Balancing surveillance, security, and data protection risk

Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
April 7, 2025
Organisations across sectors are accelerating their investment in fraud prevention and employee surveillance technologies. These tools promise to detect misconduct before it escalates, protect sensitive assets, and reduce internal risk exposure. But as the sophistication of these systems grows, so too does the volume of personal data they capture — often without sufficient scrutiny. For senior leaders, this raises a serious question: are the very tools intended to shield the business now introducing a new layer of legal and reputational risk?
Sophisticated fraud analytics platforms now leverage behavioural patterning, anomaly detection, keystroke logging, and even sentiment analysis to flag potential insider threats. For example, financial institutions use layered surveillance to track unauthorised data transfers, mass downloads, or deviations from typical access patterns. Retail firms deploy real-time monitoring tools to detect transactional fraud or stock manipulation. In the technology sector, software development environments are increasingly subject to activity logging to guard against intellectual property theft. These are commercially sound strategies — but they must be approached through a lens of proportionality and necessity.
The challenge arises not from the existence of such tools, but from the manner in which they are implemented — often hastily, in response to perceived gaps in control, without adequate governance or data protection oversight. The intent may be defensible, but intent alone will not suffice when facing a regulator, a tribunal, or a reputational incident triggered by overreach. Organisations must demonstrate that their monitoring activities are lawful, fair, and transparent, with clear boundaries that are understood by both operators and employees.
As data protection professionals, we must challenge the premise that security and privacy are mutually exclusive. The use of employee surveillance must be anchored to clearly defined purposes, subject to strict access controls, and communicated with transparency. The practice of silent monitoring — such as the covert use of screen-recording software or location tracking without proper legal basis — can erode trust and expose an organisation to regulatory scrutiny. The Information Commissioner’s Office in the United Kingdom has already signalled that employee monitoring will be a regulatory priority, especially when deployed without a lawful basis or when carried out in a manner that is excessive relative to the risk being mitigated.
There is also a human dimension that cannot be ignored. Excessive surveillance can foster a culture of suspicion, reduce morale, and damage the psychological contract between employer and employee. Where staff feel they are being watched without justification, performance suffers, trust breaks down, and talent retention becomes more difficult. Security does not exist in a vacuum — it must coexist with ethics, accountability, and organisational culture.
Crucially, there is a growing disconnect between the security departments implementing these technologies and the data protection functions tasked with oversight. This siloed approach is unsustainable. A Data Protection Impact Assessment (DPIA) must be a precondition to any monitoring deployment. DPIAs are not simply a legal requirement — they are a mechanism to challenge assumptions, interrogate necessity, and surface risks early. Employers should not wait for a complaint, breach, or subject access request to interrogate the legality of their tools. By then, the damage may already be done.
Executives must demand better questions from their teams: Is this tool necessary, or merely convenient? Does it target a specific risk, or surveil broadly? Have we documented our reasoning, and would we be comfortable explaining it to a regulator or tribunal? Are the people affected aware, and do they understand the limits of what is being collected and why? These are not operational questions — they are strategic imperatives.
Ultimately, the goal is not to inhibit fraud prevention, but to ensure that such measures are implemented with rigour, respect, and restraint. It is entirely possible to build a security function that is both robust and rights-respecting. The companies that succeed in this will not be those with the most aggressive monitoring systems, but those who align their controls with law, logic, and leadership. Privacy is not the enemy of security. It is the mark of a mature, defensible, and ethically grounded security strategy.