Did you know that the GDPR (General Data Protection Regulation) doesn’t just apply to basic information like names and addresses, but also to information about people’s habits and movements?
This means that things like having CCTV and monitoring employees’ browsing activities are covered by the Regulation.
However, that doesn’t mean you can no longer put up cameras or track your employees; it just means you need to be more careful about how you do so.
How you can monitor employees
Employers are entitled to monitor what their staff do during office hours, but they need a lawful basis to do it and must let employees know what they are doing.
Before the GDPR, organisations tended to rely on implied consent to justify workplace monitoring, but the Regulation’s consent requirements mean that consent isn’t valid where there is an unequal relationship, such as in the employer–employee one.
You would be better off using either:
- Legal obligations, which apply when you need to process personal data to comply with other laws; or
- Legitimate interests, which apply when a private-sector organisation has a genuine reason (including commercial benefit) to process personal data without consent, provided that interest is not outweighed by the negative effects on the individual’s rights and freedoms.
Do you need to monitor employees?
Some organisations assume that monitoring employees – or even threatening to do so – is essential because it makes them less likely to slack off.
In most cases, organisations have a point. However, they need to be able to justify that and explain their rationale. They must also show that they recognise the risk that monitoring may present to their employees, and that they’ve looked at and implemented mitigating controls where possible. This means conducting a DPIA (data protection impact assessment) to assess the extent to which monitoring is necessary, where and when it is required, and what method(s) to use.
A DPIA will also cover several other points to bear in mind:
- Data must be processed in a way that fulfils its intended purpose. For instance, if you want to install CCTV for security reasons, the footage should be of sufficient quality to be able to identify individuals.
- CCTV recordings and other logs must be stored securely and encrypted wherever possible.
- Individuals have the right to request a copy of any CCTV footage in which they are in focus and/or clearly identifiable. If the request is valid and permissible, the organisation must supply the individual with that footage within one month of the validation. The same is true of other kinds of data relating to employee monitoring.
Helping you conduct a DPIA
Those looking for more advice on how they can use CCTV footage in a GDPR-compliant way should take a look at our free green paper: A Concise Guide to Data Protection Impact Assessments.
This guide goes into more detail about what DPIAs are, when you are required to conduct one and when you need to consult your supervisory authority.
It also looks at the organisational benefits that DPIAs bring in addition to helping you achieve GDPR compliance. And, most importantly, it contains information on how to complete the process.
Meanwhile, for those ready to get started with the assessment process, our DPIA Tool is the perfect solution. This software:
- Helps you create a DPIA process and define the scope of the DPIA.
- Produces a consistent approach for every DPIA.
- Gives you the ability to share DPIA results with key stakeholders and the supervisory authority.
- Generates accurate reports on each DPIA conducted.
- Enables you to export the results of each DPIA.
A version of this blog was originally published on 11 July 2019.