The ICO updated its workplace monitoring guidance in 2026. The changes hit field service companies directly. If you use an app to track where your workers are, ICO GPS monitoring rules now demand three things you probably do not have: a documented DPIA, a specific privacy notice, and proof that GPS is proportionate.
ICO GPS monitoring: what changed
The ICO made three things explicit. First, GPS tracking must be proportionate. You cannot just say “we need it for the business.” You must prove that less intrusive methods would not work. A phone call, a check-in text, a time sheet, if any of these could achieve the same goal, your GPS tracking is disproportionate.
Second, every employee needs a clear privacy notice before you switch the tracking on. Not a generic data protection policy buried in the employment contract. A specific notice that says: we track your GPS location, here is why, here is how long we keep the data, here is who sees it.
Third, you need a Data Protection Impact Assessment. GPS tracking of employees almost always creates a high privacy risk. The DPIA documents that risk and shows what you did to reduce it. No DPIA means no compliance. Full stop.
Company vehicles vs personal devices
For company vehicles, you have stronger legal ground. Legitimate interest usually applies, the company owns the vehicle and has a right to know where it is. But tracking must stop when the shift ends. A company van parked in your employee driveway at 10pm is not your business.
For personal devices, the rules are tighter. You need explicit consent. The employee must be able to withdraw that consent at any time, without fear of consequences. “Consent” that cannot be withdrawn is not consent at all.






