Meeting prospective clients’ due diligence demands Proving your data protection and information security credentials Many businesses provide a service to other businesses, and once the pitch is done and you’re getting closer to signing that vital and lucrative contract, there can be a hurdle to overcome. Namely, meeting the client’s due diligence and supplier set up requirements. For bigger well-known service providers this can be a breeze, but often small-to-medium sized organisations can find themselves grappling to prove their credentials. Requests can sometimes feel exasperatingly detailed, irrelevant or over-zealous. Once you’ve got through the questions about sustainability, environmental impact, modern slavery, diversity, equality and inclusion, there will often be the need to answer questions about your approach to data protection and information security. This will almost certainly be the case where your company’s services involve handling your prospective client’s personal data on their behalf. To use data protection terminology, if the client is the ‘controller’ and your organisation will act as their ‘processor’. It’s important this relationship is clear, as there are specific contractual requirements for controllers-to-processors relationships under EU/UK GDPRs. Both parties need to meet their obligations. Are we a controller or processor? So how can you get ahead of the game and be well-prepared? I’ve put together some key questions you may need to cover off. Some of these points will need to be included in any Controller-Processor Data Processing Agreement. 1. Do you have a Data Protection Officer? Not all businesses need to appoint a DPO (despite most questionnaires expecting you to). If you don’t have a DPO, you may need to explain who in the organisation is responsible for data protection, and may need to be ready to justify why you don’t need a DPO. DPO Myth Buster 2. Do you have a dedicated Information Security team? As well as being able to provide details of where responsibility for information security rests within your organisation, you’re also likely to be required to provide details of the security measures and controls you have in place to protect client data. This could for example be restricted access controls, use of encryption or pseudonymisation, back-ups, and so on. You may be asked if you have any form of security certification or accreditation. Note: For contractual terms, such as a Data Processing Agreement/Addendum it’s likely you’ll need to include a summary of your security measures. 3. What data protection related policies do you have? The most common requirement is being able to demonstrate you have a Data Protection Policy. Namely an internal policy which sets out data protection requirements, and your expectations and standards for your staff. A client could ask to see a copy of this. They might also ask if you have more detailed policies or procedures covering specific areas such as a data retention, individual privacy rights and so on. 4. Where will your processing of client personal data take place? Many clients will be looking to understand if an international data transfer (what’s known as a restricted transfer) will be taking place. Whether this is happening will be dependent on your client’s location and your own location – including the locations of any servers you’ll process client data on. The client may want to confirm there are necessary ‘safeguards’ in place for any restricted transfers, to ensure such transfers meet legal requirements. Examples of these include an adequacy decision, Standard Contractual Clauses (with the UK Addendum if relevant) or a UK International Data Transfer Agreement. They may also ask you about Transfer Impact Assessments. International Data Transfers Guide 5. Do you sub-contract services to third-parties? You need to be prepared to share details of any third-party companies you use to provide your services which involve the handling, including access to, your client’s personal data. These are often referred to as ‘sub processors’. They’re also likely to ask you to confirm in which country these sub-processors are based (i.e. the geographical location where the ‘processing’ takes place). Note: International data transfers and working with sub-processors are key elements of the GDPR mandated contractual terms between a controller and processor. 6. What procedures do you have in place for handling a personal data breach? You may be asked if you’ve suffered a data breach in recent years, and to provide details of your procedures for handling a data breach. We’d recommend all businesses have a data breach plan/procedure/playbook. If you’re acting as a processor for your client, you’ll need to inform them ‘without undue delay’ (often within 24 or 48 hours of becoming aware of the breach). Plus be ready to provide them with all relevant information about the incident rapidly, so they can assess their own data risks and report it to the relevant Data Protection Authority (such as the Information Commissioner’s Office) if appropriate. 