Are employee monitoring and data loss prevention solutions legal in a GDPR-governed world? What requirements are placed on them, and what is the best way to implement them?
Over the years WorkExaminer has become a popular tool for employee monitoring in the European Union. That is why we decided to put together this guide on some of the ways it can be implemented in full compliance with the GDPR:
- Create a GDPR-compliant policy framework
Before you implement employee monitoring, you first need to create a policy framework. That framework should specify what data you are going to collect and why you are collecting it.
WorkExaminer can collect many types of data, including emails, online activity, IM conversations, and more. But you need to explain why you are collecting that data and how it will be used.
- Get your employees involved
Try to get your employees involved when you draw up your policy. Don’t just notify them: install the free trial version and let them see WorkExaminer in action, showing them how it collects data and reports on it.
- Always be transparent
As a rule you should be as transparent as possible, every step of the way. You could, for example, set up WorkExaminer to send a copy of its reports to employees, or give them access to its data in some other way, so they can see what is being gathered.
- Ask for their consent
The best way to make sure your monitoring is above board is to get consent from your employees. If possible, ask them to sign off on the policy, and you may also want to set up the software to request consent each time it runs.
- Define and restrict access to personal data
Defining personal data and restricting access to it reduces the risk of sensitive data being exposed. To do that you need to understand what counts as personal data under the GDPR, broad as that definition is.
In WorkExaminer you can not only decide which types of data to collect, but also control who has access to some of that data. Additionally, it lets you monitor file transfers and other potential leaks.
- Prepare to handle requests based on the rights of data subjects
The GDPR stipulates that individuals (i.e. data subjects) have eight specific rights regarding their data, and they can make requests based on those rights. For your part, you need to be prepared to deal with any requests that are made.
That may entail setting up WorkExaminer so that it can deliver the relevant data to fulfil some of those requests.
- Adopt a minimal approach
Generally you should only use WorkExaminer to monitor and collect data that you absolutely need. For example, although it can capture and log keystrokes, you may not want to activate that feature unless there is a strong reason why you need that information.
- Capture the necessary forensic data
Last but not least, the GDPR sets out that you have a responsibility to report incidents involving personal data, and the WorkExaminer monitoring software can play a vital part in that. The forensic data it collects will help facilitate the reporting of any incidents.
Overall, WorkExaminer can not only be used legally under the GDPR if you structure its use correctly, but can also be an invaluable tool for enabling GDPR compliance. By using it carefully you can protect your data, avoid data breaches, and fulfil the requirements of the new regulation, all at the same time.