The EU’s new GDPR rule set took effect on May 25th and has resulted in many a privacy policy being overhauled. The rules essentially tighten how companies access and use employee data and give employees far more control over what information their employers can collect about them.
While GDPR reaches into almost all of a company’s functions, some, like GPS-powered employee tracking, are obviously more deeply affected. Since many companies rely on employee tracking to run their business more efficiently, it’s important for them to understand how GDPR will affect their operations.
So, what the *bleep* is GDPR?
Complex rules like the GDPR have a way of sounding, well, complex. So, here’s a simpler summary of what it is…
The GDPR, or General Data Protection Regulation, was implemented to replace the 1995 Data Protection Directive. The step was taken because the older rule set was failing to keep up with the sheer pace at which technology was progressing. As a result, employee privacy was seen to be falling prey to vague language which basically entitled employers to collect and use their data as they pleased.
Some of the key changes that GDPR brings to the table include…
- The rules now apply throughout the EU, regardless of the company’s location. So, if your company is located outside the EU and is working with customers within it, your operations will need to comply.
- Personal data is defined as “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
- Explicit consent must be obtained, and the request for it must clearly outline how the data will be used.
- People will have a right to access their personal data and learn more about how this data is being used.
- People will have a right to erasure, under which they can ask for certain personal data about them to be erased.
- People will have the right to transfer their personal data from one electronic format to another.
- Data protection will need to be built into a business’s processes for products and services, and privacy settings will need to be set to the most protective level by default.
- A full record of all processing activities will need to be maintained.
Failure to comply carries more stringent punishment as well. Fines that you can incur for not being in good stead with GDPR include…
- First level: fines of nearly $12 million (10 million euros) or 2% of the company’s worldwide annual revenue, whichever is greater.
- Second level: fines of nearly $24 million (20 million euros) or 4% of worldwide annual revenue, whichever is greater.
The full ruleset is a lot more elaborate and you can find out about it here.
How does GDPR affect employee tracking?
Since GPS-based employee tracking collects all manner of personally identifiable information, such systems come within the purview of GDPR.
Many companies use a variety of GPS tracking solutions. For instance, logistics and transport companies have their vehicles fitted with GPS trackers. Big tech companies are coming out with electronic solutions to create more interconnected, efficient workforces, too.
However, these developments blur the line between productivity and personal privacy. Add to that the prospects of companies actively GPS tracking employees, and it becomes increasingly apparent that stronger measures are the need of the hour.
One of the bigger issues surrounding consent is that it quickly becomes a catch-22 situation for the employee. They cannot realistically say no, as there’s always the risk of losing their job or favor with their employer.
Since consent is hard to rely on in such a case, companies will instead need to establish one or more of five lawful grounds in order to operate within GDPR. These include…
- A contract with the individual: if user tracking is necessary for the performance of a contract.
- Compliance with a legal obligation: if a company is legally obligated to keep track of its employees.
- Vital interests: if tracking information is required to protect someone or help them.
- A public task: if tracking will help a company fulfill an official function, such as those of the police, a school or a hospital.
- Legitimate interests: when the company has a genuinely good reason for tracking the user, provided it doesn’t trespass on the latter’s rights and freedoms.
How can companies uphold GDPR rules?
Navigating these new rules can be tough for companies, as the language in the rules is deliberately broad so that local authorities can build upon it.
To mitigate any oversight and ward off those pesky lawsuits, companies need to maintain a steady audit trail, updated periodically, that details how they are collecting and handling their data.
Broadly speaking, you will need to answer the following questions in your audit…
What does our company hold?
List all the systems and data types here.
Where is all this data stored?
Are you using on-site servers? The cloud? Ask your IT department to provide you with a list of all the systems and their names.
What is the collected data used for?
Tabulate all the different data types against all the business functions they are used for. For instance, an email address can be used for marketing, sales and business intelligence.
Who can access the data?
Different departments may have different uses for the data. It’s best to know how your data is being accessed and used across your company.
This is an oversimplification and you will probably need to delve a lot deeper into how your organization functions in order to run an audit properly. Check out this awesome checklist on how to prepare for the GDPR from the UK’s Information Commissioner’s Office (ICO) for a more thorough understanding.
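As an added illustration, not part of the original article, the following Python sketch turns the four audit questions above into a small records-of-processing inventory and a lawful-basis check. The data types, systems and departments are constructed sample values for a hypothetical fleet operator, and the lawful grounds are the five the article lists.

```python
from dataclasses import dataclass

# The five lawful grounds named in the article; consent is left out because
# the article argues it is hard to rely on for employees.
LAWFUL_GROUNDS = {"contract", "legal obligation", "vital interests",
                  "public task", "legitimate interests"}


@dataclass(frozen=True)
class ProcessingActivity:
    data_type: str        # what we hold, e.g. "email address"
    system: str           # where it is stored (on-site server, cloud service)
    purposes: tuple       # business functions it is used for
    accessed_by: tuple    # departments that can read it
    lawful_basis: str     # one of LAWFUL_GROUNDS, or "" if not yet decided


# Constructed sample inventory (hypothetical values, not from any real company).
INVENTORY = [
    ProcessingActivity("email address", "crm-cloud",
                       ("marketing", "sales", "business intelligence"),
                       ("marketing", "sales"), "legitimate interests"),
    ProcessingActivity("vehicle GPS position", "fleet-tracker",
                       ("route planning",), ("dispatch",), "contract"),
    ProcessingActivity("driver smartphone location", "fleet-tracker",
                       ("productivity scoring",), ("dispatch", "HR"), ""),
]


def data_types_held(inventory):
    """Q1: what does the company hold?"""
    return sorted({a.data_type for a in inventory})


def systems_holding(inventory):
    """Q2: where is it stored?  Maps each system to the data types it holds."""
    by_system = {}
    for a in inventory:
        by_system.setdefault(a.system, set()).add(a.data_type)
    return {s: sorted(t) for s, t in by_system.items()}


def data_type_matrix(inventory):
    """Q3: tabulate each data type against the functions that use it."""
    matrix = {}
    for a in inventory:
        matrix.setdefault(a.data_type, set()).update(a.purposes)
    return {d: sorted(p) for d, p in matrix.items()}


def location_data_access(inventory):
    """Q4: which departments can read location data (personal data under GDPR)?"""
    return sorted({dept for a in inventory
                   if "location" in a.data_type or "GPS" in a.data_type
                   for dept in a.accessed_by})


def missing_lawful_basis(inventory):
    """Flag activities with no lawful ground from the article's list."""
    return [a.data_type for a in inventory if a.lawful_basis not in LAWFUL_GROUNDS]
```

Running `missing_lawful_basis(INVENTORY)` on the sample flags the smartphone location feed, which is exactly the kind of activity the audit trail is meant to surface before a regulator does.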
Conclusion
With the kind of technological sophistication that is making its way into our lives, regulations such as the GDPR couldn’t have come sooner.
Amazon, for instance, filed for a couple of patents for wristbands that will tell them when an employee has reached for a certain shelf! UPS has sensors on its trucks that can tell them when an employee has opened or shut the door, or whether the engine is running.
As the Internet of Things (IoT) becomes a more pervasive part of our lives, it will result in privacy concerns that few can deny. In times to come, regulations like GDPR will help even the odds in the employee’s favor while helping companies operate better.