7. Do you have a disaster recovery plan and backups? The GDPR doesn’t detail specific requirements around resilience and disaster recovery – this will depend on the nature and sensitivity of the processing. But if you suffer a data breach (particularly a ransomware attack) you’ll want to make your systems have integrity and are fully operational again very quickly after the event. Your clients will expect this if their data could be affected, so expect to be asked tricky questions. 8. Do you have a Record of Processing Activities? You may be asked to confirm you have a Record of Processing Activities and might be asked more detailed questions about your record keeping. 9. Procedures for handling client individual privacy rights requests If you are a processor, handling personal data on behalf of your client, it won’t be your responsibility to respond to privacy rights requests (such as Data Subject Access Requests or erasure requests). However, you may need to assist your client in fulfilling requests relating to the client data you hold. And if you receive a request relating to client data, this must be swiftly sent on to the client. They may ask for evidence of a robust process for doing this. 10. Privacy information Don’t forget your Privacy Notice (aka Privacy Policy). Before a prospective client works with you, they may look at your website and take a peek at the privacy information you provide. If this is off the mark and fails to meet key legal requirements, it could be a warning sign for them that you don’t take your data protection obligations seriously. Privacy Notices Quick Guide The above is by no means an exhaustive list but should help you to be prepared for some of the key areas you may be questioned about. At DPN, we often suggest processors prepare a factsheet or FAQ in advance of receiving these due diligence questionnaires. This can really help put your business on the front foot and demonstrate to your clients you’re on the ball for both data protection and information security. Crucially it speeds up the decision-making and onboarding process, as by being well prepared you no longer have to scrabble around at the last minute. So you can start work for your new client more quickly.
DPN Legitimate Interests Guidance and LIA Template (v 3.0) Published in November 2024 this third version of our established Legitimate Interests Guidance aims to help organisations assess whether they can rely on legitimate interests for a range of processing activities. Routine or more complex activities, such as those involving the use of AI. First published in 2017, this updated version includes an improved LIA template (in Excel) to use when conducting your own Legitimate Interests Assessments. Many thanks to PrivacyX Consulting and Privacy Partnership Law for working with us on this latest version. We’d also like to thank the original Legitimate Interests Working Group of 2017/2018, comprising representatives from a wide range of companies and institutions, who collaborated to produce previous versions. Important UK update: The Data (Use and Access) Act 2025 introduces a new lawful basis for processing into the UK GDPR. This new lawful basis of ‘recognised legitimate interests‘ can be relied up by organisations for specific purposes without being required to conduct a balancing test (i.e. a Legitimate Interests Assessment).
Five top causes of data breaches And how to mitigate the risks Data breaches are like booby traps in movies; some are like the huge stone ball that chases Indiana Jones down a tunnel. Some are sneaky, like the poisoned darts Indie dodges (before he gets chased by a big stone ball!). Nonetheless, like booby traps in Hollywood movies, there are common themes when it comes to data breaches. None of them, to my knowledge, involve being chased by a giant stone ball. And, unlike Indiana Jones, you don’t have to rely on supernatural luck and a sympathetic screenwriter to prevent these breaches occurring. Back to the real world. While the threat of cyber-attacks continues to loom large, here’s an interesting fact; 75% of breaches reported to the Information Commissioner’s Office (ICO) are non-cyber related – caused by ‘human error’. Or, to put it another way, they’re often attributable to a lack of training and robust procedures to prevent someone making a mistake. We’ve delved into ICO reporting figures, and put together a top five of the most common causes of data breaches, together with some top tips on how to mitigate the risk of these occurring in your organisation. Our data breach countdown… Number 5: Ransomware Ransomware is a malicious software used by bad actors to encrypt an organisation’s system folders or files. Sometimes the data may be exfiltrated (exported) too. A ransom demand often follows, asking for payment. The attacker will say this can be paid in exchange for the decryption key and an assurance the data they claim to have will be deleted. In other words, it will not be published on the dark web or shared with others. But there are no guarantees even if you choose to pay the ransom. It’s worth noting the ICO and National Cyber Security Centre discourage paying ransoms. Ransomware attacks can cause a personal data breach, but this may be only one of a number of risks to the business, such as financial, legal, commercial and reputational. These attacks are becoming increasingly sophisticated. It’s now possible for a bad actor to buy an ‘off the shelf’ cyber-attack via the dark web, or tailor a