GDPR: Example email, internet and technology policies updated

We have revised our model policies on the use of email and internet, telephones and portable electronic devices to comply with the General Data Protection Regulation (GDPR). Our sample "bring your own device to work" (BYOD) and CCTV policies have also been updated.

Why review your documents?

The introduction of the GDPR means that employers should review their procedures and documentation to ensure that:

  • data protection and privacy considerations are embedded;
  • only the minimum amount of personal data is collected and processed for a specific purpose;
  • there is a legal basis for processing personal data; and
  • individuals whose personal data is being processed are provided with privacy notices.

The GDPR, which is in force from 25 May 2018, requires employers to be transparent about the personal data that they hold and how it is used. They also have to show that they are complying with the GDPR's data protection principles.

Information obtained from monitoring an employee's use of email and internet, telephones and portable electronic devices may amount to personal data. It is important that employees are told why data is processed and the legal basis for processing as well as what type of monitoring is carried out.

Employers will generally be able to justify processing data during monitoring on the legal basis that it is in the organisation's legitimate interests to do so. However, employee monitoring should not be disproportionately intrusive.

There are some specific issues for employers around "bring your own device to work" (BYOD) and CCTV policies. A BYOD policy should have strict limits on what "special category data" is processed on personal devices and safeguards in place to prevent data breaches. A CCTV policy should explain what the footage will be used for, who will have access to it, and how long it will be kept before being erased.

We have therefore updated our model policies on the use of technology and employee monitoring to take account of the GDPR as follows:

Email and internet use

Use of email, instant messaging and internet at work policy: Updated with a new section to explain how personal data will be handled during monitoring of email and internet use.

Use of social media policy: Updated with a new section to explain how personal data will be handled during monitoring of employees' social media activity.

Telephone use

Use of mobile phones at work policy: Updated with a new section to explain how personal data will be handled when monitoring mobile phone use.

Making personal telephone calls at work policy: Updated with a new section to explain how personal data will be handled when monitoring the making of personal calls on work telephones.

Use of computers and other electronic devices

Use of hand-held or portable electronic devices policy: Updated with a new section to explain how personal data will be handled when monitoring the workforce's use of the organisation's hand-held or portable electronic devices.

Use of personal devices for work/bringing your own device to work policy Updated to set out:

CCTV use

Use of CCTV policy Updated to set out: