Data protection by design and default

The GDPR introduced the concept of data protection by design and default. In an employment context, this means that an employer must consider at the outset — before new data is collected or used for any purpose — how they are going to build safeguards into their systems. In some cases, this will include a requirement to carry out a data protection impact assessment (DPIA), and this will almost certainly be the case if an employer intends to carry out monitoring of workers (see page 18).

Employers should design systems that will only process the personal data that is necessary for each specific purpose: this applies to the amount of data collected, the extent of the processing, how long it is kept, and who can access it. Monitoring systems that process more information than is necessary are likely to be unlawful.