Employee Monitoring in the Era of Data Privacy

In May 2018, the European Union amalgamated most of its existing and newer privacy guidelines to form the basis of the General Data Protection Regulations (GDPR), synchronizing privacy requirements across Europe.

Countries like the United States aren’t far behind, devising newer laws that hold executives criminally liable for data breaches, along with the CCPA (California Consumer Protection Act), which enables California residents to understand what data is being collected about them while also giving them the right to dispute its use. These acts have forced most websites with servers in these regions to update their privacy policies.

The GDPR reformed decade-old privacy laws, keeping a check on today's data-heavy business models in the process.

Other governments, too, are focusing much more on the nuances of data and privacy. The Government of India sanctioned a Data Protection Committee to study regulatory issues related to data privacy in India. The proposed Personal Data Protection Bill includes requirements for notice and prior consent for the use of data, limitations on data processing, restrictions on the amount of data requested, compliance requirements, data localization (with constraints on the transfer of data to servers outside India), and penalties for non-compliance with these regulations.

Privacy compliance requirements are not limited to customer data. Protecting employee data and complying with certain monitoring standards are treated equally under the newly proposed privacy bills.

One of the most common monitoring activities, which may now turn out to be illegal under the newer laws, is monitoring and tracking employees' use of the internet and other services. Software that tracks and analyses internet usage and assesses email traffic can now be used only with the consent of the employee.

It is important to remember that the same set of rights exists for freelancers, contractors and interns who work with the company, as they are treated as employees from a privacy protection standpoint.

Laws like the GDPR also safeguard sensitive employee information against any possible non-compliant processing.

The employer is still allowed to collect data but has to make sure that the monitored data is used strictly for the purpose for which it was obtained, such as data collected to evaluate employee performance. The employer is prohibited from storing or processing this data for further use, and decisions regarding the employee cannot be made solely on the basis of automated monitoring data.

While frameworks that completely safeguard customer and employee data are still a long shot, the efforts have been commendable, to say the least.