIA will also cover several other points to bear in mind:
- Data must only be processed if it fulfils its intended purpose. For instance, if you want to install CCTV for security reasons, the footage should be of sufficient quality to be able to identify individuals.
- CCTV recordings and other logs must be stored securely and encrypted wherever possible.
- Individuals have the right to request a copy of any CCTV footage in which they are in focus and/or clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with that footage within one month of the validation. The same is true of other kinds of data relating to employee monitoring.
Learn more about the GDPR
With so much to remember about the GDPR, we suggest that anyone who handles personal data as part of their job enrols on a dedicated training course.
Our Certified GDPR Foundation Distance Learning course is ideal for anyone who wants a comprehensive introduction to the Regulation. It explains the key requirements you need to meet in simple terms, and because you take the course remotely you can study around your work and other commitments without having to travel to and from a classroom.