Disclaimer: the post below provides general information on the impact of GDPR on time tracking and cannot be understood as legal advice. For legal advice on how to adapt your HR practices to the new regulations, you should seek help from legal professionals.
With General Data Protection Regulation (GDPR) coming into effect on 25 May, several workplace policies will need to change to comply with the new law. Monitoring employees and employee time tracking practices is one of them. Learn how GDPR will affect processes such as keeping time sheets in your office in the post below!
GDPR background information
General Data Protection Regulation is a digital privacy law standardizing data protection practices in all EU countries. As a directive, it is legally binding and will affect all businesses that handle data of EU residents – not only businesses based in the EU. Given the large fines that may be imposed on businesses who fail to comply with the new regulations, and the total costs of complying with the new laws, GDPR sparked a lot of public outcry since it was enacted in April 2016.
GDPR introduces a few general principles of data protection and imposes new definitions of consent. The cornerstone principles include ‘data protection by design’ and ‘data protection by default’. This means that every entity handling data must have appropriate and well-documented processes for data control and protection, as well as designated persons for controlling them (data controllers). It also prescribes specific encryption methods such as pseudonymisation to encode personal data.
The new law also stresses the need for a ‘freely given, specific, informed, and unambiguous’ consent to process personal data from the owner through clear ‘affirmative action.’ More information on GDPR in general can be found here.
General employee monitoring and GDPR
Monitoring employees is a controversial issue that companies rarely seek explicit consent for – according to the Taylor Wessing Legal Group.
The law firm maintains that employee monitoring may be considered a high-risk practice and hence require a Privacy Impact Assessment (PIA) report to be filed with the appropriate national data protection authority by the company’s data controller.
What should employers do?
1. Inform employees about monitoring practices in the workplace – how and why the employees are monitored. Have clear written monitoring policy guidelines in place.
2. Make sure the employees know the legal basis for the processing of their personal data.
3. Allow the individuals concerned access to monitoring records.
4. Respect privacy of personal communications and only require access when there is a good reason for it – e.g. suspicion of criminal activity, breach of confidentiality, or leak of company secrets.
5. Limit monitoring to the necessary minimum warranted by business needs or ‘legitimate interest.’
GDPR and sensitive employee data
According to DLA Piper Law Firm, certain data deemed ‘special categories data,’ including information about employee age, gender, ethnic origin, race, sexual orientation or data otherwise known as biometric data, will need to be subject to additional data protection practices. This will involve a separate written protocol of how these data are protected and processed by the company in order to avoid discrimination and unfair dismissal.
The data controller in the company will be responsible for issuing a separate ‘special categories data’ protection and processing policy, reviewing the policy occasionally to make sure it complies with the current standards, and informing and training all HR professionals in the business who handle sensitive data about the new GDPR-compliant data handling processes throughout the employment lifecycle.
Time tracking and GDPR – make sure there is ‘legitimate interest’
Some employee time management and tracking records obtained from electronic timeclock solutions such as TrackTime24 may be subject to regulation of biometric data processing in light of GDPR.
For instance, when an employee clocks in by scanning a QR code, if the app records the image of the face of the employee, this can be construed as biometric data processing (Source: DLA Piper).
Employers should ensure that they have legitimate interest in processing such data – e.g. to ensure that the employees arrive on time and really clock-in personally, especially where access to restricted areas is limited to specific individuals and there is a need for strict control by using biometric data, e.g. face/voice/fingerprint recognition software.
Moreover, employers must inform their employees about the rationale behind such data use. According to DL Piper: ‘continuous monitoring of entrance and exit times cannot be justified for purposes such as performance evaluation.’ This means that in order to process employee work time data there needs to be another legitimate interest to do so legally.
Why use time tracking apps now that GDPR comes into effect?
Firstly, using electronic solutions will make data processing record keeping a lot easier. As we have already mentioned above, GDPR will require a lot more record keeping from employers on how personal data is stored and processed in their companies. Keeping such records manually would create several problems and extra work for employers and HR professionals. However, if apps such as TrackTime24 are used, they can easily export data processing reports directly from the app.
Secondly, in accordance with data protection ‘by default’ and ‘by design’ principles of GDPR, employers are legally obligated to implement systems for secure data storage and encryption. Data stored in TrackTime24 is encrypted using the secure socket layer (SSL) technology, which minimizes the risk of data breach or data loss compared to paper records.
All in all, although GDPR may seem to be a large burden for employers, it provides an opportunity to update and streamline employee time management systems in your company. And since the benefits of implementing time-tracking apps in a business are far greater than just compliance with the law – increased employee productivity and engagement, time and money savings, stronger leadership and accountability (see: Why a cloud-based employee time tracking system is a must) - GDPR can provide a great opportunity to transform your business.