package to suit their needs. How to mitigate ransomware risks Appropriate steps need to be taken to protect systems from these types of attacks. Often this will mean investing more time and money into security measures. Here are just some of the ways to try and prevent attacks: ✔ Implementing Multifactor Authentication (MFA) ✔ Installing antivirus software and firewalls ✔ Use of complex passwords ✔ Keeping all systems and software updated ✔ Running regular cyber security and penetration testing ✔ Monitoring logs to identify threats ✔ Cyber awareness training Also, crucially making sure you have up-to-date and separate backups is the most effective way of recovering quickly from a ransomware attack. Number 4: Postal errors This is a simple administrative error, which can have minor or significant consequences. An item containing personal data is posted to the wrong person. This could be an invoice sent to the incorrect person, exam results put in the wrong envelope or medical information sent to the wrong patient. Breaches of this nature can happen by: ► using incorrect addresses ► using old addresses ► mistakenly including more than 1 letter in the same envelope ► mistakenly attaching documents relating to another person to a letter How to mitigate post breach risks ✔ Robust training and regular reminders! ✔ Using a check list e.g. Step 1) Check the address is correct when drafting a letter. Step 2) Check again after printing. Step 3) Check again before it does in the envelope. Number 3: Unauthorised access As the name suggests this is someone gaining access to personal information they shouldn’t have access to. This can be an external or internal threat. To give some examples; ► Exploiting software vulnerabilities: Attackers can exploit software vulnerabilities to gain unauthorised access to applications, networks, and operating systems. ► Password guessing: Cybercriminals can use special software to automate the guessing process, targeting details such as usernames, passwords and PINs. ► Internal threats: Unauthorised access and use of personal data by employees or ex-employees. Here are some real-life cases: ● 2022 – a former staff advisor for an NHS Foundation was found guilty of accessing patient records without a valid reason. ● 2023 – a former 111 call centre advisor was found guilty and fined for illegally accessing the medical records of a child and his family. ● 2024 – a former management trainee at a car rental company was found guilty and fined for illegally obtaining customer records. Accessing this data fell outside his role at the time. How to mitigate unauthorised access risks Here are just some of the ways of reducing your vulnerability to these types of breaches: ✔ Applying the ‘principle of least privilege’ – this sets a rule that employees should have only the minimum access rights needed to perform their roles. ✔ Strong password management e.g. make sure systems insist on complex passwords and prevent users sharing their access credentials. ✔ Monitoring user activity Number 2: Phishing attacks Phishing is when attackers send scam emails or text messages containing links to malicious website. Often they try to trick users into revealing sensitive information (such as login credentials) or transferring money. Any size of organisation is a potential target for phishing attacks. A mass campaign could indiscriminately target thousands of inboxes, an attack could specifically target your company or an individual employee. Attacks are becoming increasingly sophisticated, and scam messages are made to look very realistic. Sometimes they will know who you do business with, and change just one letter in an email address, so you think it’s from an organisation you know. Mitigating phishing attack risks Here are a few tips for some of the ways you can reduce the risk of falling victim to a phishing attack. ✔ Training and awareness to help employees identify spoof emails and texts ✔ Setting up DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent bad actors spoofing your website domain Also see NCSC phishing guidance Number One: Email Errors Yup, the top cause of data breaches is still email. Emails sent to the wrong recipient(s) or accidentally using CC for multiple recipients (thereby revealing their details to all recipients). A breach of this nature can be embarrassing, and/or can have serious consequences. To give an example: The Central YMCA sent emails to individuals participating in a programme for people living with HIV. The CC field was used by accident, thereby revealing the email addresses to all recipients. People on the list could be identified or potentially identified from their email addresses and it could be inferred they were likely to be living with HIV. Mitigating email breach risks Here are some of the ways you can try and prevent email errors occurring: ✔ Don’t broadcast to multiple people using BCC (it is too easy to make a mistake).Instead use alternative more secure bulk email solutions. ✔ Set rules to provide alerts to warn employees when they us the CC field. ✔ Turn off the auto-complete function to prevent the system suggesting recipients’ email addresses. ✔ Set a delay, to allow time for errors to be corrected before the email is sent. ✔ Make sure staff are trained about