Expert Insight into Legally Monitoring Staff

How to remain compliant with privacy laws

How much and what type(s) of staff monitoring is too much? How can organisations ensure that they don’t overstep the mark?

More and more organisations are monitoring their staff for productivity. But what practices, if any, overstep the mark, and become intrusive, unfair or even illegal surveillance?

We put these questions to Louise Brooks, who is the head of consultancy at DQM GRC, where she advises organisations on the GDPR and other data privacy laws, helping them fulfil their privacy obligations while continuing to meet their business objectives.

How can employers assess whether their staff monitoring is intrusive, unfair or illegal?

A DPIA [data protection impact assessment] would be a good place to start.

DPIAs are a type of risk assessment that are required in all instances where the processing of personal data is likely to result in a high risk to people. This type of assessment will help organisations understand the possible impact of the processing activity they want to conduct – such as employee monitoring – and how people’s rights and freedoms might be affected by that impact.

If, after completing the DPIA, the organisation finds that it still can’t mitigate the risks, it needs to consult the ICO [Information Commissioner’s Office] before it can start the processing activity.

In the context of staff monitoring, what would “high risk” include?

I’d look to the ICO’s guidance on monitoring employees, which gives several examples of processing that the ICO considers high risk. Those include:

  • Processing staff biometric data or using facial recognition technologies;
  • Monitoring employees’ keystrokes;
  • Monitoring emails, messages and/or network traffic; and
  • Using monitoring tools to collect data on employees who drive as part of their job.

All these activities would likely require the organisation to undertake a DPIA to understand what the risks are and how they might be mitigated.

How can organisations stay on the right side of the law?

There’s no simple answer to that one. That said, after doing some hard graft to lay the groundwork, compliance should be relatively painless.

First, it’s important to stay on top of ICO guidance and the law, particularly the GDPR [General Data Protection Regulation]. The ICO often categorises its guidance into ‘must’, ‘should’ and ‘could’. To explain those in a little more depth:

  1. Organisations need to comply with the ‘must’ requirements because they’re legal requirements.
  2. Organisations would need a good reason not to comply with the ‘should’ requirements.
  3. Organisations would be following best practice by sticking with the ‘could’ guidance, but aren’t likely to get in trouble if they didn’t. The key is being able to justify the chosen path.

It’ll also help organisations to have a thorough understanding of the GDPR and other relevant data protection legislation, as this will also help them understand and interpret the guidance from the ICO and other regulators. This also means investing in training for those people responsible and/or accountable for data protection compliance.

Organisations should then develop policies and procedures relevant to their operational environment. You can buy standard documents as a starting point, but must then adapt them to your business – they have to reflect how your organisation does things and how it achieves its goals. For example, a long and overly complicated DPIA process isn’t going to work well for a fast-paced, agile business.

What else can organisations do?

Organisations need a strong compliance programme built on the law and the ICO guidance that has appropriate policies, procedures and processes to implement and follow.

These will also double up as evidence of your compliance, should you need to demonstrate your accountability.

Furthermore, and this is perhaps most important of all, you need to engage all your employees on the topic. All the policies in the world will mean nothing if your staff don’t follow them! Organisations need to build a solid compliance culture.

There are lots of ways to achieve this. The route you take depends on your organisation’s context. Whichever route you choose, it will also take commitment and, at times, persistence to embed.

Organisations should consider regular data protection updates – think newsletters, desk drops, stand-up meetings, drop-in sessions, awareness training, quarterly briefings, and more.* This empowers people to take more responsibility for compliance, perhaps through data ‘champions’, and holding one another accountable for their role in data protection compliance.

These sorts of things, when taken together with regular training and solid processes and procedures, ensure data protection becomes part of the norm, rather than an annoying hurdle or blocker.

*For more ideas on engaging colleagues in data protection, read 118 Ways to Engage Your Colleagues in Data Protection.

What fines or other enforcement action can organisations face for breaking the law?

The ICO might issue a monetary penalty notice [i.e. a fine, which can be as high as £17.5 million or 4% of an organisation’s annual global turnover] or an enforcement notice [a recommendation to fix/improve issues/violations].

That said, I need to be honest here by pointing out that where the GDPR is concerned, the ICO has been leaning towards issuing reprimands. Those are essentially a rap on the knuckles.

Then again, whether the ICO issues formal or informal enforcement, organisations may notice a hit to their brand or reputation for non-compliance, particularly for those that hit the headlines. That can often have a greater impact on an organisation than any fine.

How we can help

DQM GRC offers interim and seconded consultancy services, which can include assistance with implementing a new process, such as employee monitoring. We can guide you through projects, enabling you to reach your business objectives within the constraints of data protection regulations.

We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back next week, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog, where privacy consultant Mark James gave us his expert insights into voice cloning.
