WorkTime is GDPR compliant

Since the introduction of GDPR, organizations in the EU that are planning or already running employee monitoring have been looking for reliable answers to questions such as: Is employee monitoring software legal under GDPR? What are the GDPR requirements? How do I apply them to my employee monitoring process? This article from WorkTime experts answers these questions and explains how WorkTime meets GDPR compliance objectives.
What is GDPR?

In brief, the General Data Protection Regulation (GDPR) took effect on May 25, 2018, to protect all European Union citizens' data and privacy. GDPR sets guidelines for all businesses collecting and processing any personal data (including but not limited to names, photos, email addresses, banking details, social media posts, medical information, or a computer IP address). It applies to EU companies or entities and to those outside the EU that monitor EU individuals or offer them goods/services (paid or free).
GDPR sets guidelines for all businesses collecting and processing personal data from individuals living in the EU and EU citizens working internationally.
Penalties for any data breach can cost 4% of a company's annual worldwide revenue or €20 million. To avoid these penalties a company must be able to demonstrate:
- Proper processing
- Security controls
- Zero breaches
Is employee monitoring software legal under GDPR?

The quick answer to the question is yes. The use of software to monitor employees is legal under GDPR laws. Employee monitoring software is a vital means of ensuring work productivity, protecting sensitive data, and guaranteeing that company assets are used suitably. That said, any solution used to monitor employees must be GDPR compliant, since it collects data that is considered personal, including names, internet use, email traffic, etc.
GDPR principles to follow when using employee monitoring software

For employee monitoring, the General Data Protection Regulation (GDPR) requires businesses that process personal data to abide by seven fundamental principles so that their monitoring practices comply with national and EU data protection laws:
- Transparency, fairness, and lawfulness.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Security, integrity, and confidentiality.
- Accountability.
Transparency, fairness, and lawfulness

This principle demands transparency, fairness, and lawfulness in the handling and use of personal data. Employers are obligated to be transparent with their employees about why they are collecting the data, how they are collecting it, and what it will be used for.
It’s good practice to create well-defined policies that clearly explain the type of data collected and the reasons it is being collected to ensure transparency.
Purpose limitation

The purpose of the data collection must be legitimate, specified, and explicit. An employer should accurately pinpoint the purpose of the monitoring and the business interest the monitoring is trying to protect. Doing this places them in a better position to justify the measures from a legal and practical perspective.
Data minimization

This principle is about minimizing the collection and storage of personal data. Personal data collected must be as minimal as possible to avoid any violation of privacy. Personal data to be collected should be "adequate, relevant and limited to the intended purpose only." Note that under the GDPR, businesses are required to justify the amount of data collected.
Personal data must be used for the purposes for which they are collected.
Accuracy

Businesses must ensure old and outdated data is not retained. Also, the GDPR states that all incorrect personal data must be erased or rectified within 30 days. Personal data must be "accurate and, where necessary, kept up to date."
Organizations should ensure that the obtained personal data is accurate and correct.
Storage limitation

This principle relates to data minimization and states that personal data must be "kept in a form which permits identification of data subjects for no longer than necessary." Simply put, all personal data collected should be retained only for as long as necessary to achieve the purposes for which the data was collected.
Collected personal data should be retained only for as long as necessary to achieve the purposes for which the data was collected.
Security, integrity, and confidentiality

This principle deals exclusively with security. Businesses must ensure that all the appropriate measures are taken to secure personal data. The GDPR states that organizations handle personal data "in a manner that ensures appropriate security," which includes "protection against unlawful processing or accidental loss, destruction or damage."
Accountability

This principle requires organizations to be accountable for the information under their control and ensure adherence to the GDPR principles. This implies that all measures to gather and process the data must be thoroughly documented and comply with the law.
Measures taken to gather and process the data must be thoroughly documented and comply with the law.
How WorkTime satisfies GDPR requirements

Ensuring the privacy and safety of data obtained through employee monitoring software is imperative. WorkTime satisfies the GDPR requirements without unnecessarily infringing on employees' privacy in the following ways:
The WorkTime monitoring process is fully transparent

Transparency is required under GDPR laws when handling personal data. By providing employee monitoring handbooks and detailed policies alongside the software package, WorkTime ensures transparency for employers who wish to inform employees of the monitoring process that will be implemented within the organization. Also, WorkTime allows users to choose when they are monitored. Employees can be granted access to their own reports to see what was monitored.
WorkTime ensures transparency by providing ready-to-use policies, employee monitoring handbooks, announcement samples, and detailed policies for employers who wish to inform employees of the monitoring process.
WorkTime's monitoring purpose is centered around improving productivity

Non-invasive, pure productivity monitoring is the focus of WorkTime employee monitoring software. WorkTime collects as little personal data as possible. The data collected is relevant and limited to the intended business purpose. For example, WorkTime does not record and store any passwords to avoid security and privacy issues.
WorkTime collects data that is relevant and limited to intended business purposes.
WorkTime takes appropriate measures to safeguard the data collected

WorkTime has built-in data security features to prevent data leaks. All captured information is stored in an encrypted database that is password protected. User records can also be deleted at any time.
WorkTime ensures zero data breaches by providing security control for anyone handling personal data.