GDPR Compliance and Employee Data Monitoring
The GDPR is now in effect and you probably have concerns about how it may affect your plans to use employee monitoring software. You want to gain insight into your team’s productivity, but you’re also dedicated to protecting personal data and staying GDPR compliant.
We help many businesses in the EU accomplish their goals using ActivTrak. In fact, the UK is our second largest market! It’s important for us to show that there’s no reason why you can’t continue to analyze your business processes at a time when the GDPR is the law of the land. In fact, the General Data Protection Regulation was adopted by the European Union in 2016 to protect the personal data of its residents, not make it harder for businesses to be successful.
There’s quite a bit of legal jargon in the regulation, but a simple GDPR definition is, “A set of regulations intended to help keep personal information personal.” The EU wants you to have responsible control over what you record, why you record it, and who can see it, so that sensitive employee data is neither collected without a reason nor exposed beyond the people who need it.
This article is not intended to replace official legal counsel. We are not legal experts. Please consult your lawyer.
Who is protected by the GDPR?
As of May 25th, 2018, any person who is physically in the EU at the time their data is processed is protected. It applies to citizens and non-citizens alike; what matters is where the person is, not their nationality.
Who must be GDPR compliant?
The regulation explains that if a “controller” is processing personal data of anyone inside the EU, they must ensure GDPR compliance. A “controller” is the person, public authority, agency, or other body that decides why and how personal data is processed (the employer deciding to monitor its staff, for example). A vendor that stores or processes that data on the controller’s behalf is a “processor” and has its own, narrower obligations. If the controller does not follow the regulation, they could face GDPR fines of up to 20,000,000 EUR or 4% of their total worldwide annual turnover, whichever is higher. The regulation applies even if you or your business is not physically located inside the EU, because it covers monitoring the behaviour of people who are in the EU. In other words, ActivTrak, British Petroleum, or a New York-based company looking to compare the productivity of their US sales team to their UK sales team must be GDPR compliant when collecting that personal data. (Since leaving the EU, the UK has retained an equivalent regime, the UK GDPR, so the same obligations apply to staff in the UK.)
What is personal data?
It’s in the name: data that are personal. The sky’s the limit as to what could be considered personal, seeing as the General Data Protection Regulation classifies “any information relating to an identified or identifiable natural person” as personal data. An identifiable person is someone who can be identified, directly or indirectly, by something like a name, an identification number, location data, an online identifier, or factors specific to their physical, economic, cultural or social identity.
Any information regarding you can be considered personal data, including what you do at work. What does that mean for tools which gather employee data? One of the primary uses for ActivTrak is to analyze business processes to discover trends and correlations that can be used to improve workflow, productivity, and efficiency. This is done in part by tracking application usage, internet activity, and time spent on these activities. Because each of those records is tied to a named user account, every stage of this information gathering process collects personal data about the employee, and screenshots may also capture personal data about the people the employee is emailing or chatting with.
We exist to help customers improve their businesses. It’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with the GDPR requirements. With that, here are six tips for remaining GDPR compliant while using activity tracking software.
1. Tell employees you want to collect employee data.
A recurring theme in the GDPR is transparency. Under the regulation, a person has the right to know that their data is being collected, what is collected, why, and for how long it is kept, and this information must be given to them at the time of collection, normally in a privacy notice. There are a few narrow exceptions, but you’ll be safer if you inform your employees, in writing, before the monitoring agent is deployed. Being transparent is a great place to start, and it opens the door to a relationship built on trust.
2. Explain why you want to collect employee data.
It’s not enough to tell your team that you plan to track their activities on their machines. One of the GDPR requirements is that you have a specific, legitimate purpose for collecting data, that you document it, and that you explain that purpose to your team. The regulation spells it out: “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” A vague purpose such as “general oversight” does not meet this bar; “measuring time spent in our ticketing system to balance workload across the support team” does.
A good example of using ActivTrak for a “legitimate purpose” is how the Royal Air Force Cadets used it. They enlisted our help to ensure internet safety for the cadets under their supervision. But their goal was more than monitoring and controlling access to harmful websites. The RAF also wanted to understand home issues better. As a result of their data gathering and monitoring, the RAF felt confident enough to develop and implement technology-based learning with their cadets.
Here was a “specified, explicit and legitimate purpose” for collecting data that resulted in a positive outcome for the organization.
It boils down to this: have a specific reason or reasons for using ActivTrak and make sure your team understands those reasons. And if your mission changes and your purposes for collecting data stray from your original intent, you must inform your team of the change before you start using the data for the new purpose, and the new purpose needs its own justification.
3. Get permission to gather employee data.
So you’ve told your team you’ll be installing employee monitoring software and why. Every use of personal data also needs a lawful basis under the GDPR, and consent is only one of them. Consent must be freely given, and because an employee can rarely say no to an employer without consequences, regulators treat employee consent as valid only in exceptional cases. Most employers instead rely on their “legitimate interests,” which means documenting what the interest is (for example, securing company systems or balancing workload), why monitoring is necessary for it, and why it does not override the employees’ own rights. Systematic monitoring of staff is also a case where you should carry out and keep a data protection impact assessment before you start.
If you do rely on consent, you’ll have to document that employees understood how you plan to collect data and that they agreed to it. You can do this in a written form. It should be very clear in the form what the employee is agreeing to and set apart from any other matters. You can’t hide the text in a paragraph of a 100-page document and then ask them to sign page 100.
Along with this, note that an employee who has consented has the right to withdraw that consent at any time, and withdrawing it must be as easy as giving it.
This might be a new concept to some. In the US, for example, there is currently no federal law requiring a company to have their team’s permission before gathering this kind of data, although some states require that employees be notified of electronic monitoring. Though ActivTrak encourages employers to be transparent with their team, we leave it up to the business to make that decision.
However, when teams are informed of the steps taken to protect and maintain control over their information, it can help alleviate some of the concerns people have about behavior analytics software.
4. Be ready to provide the collected employee data.
At any time, a person has the right to access the data you have collected about them, and you must respond without undue delay and at the latest within one month of the request. If you’re upfront about what you are gathering, this shouldn’t be an issue. We made it easy to export the productivity reports, screenshots, or the entire raw dataset for an unlimited number of users to let them see their performance and how they’ve improved. If there is a request to see the stored data with regards to the GDPR, you can easily provide it for that reason too. One caveat: screenshots and chat or email captures often contain other people’s personal data as well, so review an export before handing it over and redact anything that relates to someone other than the requester.
5. Be ready to delete the collected data.
The GDPR outlines the right of erasure, or “right to be forgotten.” This means that if a person asks for their information to be deleted, then in many circumstances it needs to be erased, for example once the data is no longer needed for the purpose it was collected for, or when the person withdraws consent that was the only basis for keeping it. The right is not absolute: you can keep data you are legally required to retain, or that you need to defend a legal claim, but you should be able to show why.
Software like ActivTrak provides a way for you to meet this need. An admin can delete logs and screenshots, and can delete the logs of an individual user without losing the data for the rest of the team. The monitored employees can’t remove the data themselves, but they can view it. A written retention period, with old data deleted automatically when it expires, reduces how often you have to handle these requests at all.
6. Utilize all the tools at your disposal.
In our software, we’ve given you a digital toolbox to reap the benefits of analyzing your team’s behavior while respecting their data. The first tool is simply not collecting what you don’t need: the GDPR requires data to be limited to what is necessary for your purpose, so decide up front whether you need screenshots at all, and if so for which users and how often.
Something else you might consider is our Data Leak Prevention option, a way to keep some of the data captured by ActivTrak safe from prying eyes. It includes an image redaction feature to redact sensitive information from the screenshots you capture, so that a payroll page or a customer record does not end up stored in plain view in the monitoring console. The identifiers it looks for include:
- Driver’s License Numbers
- National Health Service Numbers
- National Insurance Numbers
- National Taxpayer Identification Numbers
- NIF Numbers
- NIE Numbers
- Credit Card Numbers
- Bank Account Numbers
- ICD 9-CM Lexicon
- ICD 10-CM Lexicon
- International Mobile Equipment Identity
- MAC Addresses
- Phone Numbers
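To show what identifier redaction of this kind actually involves, here is an added illustration in Python. It is not ActivTrak’s redaction engine and not code from the original page; it works on the text layer you would get after running OCR over a screenshot, and the sample input is constructed for the example. It covers two items from the list above: UK National Insurance numbers, validated against the prefix rules HMRC publishes, and payment card numbers, validated with the Luhn check so that a 16-digit order number is not redacted by mistake.

```python
import re
from collections import Counter

# Constructed sample of OCR output from a captured screenshot. Not real data.
SAMPLE_OCR_TEXT = (
    "Payroll ticket #4521: employee NI number QQ 12 34 56 C, card 4111 1111 1111 1111 "
    "on file; replacement card 4111-1111-1111-1112 declined; ref AB123456C, order 1234567890123."
)

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# HMRC rules: first letter is not D, F, I, Q, U or V; second letter also not O;
# the prefixes BG, GB, NK, KN, TN, NT and ZZ are never issued.
NI_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
)
NI_BAD_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}

# Payment card number: 13 to 19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, Counter]:
    """Mask NI numbers and Luhn-valid card numbers; return (redacted text, counts)."""
    counts: Counter = Counter()

    def ni_sub(m: re.Match) -> str:
        if m.group(1).upper() in NI_BAD_PREFIXES:
            return m.group(0)          # structurally impossible NI number; leave it
        counts["ni"] += 1
        return "[NI REDACTED]"

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # fails Luhn: an order id, not a card number
        counts["card"] += 1
        return f"[CARD ****{digits[-4:]}]"   # keep last four for support lookups

    text = NI_RE.sub(ni_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, counts


if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_OCR_TEXT)
    print(cleaned)
    print(dict(found))
```

On the sample text, only the well-formed NI number and the Luhn-valid card are masked; the “QQ” number, the card with a bad check digit and the 13-digit order number are left alone. The format checks are what keep false positives down, which matters because over-redaction makes the captured data useless and under-redaction leaves personal data exposed. A real deployment would also redact the image pixels, not just the extracted text, and would still need the lawful basis and notice described above: redaction reduces what is exposed, it does not make the capture itself lawful.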