GPS geofence clock-in

How it works

A geofence is a virtual perimeter — usually a circle of 50 to 500 metres — drawn around a worksite, depot or client address. When the worker taps "clock in" or "clock out" in the app, the phone takes a single GPS fix and the system compares it to the geofence. Two points are recorded per shift: the in event and the out event. Position is not sampled between those events.

Under the UK GDPR, location data tied to an identifiable worker is personal data, so the employer needs a lawful basis under Article 6. For most SME shift work this is Article 6(1)(b) — processing necessary for performance of the employment contract — or Article 6(1)(f), legitimate interests (accurate timekeeping and payroll). The ICO states: "To lawfully collect and process information from monitoring workers, you must identify a lawful basis" (ICO, Data protection and monitoring workers).

A Data Protection Impact Assessment (DPIA) is required before any processing "likely to result in a high risk to individuals" (ICO, DPIAs), and the ICO notes a DPIA "may also help you to identify the most appropriate basis" for monitoring. The retained records also serve the employer's Working Time Regulations 1998 duty to "keep records which are adequate to show whether the limits…are being complied with" and to keep them for two years (Regulation 9, WTR 1998).

What it isn't (common confusions)

Geofence clock-in is not continuous tracking. The phone is not pinged in the background, and there is no live map of the worker between shifts. If you want continuous location data — for a lone-worker safety device, for example — that is a separate processing activity with its own lawful basis and risk profile. HSE guidance is clear that employers "must manage any health and safety risks before people can work alone" (HSE, lone working), but that duty does not, by itself, justify surveillance outside working time.

It is not covert. The ICO is explicit: "Apart from in very exceptional circumstances where covert monitoring is justified, you must inform workers about any monitoring" (ICO). Workers need to know what is recorded, why, how long it is kept, and who can see it. That sits in the privacy notice and ideally a short standalone monitoring policy.

It is not a substitute for trust or management. The ICO rejects monitoring that is disproportionate, giving the example that requiring all staff to send a location-tagged photo at start of shift is "likely to infringe data protection law because it is disproportionate, and there are less intrusive ways to check start times" (ICO). Geofence clock-in is defensible because it captures the minimum data — two GPS fixes — needed to confirm attendance, and nothing more.

How WagePerks does this

WagePerks' GPS clock-in and out module records a single location fix at clock-in and clock-out only, against a geofence the employer configures per site. Records are retained to meet the WTR two-year rule and surfaced for payroll. It is included in the £4.50 per employee per month all-in price, alongside the other ten modules and white-label. For an implementation walk-through, including DPIA template and worked rota examples, see the UK SME guide to GPS geofence clock-in.

Related on WagePerks

GPS clock-in & out feature page — how the clock-in module works in the WagePerks portal
UK SME guide to GPS geofence clock-in — implementation guide, compliance, and worked examples
Recruitment agency GPS clock-in — how agencies use it for temps
Pricing — what's included at £4.50 per employee per month

Sources

ICO — Employment practices and data protection: monitoring workers — scope of UK GDPR duties when employers monitor workers
ICO — Data protection and monitoring workers — lawful basis, proportionality, transparency, covert monitoring, the disproportionate-monitoring example
ICO — Data protection impact assessments — when a DPIA is mandatory ("likely to result in a high risk")
UK GDPR — Article 6, lawfulness of processing — Article 6(1)(b) contract performance and 6(1)(f) legitimate interests
Working Time Regulations 1998, Regulation 9 — duty to keep adequate working-time records and retain them for two years
Data Protection Act 2018 — UK statute that sits alongside the UK GDPR
HSE — Lone working: employer responsibilities — separate health-and-safety duty, distinct from clock-in monitoring

Sources verified 2026-06-10. We re-verify quarterly.

Common questions

Is GPS geofence clock-in legal in the UK?

Yes, when employers have a lawful basis under UK GDPR Article 6 — usually contract performance or legitimate interests — and have told workers about the monitoring. The ICO requires monitoring to be necessary and proportionate, and a Data Protection Impact Assessment is required before any processing likely to result in a high risk to individuals.

Do I have to tell employees their phone records location at clock-in?

Yes. The ICO is clear that, apart from very exceptional covert circumstances, employers must inform workers about any monitoring. In practice this means updating the staff privacy notice and ideally a short standalone monitoring policy that says what is recorded, when, why, how long it is kept and who can see it.

Does GPS clock-in track employees between shifts?

No, not when implemented correctly. A geofence clock-in records a single GPS fix at clock-in and a single fix at clock-out, then stops. Continuous location tracking between shifts is a different processing activity that needs its own lawful basis, its own DPIA and would in most office-and-site SME contexts be disproportionate.