security measures when sending bulk communications One of the biggest weapons in the data protection arsenal is training and awareness. We recently worked with a client who was using an excellent cyber-security training module, which staff had to complete not once, but twice a year. However, training on its own is unlikely to be enough. Regular reminders and updates are needed too. Near-misses and high-profile cases in the media can be used to get the message through. Here’s a real-life example of a genuine disaster, one I would definitely share. You can just imagine how this happened. The Police Service of Northern Ireland (PSNI) experienced a horrendous, life-changing data breach entirely of its own making. Hidden fields in a spreadsheet disclosed in a Freedom of Information Request revealed the personal details of their entire workforce, including their job description and places of work. It was assumed the list subsequently fell into the hands of paramilitary organisations, leading to an enormously disruptive and expensive personal security review. ICO PSNI fine The PSNI case also illustrates how some of the worst data protection hazards are those we set for ourselves. Not a big stone ball or poison darts. Simply a human error on a spreadsheet, an error adequate in-house procedures failed to prevent or identify. How many such hazards are spread across your organisation?
ICO fine for Police Service of Northern Ireland What went wrong and what can we learn from this data breach? You may recall the awful data breach last summer by the Police Service of Northern Ireland (PSNI). The personal details of its entire workforce (9,483 officers and staff) were accidentally exposed in response to a Freedom of Information request. The dreadful mistake left many fearing for their safety with an assumption the information shared got into the hands of dissident republicans. This was a simple mistake involving a spreadsheet, which ALL organisations should take heed of. The ICO has announced a £750,000 fine and says simple-to-implement procedures could have prevented this serious breach. If the ICO had not applied its discretionary approach for the public sector, the fine would otherwise have been £5.6 million. But in assessing the level of the fine, the current financial position of the PSNI and a desire not to divert public money from where it’s needed, were taken into account. A commercial organisation would have faced a much heftier financial penalty. What went wrong? The PSNI received two Freedom of Information requests in August 2023 from the same person. These came via WhatDoTheyKnow (WDTK); a platform which helps people submit requests and publishes responses. The requests were for information about the number of officers at each rank and number of staff at each grade, and some other details. This information was downloaded in the form of an Excel file from the PSNI’s HR system and included personal data relating to all employees. During the analysis, multiple other worksheets were created within the same file. Once completed all visible worksheets were deleted. But when the file was subsequently uploaded to the WDTK website, it emerged a hidden worksheet remained containing personal details. This had gone unnoticed, despite quality assurance. More detail is available in the ICO Penalty Notice. In this case the evidence of the distress and harm caused by this data breach was evident. The ICO has published some of the comments from police officers affected, including: “How has this impacted on me? I don’t sleep at night. I continually get up through the night when I hear a noise outside to check that everything is ok. I have spent over £1000 installing modern CCTV and lighting around my home, because of the exposure.” In announcing the penalty fine, John Edwards, UK Information Commissioner said: “I cannot think of a clearer example to prove how critical it is to keep personal information safe… Let this be a lesson learned for all organisations. Check, challenge and change your disclosure procedures to ensure you protect people’s personal information.” What lessons can we learn? While this is a particularly serious case, the ICO says mistakes when disclosing information via spreadsheets are nothing new. Public Authorities in particular are being urged to make sure robust measures are in place to make sure personal information is kept safe and the risk of human error is reduced. The regulator has published a useful checklist for any disclosures made using Excel: ✔ Delete hidden columns, rows and worksheets that are not pertinent to the request ✔ Remove any linked data from pivot tables, charts and formula which are not part of the request ✔ Remove all personal data and special category data which is not necessary to provide to fulfil the request ✔ Remove any meta data ✔ Make sure the file size is as you’d expect for the volume of data being disclosed ✔ Convert files to CSV More information is available in an ICO Advisory Note Crucially, organisations need to make sure all staff involved in the disclosure process have been given appropriate training. It’s too easy to point the finger at individuals for making mistakes, when it’s often a lack of robust procedures, training and final ‘pre-send’ checks which are ultimately to blame.
