Skip to content

Does the GDPR Limit My UK Organisation’s Use of Laptop Monitoring?

Table of Contents

Nearly every UK business requires some employees to use an electronic device, such as a laptop, to carry out work. However, with electronic devices comes the potential for electronic monitoring. The General Data Protection Regulation (GDPR) aims to prevent employers from unlawfully accessing data and, as such, covers workplace monitoring practices. This article will explore the risks of using technology to monitor employees closely. In particular, we will consider the limits on electronic monitoring exercises under UK law and why it may be beneficial to restrict practices such as laptop monitoring.

GDPR on Employee Monitoring

The UK GDPR is our primary data protection law regarding electronic monitoring activities. These rules acknowledge that UK organisations have the technological ability to track all activities and conversations within a workplace and through their devices. Because of this, it aims to restrict the extent to which UK businesses can monitor their staff. Accordingly, UK organisations tend to take heed of the rules within the GDPR due to the risk of hefty Information Commissioner’s Office fines in the event of non-compliance.

Why Should My Business Be Aware of the ICO?

The power of the ICO to fine UK organisations up to £17.5m for GDPR violations motivates the majority of UK businesses to ensure good practice.

The ICO has the power to hand down such hefty financial penalties because the Government determined it would best motivate UK companies. This assumption has proven correct as most UK organisations aim to avoid breaches of the GDPR due to their subsequent financial penalties.

The ICO has issued significant fines to UK businesses that expose staff to excessive surveillance methods. Therefore, it is in your company’s best interests to act within GDPR rules.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Does Employee Monitoring Mean?

Employee monitoring technology includes all digital systems that seek to record the words and actions of staff. Some examples of employee monitoring systems include:

The last three examples are most relevant to laptop monitoring, which is the main focus of this article. 

Laptop Monitoring

As mentioned above, common ways of monitoring staff through their laptops (and computers) involve keystroke monitoring, website tracking and audio call recording technology.

Let us explore each of these in turn below.

Keystroke Monitoring 

Keystroke monitoring is an electronic system that records the time and use of every computer key (or mouse click). The primary purpose of this system is to check that staff are working at their computers (particularly those who are remote working).  

However, the keystroke systems could be better, and companies should not automatically presume that an absence of computer key presses means an employee is not working. For example, keystrokes monitoring cannot detect a staff member reviewing physical materials or on a telephone call.

Website Tracking

Website tracking is as simple as it sounds. Companies can set company internet browsers to record details of each webpage visited. This will allow your business to check that a staff member is visiting work-related sites during working hours and not using risky or virus-ridden web pages.

Audio Call Recording 

Audio call recording technology is more prevalent in this era of video conferencing. Many remote workers have become acclimatised to making phone or video calls through their computers rather than mobile phones. For example, a UK business can potentially set their company’s computing system to record all calls with clients.

Monitoring Techniques Permitted by the ICO

Your UK business can use the above techniques upon meeting certain conditions. These conditions include the following:

  • informing staff of your use of these systems in advance (usually through their induction and written IT or privacy policies);
  • collecting the information for a legitimate purpose, for example, to ensure the security of personal data and encourage compliance with legal obligations; and
  • ensuring that only relevant information is collected and processed, for example, information relating to calls with clients, not with family members.

The difference between an innocent and GDPR-compliant monitoring network and an unlawful, non-compliant system is likely to lie in a company’s original purpose and motivations. For example, a business checking website data during working hours to protect against viruses (under a written policy) is likely compliant. This is because the staff are pre-warned, and the aim is to ensure personal data is not stolen or held ransom by cybercriminals.

However, a business that uses covert monitoring devices or monitors computer systems without pre-warning its staff will likely risk a hefty financial penalty from the ICO. This is because UK organisations can only utilise covert recordings in exceptional circumstances.

Key Takeaways

Ensuring full compliance with data protection legislation is a challenging task. As a result, many UK businesses ask an expert lawyer to carry out a Data Protection Impact Assessment (DPIA). A DPIA is a form of risk assessment that advises your company as to which employee monitoring systems have a lawful basis.

If you need help ensuring the safe use of employee monitoring techniques, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

How helpful is a DPIA?

A Data Protection Impact Assessment can help your business ensure good employment practices and provide much-needed peace of mind in an increasingly digital world.

Where is the line between good management and excessive monitoring?

Data protection matters are complex because things are not always black and white as to what legitimate interests are lawful. However, most lawyers will advise that any company that pre-warns their employees of the nature and scope of their monitoring systems in advance faces less risk.

Register for our free webinars

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards