You may well have handheld devices that staff are using as part of their jobs that potentially tell you where those employees are. You may also have tracking fitted to company vehicles for insurance purposes, and both of those are examples of technologies that the Information Commissioners Office has indicated they regard as high risk activities, which require a Data Protection Impact Assessment. You may have done such an assessment when you introduced your technology or software in the past, but you may have done this so long ago that you didn’t even know that you had to when you did.

My suggestion would be that you look at the evidence from the ICO on Data Protection Impact Assessments and conduct one in relation to this activity, to ensure what you’re doing is implemented in as least an intrusive way into employees lives as is practicable. Can your engineers switch off tracking devices in the evening, for example?

You should know that the ICO has published a draft assessment template that you could choose to use, or you could design your own. As part of carrying out the impact assessment you will be required to identify and assess the risks – physical, emotional or material, and where there is a risk of disadvantage or damage to the individual. The draft guidance suggests a structured matrix to do this and gives you an example.

It’s then suggested to identify measures to mitigate the risks for example, making changes to privacy notices. If you can’t take measures to reduce the risks that you have identified, then the ICO has to be consulted and processing isn’t supposed to begin until the ICO has responded.

Their draft guidance clearly only expects a very small percentage of impact assessments to be sent to them. If you fall into this category, then they would be looking at responding to you within eight weeks and it might be useful to telephone them and ask for their advice prior to this.

For further support and assistance in relation to anything to do with the GDPR email us at