AI in the workplace survey report Business grapple with AI governance AI governance is described as being in its infancy by Data Protection Officers and those who work in data protection related roles. Many are concerned employees are using AI tools for work purposes without telling anyone. This is just one of a number of concerns DPOs have about AI use. Many organisations have yet to decide who should be responsible for governing AI and managing the potential risks. These are just some of the findings of our 2024 AI in the Workplace Survey. Learn more in our survey report:
How to prevent DSAR complaint escalation Nearly forty thousand complaints were received by the Information Commissioner’s Office in the past year. Staggeringly, 39% of them concerned people’s Right of Access according to the ICO’s Annual Report 2023/24. Handling Data Subject Access Requests (aka DSARs or SARs) can be fraught. Often those requesting a copy of their personal data are already disgruntled, be it an employee going through a grievance procedure or a dissatisfied customer. This means requestees are often quick to react if the statutory deadline is missed. They may also closely scrutinise your response, looking for any mistakes or omissions. Or their solicitor will. Any requestee has the potential to become dissatisfied and escalate matters to the ICO. More than a decade ago, I was handling a request and missed the deadline by 24 hours. Much to my frustration they’d had already fired off their complaint to the ICO, and this was pre-GDPR! I know of many businesses who’ve received letters from the ICO following a DSAR complaint. These will usually ask you to address the issues raised directly with the individual – and quickly! However, if your organisation racks up too many ICO complaints, the regulator is likely to delve deeper. This delving has led to a number of ICO DSAR-related reprimands being issued. Most recently, the Labour Party has been in the spotlight for ‘repeatedly failing to respond to people who asked what personal information the party held on them’. A backlog of requests mounted up after a cyber attack in October 2021, with the ICO receiving 150 complaints. During its investigation, the ICO discovered 78% of people had not received a response within the maximum extended timescale of three months and more than half were delayed by over a year. They also found an unmonitored ‘privacy inbox’ was overflowing with hundreds of DSAR and erasure requests – none of which received any form of response whatsoever. Hopefully most organisations will avoid such a catalogue of problems, but it’s still worth remembering certain factors can prompt a spike in DSAR requests. In this case a cyber attack, but a non-cyber data breach could also create a surge. Similarly, a business restructure might prompt a rise in employee-related requests. And let’s not forget the random factor – like Mr Farage’s very public DSARs to NatWest, which not only led to NatWest getting an increase in requests, but reportedly had a knock-on effect on other banks too. Here are my tips for getting on the front foot and mitigating the risk of complaint escalation. 6 golden rules for managing DSARs 1. Staff awareness & a sense of urgency A request can be submitted in writing, verbally or even via social media. It doesn’t matter who in the business receives a request. Employees all need to be able to recognise them (and other privacy rights, such as erasure), and know what to do if they receive or spot one. Failing to do so puts you on the back foot straight away. Everyone needs to be aware time is of the essence, so training and clear guidance is essential. Refresh it too, with friendly reminders. Quick checklist: ✓ Individual privacy rights are covered in new starter and refresher training. ✓ Ongoing awareness via posters, intranet posts, newsletters etc. ✓ Specialist training for those involved in the process of fulfilling requests. 2. Robust procedure A clear procedure which walks relevant staff through the key steps and considerations is invaluable, especially for times when key people aren’t available and someone else has to pick up the reins. Procedures should clearly set out how to retrieve the data, the collation and assessment stage, what to redact (or extract), when exemptions might apply and so on. Without this, a lot of knowledge could walk out the door when a key person leaves the business or is not available in cases of long periods of absence like maternity or sickness leave. 3. Adequate resourcing Businesses receiving a significant volume of requests are likely to have a dedicated person or team to handle them. They might also have sophisticated software to help speed up the process. But for those who have low or fluctuating volumes, it can be tricky to judge how many people need to understand the process and manage requests. In my experience, often the one or two people who have to handle requests end up snowed under for weeks and completely distracted from their day jobs when a DSAR lands on their desk with an ominous thump. What happens if your go-to DSAR person is not available? The clock is ticking. You also need to factor in how to handle any spike in requests – seen or unforeseen. Have you got other adequately trained staff, or alternative resources on standby to cover higher volumes? There was a case in Belgium where the Data Protection Authority ruled the person who normally handled DSARs being on long-term absence was no excuse for a late response. I think the UK’s ICO would take a similar stance. 