Employee surveillance is not new: the Ford Motor Company’s Sociological Department was on a secret journey to snoop on its workers’ bank deposits, divorce filings and school attendance records all the way back in 1914. Yet with millions of employees now – and for the foreseeable future – working remotely, organisations are thinking about how to monitor the productivity of people they only see on Zoom calls (other brands are available). It does sometimes feel like we’re all spirits in the material world.

However, organisations taking inspiration from the Police’s 1983 hit Every Breath You Take – “every breath you take and every move you make, every bond you break, every step you take, I’ll be watching you” – should pay close attention to the EUR 35 million fine issued yesterday against a German subsidiary of retailer H&M for its excessive collection and use of employee data, including health, religious and other sensitive information.

The fine is the second biggest under the EU’s General Data Protection Regulation and relates to H&M’s practice, which started in 2014, of collecting large volumes of employee personal data through internal surveys, watercooler chats with managers and “welcome back talks” after employees returned from holidays or sick leave.

There’s a vast array of technology out there to monitor staff, with keyboard tracking, screen captures and social media monitoring being the tip of the iceberg. But whatever tools you use to get next to your employees, considering privacy is key. Indeed, in some cases employees have a legal right to say don’t stand so close to me. A regulator is also unlikely to respond favourably to an excuse that you had no time this time.

So, friends, what steps should you take to avoid being a canary in the coalmine?

  • Assess whether the processing is necessary – and, if it isn't strictly necessary, whether it's at least reasonable and proportionate to the aim. What's your legal basis, or bases, for each monitoring activity? Usually, it will be your legitimate interests, but for some organisations compliance with a legal obligation may also be appropriate.
  • Conduct a data protection impact assessment before you start the monitoring. This exercise will help you think through and document the risks of the project, as well as how to mitigate or minimise those risks. Think: flexible strategies.
  • Inform employees about what you’re doing and why, through just-in-time privacy notices and other transparency mechanisms. Communication is key.
  • Consider the usual data protection principles, such as data minimisation (don't collect or use more information than you need) and retention (don't keep the data once it no longer serves the purpose you collected it for).

Hopefully that doesn't sound like a sermon. But the time and effort up front will seem like peanuts compared to the fallout from a large regulatory investigation and fine. Dealing with that fallout could leave you driven to tears.

If you’d like someone to talk to about these issues, feel free to contact me using email or LinkedIn. Or, failing that, a message in a bottle.