You may be forgiven for thinking that data protection doesn’t really have a lot to do with a mystery shopping program. But in fact, it’s important to ensure that your mystery shopping program protects your employees’ personal information in order to be compliant GDPR (General Data Protection Regulation).

Without safeguards, your mystery shopping program might be collecting and processing personal data on your employees without you realising it, or without understanding the implications.

During the course of a mystery shop visit, a mystery shopper will likely interact with your employees and team members. It is commonplace for mystery shoppers to note the name or provide a description of the team who served them. They may even have a video recording or an electronic recording if the visit is completed over the telephone. Therein lies the problem. If information is collected and processed on your employees you should ask yourself these questions: Do we have a legal basis for processing your employees personal data in that way? And more importantly, do your employees have a reasonable expectation that their personal data might be collected and processed?

With this in mind, it is important to remember a couple of things:

  1.        Remember that the definition of personal data is broad!
    1. Personal data is not restricted to direct identifiers only, such as name. It includes any information relating to an identified or identifiable individual, where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. If you can identify an employee from the description provided by a mystery shopper, you and your mystery shopping provider will be processing your employee’s personal data.
  2.        Make sure that you have identified the appropriate legal basis so that you can process their personal data.
    1. Our assessment suggests that “legitimate interest” will likely be the most appropriate basis for processing the data. Using “consent” within an employment relationship as the basis for processing is problematic, and there are certain practical elements which might make compliance with the GDPR Article 7 conditions difficult to demonstrate. For example, a mystery shopping program is essential to ensuring  operational excellence and equipping your teams with the skills they need to maximise revenue and delight customers. However, participation in a mystery shopping program is not necessary for the performance of the contract that exists between employer and employee. Also, you will not likely be able to guarantee the ability withdraw consent, given you don’t know who the mystery shopper is or have a way of excluding a specific employee from being assessed under your mystery shopping program.
  3.        Make sure you complete your privacy impact assessment before the program starts.
    1. When relying on legitimate interest, you need to make sure you have completed your Legitimate Interest Assessment before you process employee personal data under your mystery shopping program. You need to consider why you are processing the personal data (the Purpose Test), why the processing is necessary for that purpose (the Necessity Test) and last whether your interests outweigh the rights and freedoms of your employee (the Balancing Test). This is essential not only for justifying the processing but will be indispensable in the event an employee exercises their data subject rights or your need to provide evidence of compliance to the ICO (Information Commissioner’s Office).

If you want to discuss the compliance of your mystery shopping program, or have a conversation in general about the role mystery shopping can have in the measurement of operational excellence, please schedule a briefing!

Schedule a Briefing

Neil Saddington is the Data Protection Officer at Market Force and has been with the company for eight years. He is an experienced project manager with a graduate diploma in law and is currently completing a LLM with a specialisation in data protection and information rights.