It starts with a letter. Formal, measured, unmistakably serious. The Information Commissioner’s Office has received a complaint from one of your employees regarding the GPS tracking system you use to monitor field workers. They’re requesting your Data Protection Impact Assessment, your lawful basis documentation, your privacy notice to employees, and evidence that tracking is limited to working hours only. You have twenty-eight days to respond. ICO GPS tracking workers cases are rising.
๐ Free tool: see what you need to be compliant country by country with the GPS on workers in the EU guide, 39 European countries, verified at the source.
If you’re like most field service business owners, you installed the tracking app two years ago because a mate recommended it. You told the lads it was for “job scheduling” and left it at that. No DPIA. No written policy. No idea whether the app tracks them on their lunch break or their drive home. You’re not malicious, you’re busy. But the ICO doesn’t distinguish between malice and negligence. The fine is the same.
2026 is the year the ICO shifted from guidance to enforcement on workplace monitoring. Their updated Employment Practices guidance, published in late 2025, makes clear that GPS tracking of employees is a high-risk processing activity that requires a DPIA, a lawful basis, transparency with workers, and strict data minimisation. Complaints about employer tracking have risen 40% year-on-year, and the ICO is acting on them. The question isn’t whether they’ll investigate businesses like yours. It’s when.
If the tracking app you installed has no DPIA behind it, fourteen days on a compliant clock-in close that gap before the ICO does.
No credit card, up and running in 2 minutes.
Open your trialICO GPS tracking workers: expectations
Four things. A Data Protection Impact Assessment that analyses the necessity and proportionality of GPS tracking for your specific business. A lawful basis, typically legitimate interest, but it must pass the three-part test (purpose, necessity, balancing). A clear privacy notice given to every tracked worker before tracking begins, explaining what data you collect, why, for how long, and who sees it. And technical measures to ensure data minimisation, no tracking outside working hours, no location history retention beyond what’s necessary, no access by unauthorised staff.
Most field service businesses fail on at least two of these. The good news: fixing it isn’t hard. It’s a matter of choosing the right system and documenting your decisions. A purpose-built tool like GeoTapp TimeTracker handles the technical side by design – GPS capture only at clock events, automatic data expiry, role-based access controls. You focus on the policy documents; the system handles the rest.






