An email lands in your inbox. Sender: Information Commissioner’s Office. Subject: formal notice of investigation. Any business owner running a field team who reads those words knows exactly what it means — someone has complained, and the ICO is now looking at how you track your workers. The fine doesn’t arrive on the day you expect it. It arrives when you’ve stopped worrying about it.
GPS tracking of field employees is entirely legal under UK GDPR. The problem is that most businesses using it have no idea what makes it legal — and the gap between “we use an app” and “we are compliant” is precisely where the ICO finds its cases.
Contenuti
What UK GDPR actually says about tracking your field workers
The ICO’s guidance on employee monitoring is clear on one point: tracking is lawful, but only when you have a documented lawful basis, a declared purpose, and a transparent privacy notice. The two bases most relevant to field service businesses are legitimate interests (Article 6(1)(f) UK GDPR) and the performance of a contract (Article 6(1)(b)). Legitimate interests requires a balancing test — a written assessment that your need to track outweighs the workers’ right to privacy. Most SMEs have never done one, and the ICO knows this.
The Data Protection Act 2018 supplements UK GDPR with specific employment provisions. Section 10 and Schedule 2 paragraph 5 allow processing for employment purposes where it’s necessary and where requiring consent would prejudice the employment relationship — which is effectively always. This means consent is rarely the right basis for tracking. If your current privacy notice says “we track with GPS and employees have consented,” you may want to revisit it.
The three mistakes that lead to ICO investigations
The first is always-on tracking. The ICO expects data minimisation — your tracking should operate only during working hours and only to the extent necessary for the declared purpose. An app that logs position every 30 seconds throughout a shift, including breaks and travel between jobs, is hard to justify under the proportionality test. It’s not the frequency that’s automatically unlawful; it’s the inability to explain why that frequency is necessary.
The second is an inadequate privacy notice. The employee monitoring guidance published by the ICO is explicit: workers must be told what is being collected, why, how long it is kept, who has access to it, and what their rights are. A clause buried in an employment contract signed three years ago is not a privacy notice — it’s a liability. The notice needs to be current, specific, and actually given to workers before monitoring begins.
The third — and the one that causes the most expensive investigations — is keeping location data longer than necessary. The ICO’s storage limitation principle under Article 5(1)(e) UK GDPR is not flexible. If you collect GPS data to verify job attendance, you need a retention period that matches that purpose. Keeping years of location history “just in case” is a finding that almost always appears in enforcement action.
What you actually need to be compliant
Three things need to be in place before any GPS tracking system goes live. A documented lawful basis — not a general one, but specific to your use case, with a legitimate interests assessment on file if that’s the basis you’re relying on. A current privacy notice that explicitly mentions GPS tracking, states the purpose, retention period, and data access — and has actually been given to every worker who is tracked. And a retention and deletion policy: a written decision about how long you keep location data and why that period is proportionate.
If you run a unionised workforce, there’s an additional layer. The ICO expects employers to consult with trade union representatives or staff councils before introducing or significantly changing monitoring practices. This isn’t a legal veto — it’s a consultation obligation. Skipping it is a procedural failure that tends to appear prominently in complaint investigations.
A useful benchmark for retention: if you track to verify job attendance and handle client disputes, 12 to 24 months of location records is typically defensible. If you track only for real-time routing optimisation, there may be no justification for keeping historical data at all beyond a few weeks.
The distinction the ICO makes that most businesses miss
The ICO’s own guidance draws a line that matters enormously in practice: monitoring to control is different from recording to verify. The first is surveillance — it implies continuous observation of behaviour, and it triggers the full weight of the employee monitoring requirements. The second is job verification — documenting that a worker was at a specific site, at a specific time, for a specific job. The ICO treats these purposes differently, and the gap in compliance burden is significant.
A system that activates GPS only when a job is opened — and deactivates it when the job is closed — producing a sealed record of presence, time and photographic evidence — is built around verification, not surveillance. The lawful basis is clearer. The privacy notice is simpler. The retention period is more defensible. And if a client disputes whether your team was on site, you have evidence that holds up, not just a spreadsheet someone filled in manually.
What to do now
If you’re currently using a GPS app without a documented lawful basis and an up-to-date privacy notice, you are already non-compliant. Not out of bad faith — most tracking tools hand you the technology and leave the legal framework entirely to you. Nobody flags the gap until the ICO letter arrives.
The answer isn’t to stop tracking. It’s to track in a way that is legally grounded: with a declared purpose of job verification, a system that runs GPS only during active jobs, data kept for a defined and proportionate period, and workers properly informed from day one. That’s the model that holds up to scrutiny.
GeoTapp is built on exactly this logic. GPS activates when a job opens and stops when it closes, producing a cryptographically sealed report with location, timestamp and photo evidence. The lawful basis is job certification — not surveillance. Worker-facing documentation is included. If you want to see how it works in practice, this page walks you through it.
Keep reading
Employee geolocation: what the GDPR says and what you can do (practical guide)
18 March 2026
Digital Stamping vs Paper Cards: Real Costs & ROI
18 March 2026
GPS Tracking in 2026: Rules That Changed Everything for Field Teams
8 April 2026
Stop Chasing Hours: Why Field Teams Need GeoTapp
18 March 2026
Manage Field Teams Without the Chaos: GeoTapp
18 March 2026
CCNL Multiservices 2026: Avoid €60K+ compliance risks
2 April 2026