Remote Workers Time Tracking vs GDPR — What You Need to Know

Insightful.io
May 9, 2019


If you are doing business in the European Union, your practices must be in line with the General Data Protection Regulation (GDPR), the law that started applying in May 2018.

In short — GDPR gave more rights to data subjects, allowing them to have more transparency from the data controllers. Additionally, data controllers in the EU need explicit consent for almost all acts of personal data collection and processing (legitimate interest can sometimes be a basis for processing, but we will speak of that a bit later). GDPR also allows data subjects full control over their data, meaning they can request changes, or even erasures (right to be forgotten) from the data controller.

GDPR affected all industries, and many companies needed to improve their data protection practices. It also affected the use of employee monitoring software. Keep reading to find out how.

How Does GDPR Affect Workers Time Tracking?

GDPR did not explicitly change the rules of employee monitoring; however, some parts of the legislation complicate this practice.

1. Basis for monitoring and processing of workers' data

Under GDPR, consent is required in most cases of processing. Yet, the regulation also allows processing based on legitimate interest. In order to process data on the basis of legitimate interest, companies must perform a legitimate interest assessment and have justified reasons to process data without consent.

Many employers are avoiding consent-based monitoring for fear of being rejected, so they are looking for a workaround with legitimate interest processing. Keep in mind that the legitimate interest assessment document should contain the reason for monitoring, which can’t be related only to performance assessments.

2. Monitoring carried out by Non-EU organizations

The fact that your organization is not located in the EU doesn’t mean you are exempt from GDPR. If your remote workers are located in the EU, you must abide by this law. Any breaches of this regulation could lead to extremely high penalties: up to €20 million, or 4% of annual global turnover — whichever is higher.

We recommend consulting with your legal team, or a third party who specializes in GDPR, to be certain you are abiding by all EU laws.

3. Privacy Impact Assessment must be carried out before implementation

Employee monitoring is a high-risk practice, and it requires a privacy impact assessment (PIA) report to be done prior to monitoring. This report should be completed before you implement the app, and it should outline your organization’s needs and the privacy and data protection challenges that could arise from the implementation of time tracking software.

What Can Employers Do?

The good news is — you can still track the time of your remote workers. However, you need to be more careful in terms of data protection.

Here are some of the things you can do to make sure you are time tracking by the book:

· Notify the employees that monitoring is happening, and why (secret monitoring is only allowed when there are grounds for suspecting a criminal activity)

· Create policies and procedures which clearly outline monitoring activities

· Limit access to data collected through monitoring to staff members who need to have access to this data. Keep in mind that you should train these employees on data protection.

· Monitoring should be limited to information necessary for the purpose of time tracking activities.

· Personal and work communication are completely separate and must be treated as such (unless there are suspicions of criminal activity)

In Conclusion

Your remote workers must be clearly notified about your time tracking practices and data protection policies. Additionally, you should keep monitoring to the point where it protects your business’s and your remote employees’ best interests.
