UK GDPR and ICO Employment Practices Code: GPS tracking employees lawfully
GeoTapp

UK GDPR and ICO Employment Practices Code: GPS tracking employees lawfully

May 20, 2026 ยท 5 min

Your operations manager wants to roll out GPS tracking next Monday because a customer in Leeds has just asked for proof of attendance on a service contract. Two of your engineers send a polite email to HR objecting on privacy grounds. By Wednesday the union rep is involved. The roll-out gets paused, the customer takes the contract elsewhere, and you spend a fortnight unpicking a Data Protection Impact Assessment you should have done first.

What the ICO actually says, and what most employers miss

The ICO’s draft updated guidance on Monitoring at Work, published in late 2023, did not invent new rules. It restated the ones already in the UK GDPR, the Data Protection Act 2018 and the Employment Practices Code. The three principles that catch employers out are necessity, proportionality and transparency, in that order.

Necessity is the test most rollouts fail. You cannot deploy GPS tracking because it is convenient or because a competitor does it. You must be able to point to a specific operational purpose: timekeeping for payroll, lone-worker safety, evidence of attendance for a regulated contract, or audit-trail for billing. The purpose drives everything else. If the purpose is timekeeping, you cannot then quietly use the same data for performance ranking.

Proportionality is the second filter. Continuous tracking outside working hours is almost never proportionate. Tracking inside the geofence of the site for the duration of the shift is. If a less-intrusive method (badge-in, photo clock-in, supervisor sign-off) would do the same job, the ICO expects you to consider it. A workforce platform that defaults to capturing location only at clock-in, clock-out and break events sits inside that proportionality envelope.

Capture location only at clock-in, clock-out and breaks for one week, and see how the proportionality conversation simplifies.

No credit card, up and running in 2 minutes.

Open your trial
UK GDPR and ICO Employment Practices Code: GPS tracking employees lawfully

Transparency: the privacy notice and the union conversation

Article 13 UK GDPR requires you to tell workers, before the processing starts, what you are collecting, why, on what lawful basis, who can see it and for how long. The lawful basis for workforce monitoring is usually legitimate interests (Article 6(1)(f)), which means you also need a documented Legitimate Interests Assessment balancing the business need against the worker’s reasonable expectation of privacy.

Consent is the lawful basis you should not rely on for ongoing monitoring of staff. The ICO is explicit that consent in an employment relationship is rarely freely given. You ask, the worker effectively cannot say no, and the consent collapses on the first complaint. Legitimate interests, properly assessed and documented, is the durable basis.

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start free trial

Where a union or works representative is involved, the conversation goes faster if you arrive with the LIA, the DPIA and the privacy notice already drafted. Saying you have done the analysis, here is the proportionality logic, here is the data minimisation, here is how workers can raise concerns. That changes the meeting tone from ambush to negotiation.

Data Protection Impact Assessment: when, how, and what regulators read first

A DPIA is mandatory under Article 35 UK GDPR for any systematic monitoring of employees. The ICO publishes a template. The version that survives a complaint runs to about six pages and is signed by the DPO or, if you do not have one, by the senior manager responsible. It documents the purposes, the categories of data, the geofence design, the retention period, the access controls and the residual risks.

The mistake most SMEs make is treating the DPIA as a one-time bureaucratic file. The right pattern is to review it every twelve months and after any material change (new sites, new contracts, new data flows, integration with payroll). When the inspector reads it, they want to see a live document, not a 2024 PDF nobody has opened since.

Subject access requests: prepare for them before they arrive

Sooner or later a worker will send a Subject Access Request. Under the UK GDPR they have a right to a copy of all their personal data, including location history, time stamps and any internal notes about them, within one month. The disorganised employer takes six weeks, asks for extensions, and ends up at the ICO. The prepared employer exports the relevant data in two clicks, redacts third-party identifiers, and sends it within ten working days.

The deeper point is cultural. A workforce that knows the data exists, knows it can be requested, and trusts that requests will be handled lawfully is a workforce that does not file ICO complaints. GeoTapp is built to give you that audit-grade export by default, with retention windows you can set per data category, so the privacy notice you publish matches the system you actually operate.

Picture the next ICO subject access request landing on a Monday morning, and you export the lot in two clicks.

Set UK GDPR retention by data category. Fourteen days, no card.

No credit card, up and running in 2 minutes.

Open your trial

Get articles like this in your inbox

Practical insights on GPS tracking, field operations and GDPR. No spam, just useful content.

Comments

No comments yet. Be the first.

Leave a comment

Try GeoTapp free for 14 days

No credit card required. Get started in 2 minutes.

Start now

ยฉ 2026 GeoTapp โ€” original content. You may quote it and reuse parts with a link to this page. Full republication or commercial use only with our permission.