Time Tracking: Are you GDPR compliant?

The UK General Data Protection Regulation (GDPR) is a significant legislative act enacted by the European Union that establishes stringent rules for the collection, use, and processing of personal data. The scope of the regulation is broad, and it does not exclude data collected by time tracking software.

Ensuring that time tracking is GDPR compliant is critical not only for ethical data management, but also for avoiding significant financial penalties. GDPR is enforced by the EU in Ireland, and the UK GDPR (which is almost identical to the GDPR) was adopted into law following Brexit and is enforced in the United Kingdom. The Information Commissioner’s Office (ICO), the UK’s independent authority established to protect information rights, has the authority to levy heavy fines on companies found to be in violation of the General Data Protection Regulation (GDPR).


Don’t Risk A Fine For Time Tracking

If a company fails to comply with the GDPR in Ireland, it could face fines of up to €20 million or 4% of its global annual turnover, whichever is greater. In the United Kingdom, the ICO has the authority to levy fines of up to £17.5 million, or 4% of a company’s global annual turnover. These levels of monetary punishment highlight the importance of data protection in the current digital age.

Understanding GDPR’s principles is vital to ensure that time tracking adheres to these regulations. It’s essential to remember that GDPR is not just about protecting data but about safeguarding fundamental human rights, and reassuring your team that you take the safety of their data seriously.



Lawfulness, Fairness, and Transparency

Under GDPR, every process involving personal data must be lawful, fair, and transparent. This principle states that businesses must explicitly inform their employees about the collection and processing of their time tracking data. Furthermore, employees must be able to withdraw their consent at any time.

The principle of lawfulness, fairness, and transparency affects how businesses communicate about time tracking software. It requires businesses to provide clear, understandable information about how they use employee data. This requirement may lead to companies developing comprehensive data policies and training programmes to ensure their employees are well informed.


Purpose Limitation and Data Minimisation

For any business employing time monitoring, the principles of purpose limitation and data minimisation are critical. Companies must justify the necessity for the data they gather and ensure that it is only used for the purpose specified, such as payroll or project management.

Purpose limitation is a natural extension of data minimisation. It requires enterprises to acquire only the data required for a given reason, with no surplus. For time tracking, this means gathering data directly relevant to an employee’s work hours, such as the start and end time of a workday, breaks taken, and tasks worked on. Unnecessary personal data collection, such as an employee’s location, without a legal reason may breach GDPR guidelines. Your Privacy Impact Assessment (PIA) and GDPR policies should detail why you are collecting information.


Accuracy, Storage Limitation, Integrity, and Confidentiality

The GDPR highlights the need for organisations to keep personal data correct and up to date. Employees must be given the option to address any incorrect time tracking data.

Furthermore, GDPR requires businesses to follow storage limitation requirements. That is, time tracking data should be deleted after it is no longer required for its original purpose. Businesses should develop explicit data retention rules that stipulate how long they will keep specific types of data.

Finally, the integrity and confidentiality principle compels businesses to effectively secure personal data. This information should only be accessible to authorised persons. This provision may encourage enterprises to increase their investments in cybersecurity, physical security and data encryption technology.


Implementing GDPR-Compliant Time Tracking – Steps to Follow

Several practical measures must be taken to ensure that your time tracking software complies with GDPR requirements, and all of these should be covered between your Privacy Impact Assessment and your Data Protection Policy:

  1. Get Informed Consent

Businesses should get clear and informed consent from their employees before collecting any personal data. The consent request must be specific, describing why and how the data will be used. If an employee has a legitimate reservation about a specific time tracking mechanism being implemented, they should be able to raise the matter without fear of repercussion. In certain circumstances it may be appropriate to look at a different method of data collection. Good communication with your employees is vital for the successful implementation of a new time tracking system: explain to them the benefits and why this is best for them, not just why it’s good for the company!

Serco Leisure were recently fined by the ICO over their use of facial recognition time tracking. The key points that led to the judgement were that Serco failed to inform their employees in a transparent way, failed to get consent from their employees, and failed to offer them an alternative way of clocking in should they object to using facial recognition.

  2. Collect Only Necessary Data

Businesses should follow the data minimisation principle and acquire just the personal data required for particular reasons. For example, when time tracking, you shouldn’t be gathering GPS data from employees outside working hours as this would be considered excessive.

  3. Secure the Data

Ensure that time tracking data is securely maintained, and only authorised personnel have access to it. This should be documented within your PIA.

  4. Delete Data When It Is No Longer Required

Companies should evaluate their data on a regular basis and remove any material that is no longer needed. It’s best to set these periods of retention at the beginning, when you are scoping out the system, and again, they should be detailed in your PIA.

  5. Appoint a Data Protection Officer (DPO)

If a company processes large volumes of personal data or if the data processing activities carry high risks, the GDPR requires the appointment of a DPO. Part of their role should be to review communication for employees around any new gathering of personal data and to regularly review your data protection policy.


Navigating the time tracking and GDPR compliance landscape can be difficult, but it is an essential component of modern corporate operations, especially with the increased emphasis on data privacy and protection.

Companies can ensure that they are on the right side of the law by understanding and following GDPR requirements around time tracking and clocking in. More importantly, they can respect and protect the privacy of their employees, fostering a culture of transparency and trust that goes beyond mere legal compliance.


If you want to track time better in your business, and do it compliantly, get in touch with our team today. Review your time tracking methodology and efficiency and start seeing productivity gains. Our Consultants are experts in helping you identify the steps necessary to make sure you choose the best and most appropriate system for your business while acting within the law.

If you have more questions about time tracking or clocking in machines, read our comprehensive FAQs 
