Swedish DPA Reprimands Security Firm for Unlawful Driver Video Surveillance

A Swedish security services company deployed in-vehicle cameras across ~50 patrol cars to monitor driver behavior without establishing a valid legal basis under GDPR, resulting in a formal reprimand from IMY. The company incorrectly assumed that occupational safety obligations and legitimate business interests were sufficient to justify continuous real-time video surveillance of employees. This case highlights that even well-intentioned monitoring programs can violate privacy rights if a proper Data Protection Impact Assessment (DPIA) and lawful basis analysis are not completed before deployment. It matters because employee monitoring is a high-risk processing activity under GDPR, and organizations face reputational and regulatory consequences when privacy-by-design principles are ignored from the outset.

Tactical Insight

Immediate actions

  • Conduct a Data Protection Impact Assessment (DPIA) before deploying any new employee monitoring technology, especially cameras or location tracking.
  • Halt or suspend any active surveillance pilots that lack a documented lawful basis and consult your Data Protection Officer (DPO) before resuming.

Long-term improvements

  • Embed privacy-by-design reviews into all project initiation processes so that data protection requirements are evaluated before technology is procured or deployed.
  • Establish a formal employee monitoring policy that defines permissible use cases, retention limits, and required legal bases (consent, legitimate interest balancing test, legal obligation).
  • Conduct regular GDPR compliance audits of existing surveillance and monitoring tools to ensure ongoing lawful basis and proportionality.

Governance & training measures

  • Train HR, operations, and project management teams on GDPR obligations specific to employee data processing and the conditions under which legitimate interest can be claimed.
  • Require sign-off from the DPO and legal counsel before any pilot program involving personal data collection from employees is launched.