The COVID-19 pandemic has been responsible for shifting working arrangements from fixed locations and office hours to remote working, with dispersed teams and flexible working patterns. These changing working environments have led businesses to embrace new ways to monitor their workforce's activity and productivity and to ensure work goals are being met. However, any monitoring or surveillance has legal and ethical ramifications which employers should consider, as getting it wrong can result in hefty fines and reputational damage. In this blog, we discuss what employee monitoring is, the risks involved for employers, and the legal implications for companies to consider.
Employee monitoring is the active observation of workers using digital tools to track, monitor, and assess employee attendance, behaviour, and productivity. With remote working becoming commonplace and a shift towards cloud computing platforms, employers are increasingly beginning to embrace workplace monitoring to ensure their business assets remain safe and secure. Monitoring employee performance and productivity are also reasons why employers want to keep an eye on their employees. It can give employers confidence that the work is being done and provide valuable insight into employee performance whilst placing trust in them that they are conducting themselves responsibly.
There is a plethora of monitoring tools now at the disposal of employers. These range from time, activity or keystroke frequency tracking to something more specific that utilises webcams or captures the text an employee enters. In the right setting, with employees aware and engaged, aspects of these monitoring tools can be useful for tracking productivity, but it is all too easy to cross the line into being intrusive and introducing security weaknesses. There are many examples of appropriate forms of monitoring. These include email analytics programs which track time spent on emails, and time monitoring systems such as electronic timesheets and clocking machines. However, making employees use biometrics for a clocking machine without good cause, or requiring clocking in and out for going to the bathroom, can breach data protection laws. Employers also need to be aware that excessive or inappropriate employee monitoring can violate employment law, the Equality Act and the Human Rights Act.
In addition to the risks of breaching various laws designed to safeguard individuals, employee monitoring tools can also put your business's security in danger. Keystroke logging tools can pose considerable risks to cyber security because they capture confidential data and passwords alongside everything else typed. There are also other considerations businesses need to be wary of when conducting employee monitoring. For example, continuous webcam monitoring could easily capture the personal data of other people living in the house, information that the company is not legally or ethically entitled to collect. This would almost certainly be viewed as excessive and intrusive. If we take a look at work mobile phones, there's a natural need for businesses to track them in case they're lost or stolen. Employers may also monitor the device's usage (such as personal use at company expense or the use of unsafe apps).
Excessive tracking of employees, and the presence and accessibility of the data it generates, can be a serious vulnerability. This could be exploited by insider threats through the theft of data, acts of espionage, or the exposure of that data. Hackers could also exploit the tracking information businesses hold to blackmail employees and to elicit more sensitive data.
If you're thinking about implementing employee monitoring, to proceed safely and lawfully, you will need to make sure:
Employee monitoring is not expressly forbidden in law. However, laws including the GDPR and the Human Rights Act place limits and obligations where it takes place. The GDPR requires that the objective underpinning your activity is both fair and lawful in the first instance. To use surveillance, businesses will need to show that there is a real threat that needs to be combatted. Surveillance must be overt unless there is a strong reason to override this. For example, where abuse of a care patient is suspected, the use of hidden cameras to identify the person responsible is justifiable if it meets the regulations under the Health and Social Care Act. In any case, employees must be told that they could be subject to monitoring. Once you have demonstrated that your activity is fair, you need to show that it's legal. That means that you must not contravene other laws and regulations.
The activity must be necessary to achieve the fair and legal objective. That simply means that if you can achieve your objective in a less intrusive way, then you must do so. For instance, HR will need to know certain health information in order to uphold the rights of employees. However, that data shouldn't make its way into shared folders accessible by managers or be used for anything other than those essential purposes without the meaningful and active permission of the employee. Be careful around permission though, as it is rare for consent to be a valid basis for processing employee data due to the imbalance of power between the employer and the employee.
Data Protection Impact Assessments (DPIAs) allow you to identify and document the objective, benefits, challenges, risks, and lawful implications of your intended processing. A balance of interests test (which may be part of your DPIA) will assist in resolving inherent conflicts between the interests of employees, the public interest, and those of the employer. For many cloud-based tracking solutions, you'll need to ensure you choose a GDPR compliant hosting location such as the UK, EU, or one of the jurisdictions considered adequate by the ICO. Many of the tools will process data globally by default but will allow you to restrict the data to a specified region.
Several employers are facing challenges regarding employee monitoring. These include warehouse operators using trackers to monitor employees. For example, in 2018 Amazon was granted patents for wristbands that would track its warehouse employees' movements and productivity to ensure orders were being fulfilled. It is unclear whether Amazon has yet implemented the technology; however, it raises concerns around workers' privacy rights. Such measures would be seen as excessive by employees and regulators, and in most instances are best avoided.
It's advised you tread carefully if you are thinking about implementing device monitoring in the workplace. Here are some tips on the dos and don'ts of device monitoring to ensure you stay on the right side of the law and comply with employees' privacy rights:
In 2020, the Hamburg DPA fined H&M €35m under the GDPR after it was found to have breached employee privacy. The fine was the largest of its kind since the implementation of the GDPR in the EU. It was reported H&M team leaders were monitoring staff by recording informal interviews after a period of sick leave and collecting data about their personal lives. The data was regularly updated and digitally stored where it could be accessible by up to 50 other managers within the company. The reason for storing this data was to create staff 'profiles' which sat alongside performance evaluations to guide H&M on employment decisions concerning those individuals.
This case demonstrated H&M's neglect of employee data protection and a clear violation of employee privacy. It illustrates the wider issue with employee monitoring and why you need to be certain that it's necessary, lawful, fair, and that the employee knows about it. Companies who abuse employee monitoring could be in breach of data protection laws and risk facing substantial fines.
Employers must consider whether employee monitoring is a more effective way to manage their workforce than simply trusting them. Employee monitoring is not just about the use of technology and shouldn't be underhanded. Any monitoring which is unduly intrusive will be considered unlawful, and the penalties incurred from inappropriate monitoring can be severe under data protection law. It can easily breach an individual's right to privacy, so if organisations are to consider monitoring their workforce, they must have a written policy in place, ensure they are not in breach of data protection laws, and consult with employees on how and why employee monitoring will be implemented.
Richard is a seasoned senior GDPR and data protection consultant who uses his experience in GDPR compliance to write with passion and insight on GDPR and data protection. Heading up Bulletproof's GDPR team, he makes sure that our services and individual data protection consultants are all at the top of their game.