4. Assigned responsibilities While one person or a team may have ultimate responsibility for managing DSARs and responding to them on time, it’s likely others across the business will need to support them. For example, your IT team may play a significant role in retrieving the data, or HR may need to be closely involved in an employee-related DSAR. It helps to make sure it’s clear who’s responsible for retrieving the data, reviewing the data, applying exemptions, apply redactions, reviewing the response, approving it and sending it out securely. 5. Managing expectations and communicating This is my personal favourite; quite often requestees don’t quite understand what a DSAR really entitles them to, so it pays to set out your stall from the start. Explain what the right is and what they can expect to receive. Tell them you have a duty to protect the privacy of others, that it’s not a right to documentation and that exemptions may apply. Keep in touch with requestees, and dare I say it, even pick up the phone and talk things through. Confrontation can sometimes be defused – I’ve known of DSARs being withdrawn after a decent chat (and with no pressure whatsoever applied). 6. Polished response A good covering letter can go a long way to satisfying the individual that you’ve made every effort to fulfil their request. This can for example explain; ✓ The personal data being provided ✓ Some of the internal processes (where appropriate) ✓ Redactions have been applied to protect the privacy of others (if relevant) ✓ Why an exemption has been applied (if relevant) ✓ Legally necessary supplementary information, (or a link to a Privacy Notice if this covers matters sufficiently) The above is by no means an exhaustive list and I’m a big fan of a template response letter which can be adapted as needed. Finally, don’t forget to inform people about their privacy rights such as the right to object, erasure, rectification and access. Privacy notices should set out these rights, and it should be clear how people can submit a request. And of course, tell them they have the right to raise a complaint with the ICO (with fingers firmly crossed they don’t). Check out our DSAR Guide for more tips on seeking clarification, retrieving the data, complex requests and applying redactions.
Data Protection Impact Assessments Guide A quick guide to managing DPIAs This short guide to Data Protection Impact Assessments covers what a DPIA is and when it’s mandatory to conduct one under UK GDPR and EU GDPR. It also includes helpful tips on how to manage the process. DPIAs not only help to protect people’s data, they also help to protect the business.
Monitoring employees and data protection Is it transparent, reasonable and proportionate? There are plenty of reasons why employers might want to monitor staff; to check they’re working, to detect and prevent criminal activity, to make sure people are complying with internal policies, to check their performance, for safety and security reasons, and so on. With significant advances in technology, there are multiple options available for employees seeking to monitor their workforce, such as: Camera surveillance, including CCTV and body worn cameras Webcams and screenshots Monitoring timekeeping or access control using biometric data Keystroke monitoring Internet tracking for misuse Covert audio recording Add the growing number of AI-powered solutions into the mix, and the opportunities are seemingly endless. I’ve even seen demos of AI tools which sentiment check emails; scanning the language employees use to detect content which might be discriminatory, bullying or aggressive. Just because a range of monitoring technologies exist, doesn’t mean we should use them. A survey commissioned by the UK’s Information Commissioner’s Office in 2023 revealed almost one in five people believe they’ve been monitored by their employer, and would be reluctant to take a job if they knew they were going to be monitored. This research showed 70% of the public believe it’s intrusive to be monitored in the workplace. However, there is a broad understanding employers might carry out checks on the quality and quantity of their work and an appreciation there may be a necessity to do this proportionately to meet health and safety or other regulatory requirements. Emily Keaney, the ICO’s Deputy Commissioner of Regulatory Policy says “While data protection law does not prevent monitoring, it must be necessary, proportionate and respect the rights and freedoms of workers. We will take action if we believe people’s privacy is being threatened.” Earlier this year, the ICO did just that, and ordered a Leisure Company to stop using biometric data to monitor their staff. You can read