You sat through the consultation, you ran the impact assessment, you put a line in the handbook telling everyone the vans now carry GPS. The box is ticked, the paperwork is filed, and you breathe out: done, sorted, nobody can come after me now. It is the same calm as someone walking out of the test centre with a fresh licence, convinced they already know how to drive.
The trouble is that the formal step you took is a door, not the room. Informing people, declaring the system, going through the motion of compliance tells you that you are allowed in. It says nothing about what you are allowed to do once you are inside. Between those two things sits the whole difference between feeling compliant and actually being compliant, and it reads like a lawyer’s hair-splitting right up until a fine arrives to remind you there is nothing subtle about it.
A company can do everything by the book at the gate and still get caught for what it does in the room. That is not a hypothetical. In November 2023 the French data protection authority, the CNIL, handed down a wave of sanctions, around €97,000 across ten organisations, against employers who tracked their staff vehicles non-stop, with no way for workers to pause the system during breaks. The systems were known. The staff had been told. The regulator still ruled the tracking an excessive interference with privacy and freedom of movement, because declaring the thing was never the question. How they ran it was.
The step you took answers one question, not all of them
What trips up so many honest employers is the belief that the compliance step they took covers the whole field. It does not, because it only ever answered one question: are we allowed to put this tool in place, yes or no? Whether you went through a works council, ran your impact assessment, or simply notified your people, all of that lives on the access side of the line. Once the system is running, a second chapter opens that the first never touched. It covers what data you collect and what you leave alone, how long you keep it, whether you could reach the same goal with something less intrusive, and above all what you actually tell the people whose movements you are recording.
That second chapter is written by the GDPR, and it has a different bailiff. In Ireland that is the Data Protection Commission, and it does not check whether you announced the system. It checks whether you respected necessity, proportionality, transparency and storage limits. UK readers sit under the same logic with the ICO and the UK GDPR, whose own workplace monitoring guidance is blunt that location data gathered beyond what the job needs, tracking that runs outside working hours, is excessive on its face. Two questions, two different authorities, and you have to satisfy both. Clearing the first one and forgetting the second is precisely the gap the French fines fell through.

What actually counts, beyond the announcement
The guarantees that make the difference are not mysterious. They are just dull, which is exactly why they get skipped. Collecting the minimum counts: a location reading tells you the job was done at that address, it does not need to reconstruct, hour by hour, where a person spent their day. Not tracking continuously counts: a system that pings position all day long hoards a mountain of data you will never use, and the morning a complaint lands, that mountain becomes the evidence against you rather than for you. Deleting what you no longer need counts, instead of stacking years of trails in an archive nobody opens until the wrong person opens it. And above everything else there is the privacy notice: telling your people, in writing and in plain language, what you collect, why, and for how long.
Have you ever announced the system to the room and then never written a single line of a proper privacy notice for your staff? It is more common than it looks, and it is the exact hole the fines come through. Saying the words out loud once is not the same as handing each person the written notice the law actually requires. In that situation your tidy paperwork does not protect you. If anything it shows you knew you were handling sensitive data and stopped paying attention at the easy bit, the announcement, while leaving the rest undone. It is like having a licence and then keeping the loaded gun on the kitchen table: the bit of paper does not absolve you of how you use the thing.






