Hybrid Work in 2026: The Monitoring Rules HR Keeps Getting Wrong
Most employee-monitoring deployments since 2020 are unlawful under EU privacy rules. Here's what GDPR, the EDPB and the ICO actually require — and the workable middle path.
Hybrid work normalised faster than the legal framework around employee monitoring. Many of the productivity-tracking tools that proliferated in 2020-2022 — keystroke loggers, screen-capture systems, AI-based focus scoring — operate in a way that would not survive a GDPR audit. The 2024-2025 round of enforcement actions across the EU has made that clear in print, and 2026 is the year HR teams need to clean up their stack.
What the regulators have actually said
The European Data Protection Board's guidance on employment sets the baseline: any monitoring must be proportionate, transparent, and based on a lawful ground under GDPR Article 6. The UK's Information Commissioner's Office issued detailed guidance on monitoring workers in October 2023 with an unambiguous framing: covert monitoring is almost never justified, and overt monitoring requires a documented Data Protection Impact Assessment.
The five practices that no longer survive scrutiny
- Continuous keystroke logging. Disproportionate to almost any legitimate business need. Time-tracking should infer activity from explicit user input or calendar context, not raw keystrokes.
- Always-on screen recording. The EDPB has repeatedly flagged this as failing the proportionality test for general workforce management. Limited use in regulated industries (finance compliance) survives only with strong safeguards.
- Webcam capture without consent and notice. Several member-state regulators have issued six-figure fines for this practice in 2023-2024.
- Location tracking outside working hours. Even with company-provided phones, tracking the device when the worker is off-duty is rarely defensible.
- "AI productivity scoring" without explanation. Between the EU AI Act's high-risk classification and GDPR Article 22's restrictions on automated decision-making, an opaque score that drives performance reviews is a stack of legal problems.
What does work
The middle path most regulators accept is what HourSquare's time-tracking module implements by default:
- Worker-initiated time entries (start, stop, project) with optional manual review
- Aggregate, not individual, productivity metrics for management dashboards
- Calendar-based presence inference (no keystroke or screen capture)
- Clear notice to workers about what is captured, retained, and visible to whom
- A documented Data Protection Impact Assessment kept on file
The Eurofound research on telework consistently finds that trust-based arrangements with light-touch monitoring outperform heavy surveillance on both productivity and retention metrics. The compliance case and the operational case point in the same direction.