
Configure ActivTrak for GDPR Compliance

Important: This article is not intended to replace official legal counsel. We are not legal experts; please consult your lawyer. Our aim is to show how customers can maintain responsible control over the data ActivTrak collects and protect it in accordance with GDPR requirements.


What is the General Data Protection Regulation (GDPR)?

The GDPR (General Data Protection Regulation) is the European Union's data protection law. It protects the personal data of individuals (data subjects) who are in the EU, regardless of citizenship, and it applies to any organization established in the EU as well as to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Employee monitoring is monitoring of behaviour, so an employer with staff located in the EU is generally within scope even if it has no EU office.

Note: Since January 1, 2021, organizations in the UK are subject to the UK GDPR (the EU regulation as retained in UK law) together with the Data Protection Act 2018. UK organizations that process the personal data of people in the EU also remain subject to the EU GDPR.

The regulation applies whenever a "controller" processes the personal data of people in these regions. A controller is the natural or legal person, public authority, agency or other body that determines the purposes and means of the processing; an organization that deploys ActivTrak to monitor its own employees is the controller for that data. A vendor that stores or processes the data on the controller's behalf, such as a SaaS provider, is a "processor" with its own, narrower set of obligations.

GDPR compliance & ActivTrak

ActivTrak's data-driven approach to analyzing productivity is designed with data privacy laws in mind. The configuration options described below support GDPR compliance, but compliance itself remains the customer's responsibility as the controller: the tool can enforce retention limits and honour deletion requests, but only you can define a lawful purpose, inform your employees and handle their requests.

In this article, we outline compliance recommendations and specific account configuration steps that help make your use of ActivTrak consistent with the GDPR.

Five key recommendations

  1. Tell employees you want to collect employee data.

A recurring theme in the GDPR is transparency. A person has the right to know that their personal data is being collected and why (Articles 13 and 14), with only narrow exceptions. Relying on an exception is risky; you will be on far safer ground if you tell employees, before monitoring starts, that you collect activity data with ActivTrak. Transparency is also where a relationship built on trust begins.

  2. Explain why you want to collect employee data.

It is not enough to tell your team that you plan to track activity on their machines. The GDPR requires a meaningful purpose for collecting data, and that purpose must be explained to your team. Article 5(1)(b) spells it out: "Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

In practice this means documenting the specific reason or reasons you use ActivTrak (for example, measuring team workload or identifying tooling bottlenecks) and making sure your team understands them. If your purposes change later, inform your team before the data is used for the new purpose, and reassess whether that use is compatible with the original one.

  3. Get permission to gather employee data.

For organizations gathering data on people in the EU and UK, every processing activity needs a lawful basis under Article 6. Consent is one such basis, but regulators (including the EDPB and the UK ICO) caution that consent is rarely freely given in an employment relationship because of the imbalance of power, so many employers rely instead on legitimate interests, backed by a documented assessment, and use consent only where refusal carries no consequence for the employee. If you do rely on consent, Article 7 sets the bar: it must be documented, the request must be clearly distinguishable from other matters (not buried in an employment contract), it must state plainly what the employee is agreeing to, and the employee may withdraw it at any time, after which processing on that basis must stop.

In the US, several states, such as California, Virginia, and Colorado, have enacted comprehensive privacy laws that borrow concepts from the GDPR. Their notice and consent requirements differ, and not all of them cover employee data (California's does; Virginia's and Colorado's largely exclude it), so check the laws that apply to each location where you have staff. Though ActivTrak encourages employers to be transparent with their team, the decision on how to obtain and document permission rests with the business, in adherence to local laws and regulations.

  4. Be ready to provide the collected employee data.

At any time, a person has the right to access the personal data you hold about them (Article 15), and you must generally respond within one month of the request (Article 12(3)). If you are upfront about what you capture, this shouldn't be an issue. ActivTrak makes it easy to export and share reports or the entire raw dataset, so employees can review their own activity and see how they have improved, and the same exports let you answer a formal data subject access request quickly.

  5. Be ready to delete the collected data.

The GDPR gives individuals the right to erasure, or "right to be forgotten" (Article 17). If a person asks for their personal data to be deleted, it must be erased in most circumstances, for example when it is no longer needed for the purpose it was collected for or when consent is withdrawn. The right is not absolute: data you must keep to meet a legal obligation, or to establish, exercise or defend legal claims, can be retained, but you should document that reason and delete the rest. Have a procedure ready so that a deletion request can be honoured promptly rather than improvised.

Configuring your ActivTrak account for GDPR compliance

The list below gives a high-level overview of individual GDPR requirements, the steps your organization can take to keep its processes and procedures around ActivTrak consistent with each one, and the ActivTrak capabilities that support those steps.

Requirement: Process data for proper purposes
  Recommended actions: Ensure that the data collected is used only for employment-related purposes.
  ActivTrak capabilities: ActivTrak capabilities are solely for workforce analytics purposes.

Requirement: Right to Know
  Recommended actions:
    • Communicate to your employees that you will be deploying ActivTrak and explain how the data will be used.
    • Share with employees the list of data elements captured by ActivTrak.
  ActivTrak capabilities: Share ActivTrak data with employees via Personal Insights or via custom-built reports using BI tools like Power BI, Tableau, etc., so they can identify and report inaccurate information.

Requirement: Right to Access
  Recommended actions: Provide employees access to their own data.
  ActivTrak capabilities: As above, share ActivTrak data with employees via Personal Insights or via custom-built reports using BI tools like Power BI, Tableau, etc., so they can identify and report inaccurate information.

Requirement: Right to Object
  Recommended actions:
    • Employees can object if the data processing is not for employment reasons.
    • Establish a process to capture and handle requests from employees to opt out where data is not used for employment reasons.
  ActivTrak capabilities:
    • ActivTrak user delete functionality allows you to delete all data associated with a given employee.
    • Optionally, allow employees to install the ActivTrak Agent on their own computers as a way to explicitly opt in.

Requirement: Right to Correct
  Recommended actions: Establish a process where employees can report incomplete or inaccurate data.
  ActivTrak capabilities: ActivTrak allows corrections to information like activity classification, productivity status, passive time settings, etc., via multiple administrative screens.

Requirement: Right to be Forgotten
  Recommended actions:
    • This applies when the employee is no longer employed with the company or when the employer no longer needs the employee's data for employment purposes.
    • Establish a process to capture and handle requests from employees to delete their data.
  ActivTrak capabilities:
    • ActivTrak user delete functionality allows you to delete all data associated with a given employee.
    • ActivTrak can process a request to delete your entire account.

Preparing for audits

ActivTrak has resources you can leverage in the event of a data privacy compliance audit. They include:

  • Data Retention and History: As an extra level of protection, our system does not retain data beyond an account's configured retention limits, which supports the GDPR's storage-limitation principle (Article 5(1)(e)). Admins can also restrict the date range that each user role is allowed to query.
  • Security Alarms: Alarms can be configured to alert you in real time to potential data privacy or security risks, such as when users export data or change access levels.
  • Security Audit Log: Our Security Audit Log provides a detailed record of logins and of changes made to the account, which is the evidence an auditor will ask for when verifying who accessed or changed what, and when.
  • Data Integrity Verification: Cryptographic signatures verify that activity data has not been modified in transit from agent to backend, which supports the integrity requirement of GDPR Article 32 (security of processing). Tamper detection provides an audit trail of unauthorized modification attempts.
