
GDPR Compliance and Employee Data Monitoring

With the General Data Protection Regulation (GDPR) in effect in the EU and the comparable Data Protection Act 2018 in the UK (adapted from the EU GDPR), you probably have concerns about how it may affect your plans to use employee monitoring software. You want to gain insight into your team’s productivity, but you’re also dedicated to protecting personal data and staying compliant.

ActivTrak respects data privacy laws in our data-driven approach to analyzing productivity. Our commitment to data privacy and security ensures businesses in these regions can remain GDPR-compliant while achieving their productivity goals. It’s important to show that there is no reason you can’t continue to analyze business processes now that the GDPR is the law of the land. In fact, the GDPR was adopted by the European Union in 2016 to protect the personal data of its residents, not to make it harder for businesses to be successful.

There’s quite a bit of legal jargon in the regulation, but a simple GDPR definition is: A set of regulations intended to help keep personal information personal. The EU and UK want you to have responsible control over the way you record information to prevent sensitive employee data from leaving your office.

This article is not intended to replace official legal counsel. We are not legal experts. Please consult your lawyer.

Who is protected by the GDPR?

As of May 25, 2018, any person who is physically inside the EU is protected. It applies to citizens and non-citizens alike. Organizations in the UK are required to maintain compliance with the EU GDPR and, from January 1, 2021, onwards, to comply with the Data Protection Act 2018 (the UK’s GDPR).

Who must be GDPR compliant?

The regulation explains that if a “controller” is collecting personal data from anyone inside these regions, they must ensure GDPR compliance. A “controller” is a person, public authority, agency or any other body who collects data. If the controller does not follow the regulation, they could face GDPR fines of up to 20,000,000 EUR or 4% of their worldwide revenue, whichever is higher. The fine applies even if you or your business is not physically located inside the EU. In other words, ActivTrak, British Petroleum or a New York-based company looking to compare the productivity of its US sales team to its UK sales team must be GDPR-compliant when collecting personal data.

What is personal data?

It’s in the word: data that is personal. Almost anything could be considered personal, since the General Data Protection Regulation classifies “any information relating to an identified or identifiable natural person” as personal data. And if you were curious, an identifiable person is someone who can be identified by something like a name, ID number, location data or social identity.


Any information about you can be considered personal data, including what you do at work. What does that mean for tools which gather employee data? One of the primary uses for ActivTrak is to analyze business processes to discover trends and correlations that can be used to improve workflow, productivity and efficiency. This is done in part by tracking application usage, internet activity and time spent on these activities. At some point in this information gathering process, it is likely that an employee’s personal data will be captured.

We exist to help customers improve their businesses. It’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with the GDPR requirements.

6 Tips for Remaining GDPR Compliant with Employee Monitoring Software

1. Tell employees you want to collect employee data.

A recurring theme in the GDPR is transparency. In this regulation, a person has the right to know their data is being collected – at least in most circumstances. And while there are a few exceptions, you’ll be safer if you inform your employees that you want to gather employee data. Being transparent is a great place to start, and it opens the door to a relationship built on trust.

2. Explain why you want to collect employee data.

It’s not enough to tell your team that you plan to track their activities on their machines. One of the GDPR requirements is that you need to have a meaningful purpose for collecting data, and you need to explain that purpose to your team. The regulation spells it out: “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

A perfect example of using ActivTrak for a “legitimate purpose” is the way the Royal Air Force Cadets did. They enlisted our help to ensure internet safety for the cadets under their supervision. But their goal was more than monitoring and controlling access to harmful websites. The RAF also wanted to understand home issues better. As a result of their data gathering and monitoring, the RAF felt confident enough to develop and implement technology-based learning with their cadets.

Here was a “specified, explicit and legitimate purpose” for collecting data that resulted in a positive outcome for an organization.

It boils down to this: Have a specific reason or reasons for using ActivTrak and ensure your team understands those reasons. And if your mission changes and your purposes for collecting data stray from your original intent, inform your team that you’ve made the change.

3. Get permission to gather employee data.

So you’ve told your team you’ll be installing employee monitoring software and why. For organizations gathering data on people in the EU and UK, you’ll have to provide documentation that they understand how you plan to collect data and that they consent to it. You can do this in a written form. It should be very clear in the form what the employee is agreeing to and set apart from any other matters. You can’t hide the text in a paragraph of a 100-page document and then ask them to sign page 100.

Along with this, note that the employee has the right to withdraw their consent at any time.

In the US, for example, there are currently a few states, such as California, Virginia and Colorado, with GDPR-based laws requiring a company to have its team’s permission before gathering data. Though ActivTrak encourages employers to be transparent with their team, we leave it up to the business to make that decision in adherence to local laws and regulations.

However, when teams are informed of the steps taken to protect and maintain control over their information, it can help alleviate some concerns about behavior analytics software.

4. Be ready to provide the collected employee data.

At any time, a person has the right to access the data you collect. If you’re upfront about what you capture, this shouldn’t be an issue. We made it easy to export the productivity reports, screenshots or the entire raw dataset for an unlimited number of users so they can see their performance and how they’ve improved. And if there is a request to see the stored data under the GDPR, you can easily provide it for that reason too.

5. Be ready to delete the collected data.


The GDPR outlines the right to erasure, or “right to be forgotten.” This means that if a person decides they want their information deleted, then in most circumstances it needs to be erased.

Software like ActivTrak provides a way for you to meet this need. In this instance, an admin can delete logs and screenshots. They can even delete logs by individual users without losing the data from the entire team. And while the monitored employees can’t remove the data themselves, they can view it.

6. Utilize all the tools at your disposal.

ActivTrak provides a digital toolbox to reap the benefits of analyzing your team’s work habits while respecting their data.

We designed ActivTrak with trust, transparency, privacy, compliance and security top of mind. We intentionally built a platform that focuses on collecting contextual data and avoids intrusive employee monitoring techniques.

We recommend being transparent with employees about the intent, use, benefit, expectation and trustworthy application of ActivTrak insights for improved productivity, healthier work habits, and greater engagement. ActivTrak’s data privacy controls and related features help safeguard personal information and ensure your business is GDPR-compliant through:

  • Sensitive data protection
  • Privacy compliance support – GDPR, HIPAA, COPPA
  • Exclusion of non-business activity
  • Anonymized and aggregated data when appropriate
  • Role-based access and permissions
  • Report subscriptions and sharing
  • Scheduled working hours
  • Do Not Track list
  • Security alarms and domain blocking
  • No keystroke logging, video or camera monitoring
  • Security compliance – SOC 2 Type 1 compliant