Personal data refers to anything that can identify an individual, not just written information. This includes CCTV and employee monitoring, which will typically be considered high-risk activities under the EU General Data Protection Regulation (GDPR).
Employers are entitled to monitor employee activity, but they need a lawful basis to do it and they need to communicate the monitoring to employees.
Many companies currently rely on implied consent to justify monitoring, but the GDPR’s consent requirements mean other legal grounds should be sought where possible. The most appropriate grounds will probably be legitimate interests or legal obligations.
In a code of practice guide, the Information Commissioner’s Office (ICO) recommends that organisations carry out a data protection impact assessment (DPIA) to assess the extent to which monitoring is required, where it is required and at what times. It also outlines a number of things you should bear in mind if you plan to monitor your employees:
- Data must be used and kept only to fulfil its original purpose. For instance, if the purpose of holding data is to identify individuals engaged in criminal activity, the footage should be of sufficient quality to do so and be available to the police should they request to view it.
- CCTV recordings and other logs must be stored securely and encrypted wherever possible.
- Individuals have the right to request a copy of any CCTV footage in which they are in focus and/or clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with that footage within 30 days of validating the request. The same applies to other kinds of data gathered through employee monitoring.
Prepare for the GDPR
If you want to learn more about your obligations under the GDPR, you should register for our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.
The Regulation strengthens many compliance requirements, and introduces much stricter penalties for companies that don’t meet them. Any organisation that fails to comply with the GDPR faces a fine of up to €20 million or 4% of its annual global turnover – whichever is greater.
Our Foundation-level training course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for all organisations affected by the Regulation.