How to Configure ActivTrak for GDPR Compliance

NOTE: This article is not intended to replace official legal counsel. We are not legal experts. Please consult your lawyer. We exist to help customers improve their businesses. It’s important for us to show how they can maintain responsible control over the data collected and protect it in accordance with GDPR requirements.

What is GDPR?

GDPR (General Data Protection Regulation) is Europe’s sweeping consumer data privacy law, designed to protect the personally identifiable information of any person who is physically inside the EU (both citizens and non-citizens).

NOTE: Organizations in the UK must maintain GDPR compliance with EU regulations and comply with the Data Protection Act 2018 from January 1, 2021, and beyond.

The regulation explains that if a “controller” is collecting personal data from anyone inside these regions, they must ensure GDPR compliance. A “controller” is a person, public authority, agency, or any other body that collects data.

 

Ensuring Compliance with GDPR while using ActivTrak 

ActivTrak respects data privacy laws in our data-driven approach to analyzing productivity. Our commitment to data privacy and security ensures businesses are GDPR-compliant while achieving business productivity goals. 

In this article, we outline compliance recommendations and specific account configuration steps you can take to ensure your use of ActivTrak complies with GDPR regulations.

5 Recommendations for GDPR Compliance with ActivTrak Workforce Analytics Software

1. Tell employees you want to collect employee data.

A recurring theme in the GDPR is transparency. In this regulation, a person has the right to know their data is being collected – at least in most circumstances. And while there are a few exceptions, you’ll be safer if you inform your employees that you want to gather employee data. Being transparent is a great place to start, and it opens the door to a relationship built on trust.

2. Explain why you want to collect employee data.

It’s not enough to tell your team that you plan to track their activities on their machines. One of the GDPR requirements is that you need to have a meaningful purpose for collecting data, and you need to explain that purpose to your team. The regulation spells it out: “Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

It boils down to having a specific reason or reasons for using ActivTrak and ensuring your team understands those reasons. And if your mission changes and your purposes for collecting data stray from your original intent, inform your team that you’ve made the change.

3. Get permission to gather employee data.

For organizations gathering data on people in the EU and UK, you’ll have to provide documentation that they understand how you plan to collect data and that they consent to it. You can do this in written form. The form should make very clear what the employee is agreeing to, and the consent should be set apart from any other matters. Along with this, note that the employee has the right to withdraw their consent at any time.

In the US, for example, a few states, such as California, Virginia, and Colorado, currently have GDPR-based laws requiring a company to have its team’s permission before gathering data. Though ActivTrak encourages employers to be transparent with their team, we leave it up to the business to make that decision in adherence to local laws and regulations.

4. Be ready to provide the collected employee data.

At any time, a person has the right to access the data you collect. If you’re upfront about what you capture, this shouldn’t be an issue. We made it easy to export and share ActivTrak reports or the entire raw dataset for an unlimited number of users to let them see their performance and how they’ve improved. But if there is a request to see the stored data with regard to the GDPR, you can easily provide it for that reason too.

5. Be ready to delete the collected data.

The GDPR outlines the right of erasure, or “right to be forgotten.” This means that if a person decides they want their information deleted, then in most circumstances, it needs to be erased.

Configuring Your ActivTrak Account for GDPR Compliance 

The table below provides a high-level overview of individual GDPR requirements as well as specific steps your organization can take to ensure your processes and procedures related to your ActivTrak usage are compliant. 

| GDPR Requirement | Recommended Actions | ActivTrak Capabilities |
| --- | --- | --- |
| Process data for proper purposes | Ensure that the data collected is only for employment-related purposes. | ActivTrak capabilities are solely for workforce analytics purposes. |
| Right to Know | Communicate to your employees that you will be deploying ActivTrak and explain how the data will be used. Share with employees the list of data elements captured by ActivTrak. | Share ActivTrak data with employees via the Personal Insights Dashboard or via custom-built reports using BI tools like Power BI, Tableau, etc. so they can identify and report inaccurate information. |
| Right to Access | Provide employees access to their own data. | Share ActivTrak data with employees via the Personal Insights Dashboard or via custom-built reports using BI tools like Power BI, Tableau, etc. so they can identify and report inaccurate information. |
| Right to Object | Employees can object if the data processing is not for employment reasons. Establish a process to capture and process requests from employees to opt out if data is not used for employment reasons. | ActivTrak user delete functionality allows you to delete all data associated with a given employee. Optionally, allow employees to install the ActivTrak Agent on their computers as a way to explicitly opt in. |
| Right to Correct | Establish a process where employees can file a report of incomplete or inaccurate data. | ActivTrak allows corrections to information like activity classification, productivity status, passive time settings, etc. via multiple administrative screens. |
| Right to be Forgotten | This is applicable when the employee is no longer employed with the company or when the employer doesn’t need the employee’s data for employment purposes. Establish a process to capture and process requests from employees to delete their data. | ActivTrak user delete functionality allows you to delete all data associated with a given employee. ActivTrak can process a request to delete your account. |

Being Prepared for Audits

ActivTrak has resources you can leverage in the event of a data privacy compliance audit. They include:

  • Data Retention and History: As an extra level of protection, our system does not retain data beyond an account’s set limits. Admins can also restrict date filters for user roles.
  • Security Alarms: Alarms can be configured to alert you in real time of any potential data privacy or security risks, such as when users export data, change access levels, and more.
  • Security Audit Log: Our Security Audit Log provides a detailed record of changes or logins made to the account.
