It starts with a letter. Formal, measured, unmistakably serious. The Information Commissioner’s Office has received a complaint from one of your employees regarding the GPS tracking system you use to monitor field workers. They’re requesting your Data Protection Impact Assessment, your lawful basis documentation, your privacy notice to employees, and evidence that tracking is limited to working hours only. You have twenty-eight days to respond. ICO GPS tracking workers cases are rising.
If you’re like most field service business owners, you installed the tracking app two years ago because a mate recommended it. You told the lads it was for “job scheduling” and left it at that. No DPIA. No written policy. No idea whether the app tracks them on their lunch break or their drive home. You’re not malicious — you’re busy. But the ICO doesn’t distinguish between malice and negligence. The fine is the same.
2026 is the year the ICO shifted from guidance to enforcement on workplace monitoring. Their updated Employment Practices guidance, published in late 2025, makes clear that GPS tracking of employees is a high-risk processing activity that requires a DPIA, a lawful basis, transparency with workers, and strict data minimisation. Complaints about employer tracking have risen 40% year-on-year, and the ICO is acting on them. The question isn’t whether they’ll investigate businesses like yours. It’s when.
ICO GPS tracking workers: expectations
Four things. A Data Protection Impact Assessment that analyses the necessity and proportionality of GPS tracking for your specific business. A lawful basis — typically legitimate interest, but it must pass the three-part test (purpose, necessity, balancing). A clear privacy notice given to every tracked worker before tracking begins, explaining what data you collect, why, for how long, and who sees it. And technical measures to ensure data minimisation — no tracking outside working hours, no location history retention beyond what’s necessary, no access by unauthorised staff.
