
Keeping Employee Monitoring Compliant

Last updated: October 07, 2025

Employers monitoring their staff should carefully consider guidance from the UK Information Commissioner's Office (ICO) to ensure they comply with data protection laws.


Key takeaways

  • Research shows that 70% of the public would find it intrusive to be monitored by an employer, and 19% believe they have been.
  • The ICO issued new guidance on employee monitoring in October 2023.
  • Key principles for employee monitoring are transparency, lawful basis, proportionality, data minimisation and security.
  • The ICO’s advice covers types of monitoring, including electronic communications, video, in-vehicle and information from third parties.
  • Introducing employee monitoring involves several steps, from establishing clear guidelines to explaining how monitoring data will be used.
  • Consequences of non-compliant staff monitoring include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

The ICO issued new guidance on employee monitoring in October 2023, outlining key principles employers must follow.


ICO findings

Research commissioned by the ICO revealed that 70% of the public would find it intrusive to be monitored by an employer, and almost one in five (19%) believe they have been. 

Of those who believe they have been monitored, timekeeping and access were the most common practices at 40%, followed by emails, files, calls or messages at 25%.

The ICO recognises that employers have a legitimate interest in monitoring to protect their business and ensure employees are working productively. However, the public body also emphasised that people have a right to privacy and any monitoring must be justified and proportionate.

In 2023, Amazon France Logistique was fined a substantial €32 million (£27 million) by France's data watchdog, CNIL, for "excessive" surveillance of warehouse workers. The fine resulted from detailed tracking of employee activities through handheld scanners, including recording interruptions in their work and requiring workers to justify every break or pause.

A. Key principles for employee monitoring

  1. Transparency: Employees must be aware of the nature, extent and reasons for any monitoring.
  2. Lawful basis: There must be a lawful basis for processing employee data, such as consent, legitimate interest or legal obligation.
  3. Proportionality: Monitoring should be proportionate to the legitimate interest it seeks to protect.
  4. Data minimisation: Employers should only collect the data required for the monitoring purpose, and delete it when it is no longer needed.
  5. Security: Employers must take appropriate measures to protect the security of employee data.

B. Types of employee monitoring

The ICO's guidance also covers specific types of monitoring, such as:

  1. Covert (hidden): If employees are unaware they are being monitored, it is generally only justified in exceptional circumstances, such as where there is a risk of serious harm to the business or individuals.
  2. Electronic communications: For example, employee emails and internet use.
  3. Video and audio: For example, CCTV and other video and audio recording devices.
  4. In-vehicle: For example, company cars. 
  5. Information from third parties: For instance, social media or credit reports.

 

C. How to introduce employee monitoring

The new guidance provides clear information on how monitoring can be conducted lawfully and fairly, and how it can foster trust and respect among employees.

Being transparent with your staff about monitoring is important for maintaining a positive work environment. By following the steps below and being open and honest about monitoring practices, you can cultivate trust and cooperation, where employees understand the need for monitoring and are comfortable with its implementation.

  1. Establish clear monitoring policies and guidelines: These should outline the reasons for monitoring, the types that will occur, and be easily accessible to all employees.
  2. Explain why monitoring is needed: Ensure staff understand that it's not about invading their privacy but about ensuring compliance, security, and productivity. Be honest about the risks your organisation faces.
  3. Involve staff in the monitoring process: Whenever possible, ask staff for their input and feedback. This can help create a sense of ownership and cooperation.
  4. Respect privacy and legal requirements: Ensure your monitoring activities comply with all applicable laws and regulations. Stay abreast of privacy laws like the General Data Protection Regulation (GDPR), and ensure your monitoring practices don't violate them. 
  5. Explain how monitoring data will be used: Will it be used for performance evaluations, security purposes, or something else? This can alleviate concerns about misuse.
  6. Clearly outline the consequences of violations: Consistently enforce monitoring policies, and let staff know the potential outcomes of breaches. 
  7. Respect employee rights: Remind staff that, as the 'data subject', they have the right to express concerns or request clarification about the monitoring process. Let them know who to contact (usually your data protection officer).
  8. Seek legal counsel: If you're unsure whether your monitoring practices are compliant, consult with legal experts. Seeking advice can help you navigate the complexities of data privacy and employment laws.

D. Consequences of non-compliant staff monitoring

The ICO can investigate complaints about employee monitoring and take enforcement action against employers found to be in breach of data protection laws. This can include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

Employee monitoring compliance: FAQs

What are the GDPR rules for employee monitoring?

It must be lawful, fair and transparent; data must only be used for stated reasons; data collection should be limited to what’s necessary; information must be protected using features like access controls; and it shouldn’t be stored for longer than required.

What rights do employees have regarding monitoring?

They have GDPR rights, including to be informed, of access, to rectification of inaccuracies, to erasure (where applicable) and to object if monitoring isn’t justified.

When could covert monitoring be allowed?

In cases like criminal investigations, where it must meet strict legal requirements.