more about the case here: using biometrics to monitor staff To prevent monitoring employees in an overly intrusive and disproportionate way, it’s crucial to carefully consider any planned monitoring activity and make sure it’s a reasonable thing to be doing. Workplace monitoring checklist Here are some of the key considerations to take into account: 1. Is it `lawful, fair and transparent? To be lawful you need to identify a lawful basis under UK GDPR and meet relevant conditions. Remember, consent would only work where employees have a genuine and fair choice. Often an imbalance of power means consent is not appropriate in an employee context. Employees may feel duty-bound to give consent and therefore there may be an imbalance. You may be tempted to rely your employment contract with individuals, (i.e the ‘contractual necessity’ lawful basis) but this would need to be genuinely necessary. Many employers may choose to rely on legitimate interests, but this requires a balancing test, and we’d highly recommend conducting and keeping a record of your Legitimate Interests Assessment (LIA). To be fair you should only monitor workers in ways they would reasonably expect, and in ways which wouldn’t have unjustified adverse effects on them. The ICO says you should conduct a Data Protection Impact Assessment to make sure any monitoring is fair and proportionate. To be transparent you must be open and upfront about what you’re doing. Monitoring should not routinely be done in secret. Monitoring conducted without transparency is fundamentally unfair. There may however be exceptional circumstances where covert monitoring is justified. 2. Will monitoring gather special category data information? If monitoring involves special category data, you’ll need to identify a special category condition, as well as a lawful basis. Special category data includes data revealing racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health or data about a person’s sex life or sexual orientation. You may not automatically think this is relevant, but be mindful even monitoring emails, for example, could, without appropriate controls in place, lead to the processing of special category data. 3. Have you clearly set out your purpose(s) for employee monitoring? You need to be clear about your purpose(s) and not monitor workers ‘just in case’ it might be useful. Personal details captured should not subsequently be used for a different purpose, unless this is assessed to be compatible with the original specified purpose(s). 4. Are you minimising the personal details gathered? Organisations are required to not collect more personal information than they need to achieve their defined purpose(s). This should be approached with care as many monitoring technologies and methods have the capability to gather more information than necessary. You should take steps to limit the amount of data collected and how long it’s necessary to retain it for. 5. Is the information gathered accurate? You need to take all reasonable steps to make sure the personal information gathered through monitoring workers is accurate and not misleading, or taken out of context, and people should have the ability to challenge the results of any monitoring. 6. Have you decided how long information will be kept? Personal information gathered must not be kept for any longer than is necessary. It shouldn’t be kept just in case it might be useful in future. Organisations must have a data retention schedule and delete any information in line with this. The UK GDPR doesn’t tell us precisely how long this should be, but other laws might. Organisations need to be able to justify any retention periods they set. 7. Is the information kept securely? You must have ‘appropriate technical and organisation measures’ in place to protect personal information. Technical measures include things like firewalls, encryption, multi-factor authentication, and so on. Data security risks should be assessed, access should be restricted, and those handling the information should receive appropriate training. If monitoring is outsourced to a third-party processor, you’ll be responsible for compliance with data protection law. 8. Are you able to demonstrate your compliance with data protection law? Organisations need to be able to demonstrate their compliance with UK GDPR. This means making sure appropriate policies, procedures and measures are put in place for workplace monitoring activities. And let’s also consider any monitoring of workers who work from home, or other ‘offsite’ locations. As with everything this must be proportionate to the risks. The ICO says organisations should make sure ‘overall responsibility for monitoring workers rest at the higher senior management level’. Monitoring people is by its very nature intrusive, it must be proportionate, justified and people should in most circumstances be told it’s happening. The ICO has published detailed guidance on this: Employment practices and data protection: monitoring workers and the regulator’s overriding message is organisations should carry out a DPIA if they’re considering monitoring their staff.