Lewis Silkin Senior Associate Sean Illing, CIPP/E, has been at the forefront of advising clients on the ins and outs of British and European employee privacy laws. He also helps his multinational clients coordinate employee privacy strategies and assists them in responding to data subject access requests.

Illing, based in London, started at the firm a year before the EU General Data Protection Regulation was drafted. In the time since, he has become a subject matter expert in the evolving field of employee privacy.

In this Member Spotlight, Illing speaks with IAPP Staff Writer Alex LaCasse about his work. He also explores conditions that may make an employee monitoring program beneficial to companies and offers insights into how the U.K.’s data protection reform effort is progressing, with an eye toward the impending European Commission adequacy decision.

Editor's note: This conversation has been edited for clarity and length.

The Privacy Advisor: How did you get your start in privacy and what interests you most about this field?

Illing: I qualified for the employment team at Lewis Silkin in 2015. And then the (EU) GDPR was drafted in 2016. I wanted to get up to speed on it, so I could be of help. I was interested in the intersection between employment and privacy law. 

The Privacy Advisor: Can you walk me through what your day-to-day work looks like? And what are some of the major issues your clients seek advisement for?

Illing: It's a nice practice. We receive ad-hoc queries from clients with privacy concerns in the workplace.

If the client carries out criminal background checks on their employees, they’ll ask, “Can we do that, and what are the risks of doing that? What do we need to do to learn to mitigate those risks?” And that can be from a U.K. perspective or coordinating an international project with our counsel around the world.

Clients could be concerned about a particular area of their workplace such as covert monitoring if they're concerned about the behavior of an employee. It can be advising on data subject access requests, and following the subsequent complaints that have been received. They might ask how they've handled a request or what they need to do to prevent a complaint being raised in the first place. We get a lot of data subject access requests. So a big part of my practice is dealing with litigious or aggrieved data subjects in the employment context, who are looking for information or want to gain some leverage through putting in complaints.

The Privacy Advisor: You mentioned data subject access requests make up a significant part of your work. Are you finding there has been an uptick in those as EU data protection authorities are increasing their enforcement activities?

Illing: We are seeing an uptick. Claimant lawyers see data subject access requests as kind of the key string to their bow. Previously, it would just be a grievance, and the threat of the claim. Now a DSR is kind of completing that holy trinity of ways to get leverage over somebody.

U.K. Information Commissioner John Edwards was on the "Today" program recently, singing the praises of the right of access, (while) encouraging people to submit details if they had any queries or concerns about the way their data was processed. So, yes, they are becoming more and more of something that employees are using to find out information about themselves.

The Privacy Advisor: You also brought up your interest in employee privacy law. As the world economy begins to move on from the COVID-19 pandemic, do you think more companies will adopt employee surveillance technologies if workforces still prefer to work remotely? Or will companies be less inclined to do so to promote goodwill among their employees?

Illing: It’s a really interesting question because the COVID-19 pandemic forced this seismic change in the way that we work. People have been forced to work from home without companies necessarily being able to put in place what they would have liked to do (to ensure employee productivity). I think if it hadn't happened, companies probably would have wanted to get the software in place first to get the data. But we're in a world where employees have demonstrated that they don't need to be monitored and surveilled in order to produce good work while being able to work from home and be accountable to their employers.

Employee goodwill is a really good point in that employees are going to feel like they are being babied or parented if they're feeling that they're having to be monitored all the time. One of the big trade unions carried out some research that said it does impact employee morale if they are being monitored. We are seeing certain software being adopted, but these are more for kind of performance rather than monitoring. It's primarily used for attendance and keystrokes while sitting at your desk. Employers are looking at the quality or the output of work rather than babysitting and recording the time employees spend on their computers.

I think as the software becomes more available, and as companies look to it as a way to increase productivity to increase profits, it's inevitable that they're going to want to introduce it to their employees. Companies are going to make sure that privacy is built-in from the start, and that they are transparent with employees about why software is being used and how it's going to impact them.

The Privacy Advisor: It sounds like you’re saying there is a healthy balance for companies to strike if they want to pursue some form of employee monitoring program, while not upsetting them at the same time?

Illing: Exactly, I think if the employee can see the benefits, rather than monitoring for monitoring's sake, if they can see what the company has achieved from this, and that goal is reasonable, then I think that that's a better way of going about it.

The Privacy Advisor: Zooming out, what are your overarching thoughts about the U.K.’s data protection reforms, and how do you think they’ll be viewed when the European Commission makes its adequacy decision?

Illing: We've also got a change of government in place, and it looks like the Truss administration is going to be even more potentially fractious with the EU than the Johnson administration. Obviously, we've got this kind of tightrope that we need to walk to show Brexit’s benefits, and the latest bills are trying to demonstrate that we can diverge from the EU.

But we've also got this adequacy decision, and what we don't want is to be left as some kind of pariah state where the EU can no longer send data to the U.K. because it has been labeled as an inadequate jurisdiction.

The Privacy Advisor: Do you think there could be a scenario where the U.K. isn’t granted adequacy by the EU?

Illing: I think any GDPR change by the U.K. will give the EU pause when considering the adequacy ruling. In the U.K., the GDPR is essentially the EU GDPR, with 'U.K.' thrown in. I think what you've also got to look at is other countries that have received adequacy decisions. One would hope the EU would be pragmatic and think, 'Well, actually, there's a huge market in the U.K. that is doing lots of business with the EU.' The extent of the changes is actually not great at the moment. We have these countries around the world that have adequacy, and the U.K.’s data regime has no more of a negative impact on data subjects than those other adequate regimes do. There’s also an element of data protectionism, I think, and politicians might think a popular way to go would be to try to show that Brexit, or any kind of exit from the EU, is not going to be beneficial to a leaving country.