Who hasn’t gossiped at the coffee machine?
… or overheard others gossiping and picked up a few private details about colleagues, or about employees of clients or suppliers?
The intersection of coffee machine gossip and GDPR brings together two incompatible elements: casual workplace chatter and stringent data protection regulations.
Ah, the coffee machine corner … what an entertaining spot!
What bothers me most, though, is hearing gossip when it comes from Directors.
If leaders themselves can’t refrain, how can we expect employees to?
Here are a few thoughts worth considering by Directors, so they can lead by example:
Personal Data Doesn’t Stop just before the Coffee Machine
- Under the GDPR and the UK Data Protection Act 2018, any information relating to an identified or identifiable person counts as personal data. Health information, such as the reason for someone’s sick leave, is special category data and gets stricter treatment still (Article 9).
- So when colleagues gossip about other individuals (“Solange’s sick leave”, “Solange’s divorce”), they are informally disclosing personal data, with no consent, no purpose and no lawful basis. Where that information came from a personnel file, an HR system or an email, the oral disclosure is still processing within the scope of the regulation; it does not become harmless because it was spoken rather than written.
⛔ Even casual conversations can amount to unauthorized disclosure.
Gossip vs. Legitimate Processing
GDPR principles require:
- Lawfulness – data must be processed on a lawful basis (Article 6, plus an Article 9 condition for health and other special category data).
- Purpose limitation – data collected for one specified, legitimate purpose must not be reused for an unrelated one.
- Integrity and confidentiality – data must be protected from unauthorized disclosure by appropriate technical and organisational measures.
⛔ Gossip satisfies none of these. Sick-leave details collected to manage absence were not collected to be repeated by the coffee machine, and repeating them there is an unlawful disclosure.
Risks for Organizations
- Reputational harm: gossip spreads faster than official channels, and a data subject who learns that their file was discussed by the coffee machine can complain to the regulator or bring a claim.
- Workplace harassment: sharing sensitive data (health, private life, performance issues) could cross into harassment or discrimination, an employment-law risk on top of the data protection one.
- Liability: the employer is the controller and must ensure that anyone acting under its authority processes personal data only on its instructions (Articles 29 and 32(4)). If gossip involves data learned in a professional role (e.g., an HR employee talking about someone’s disciplinary record), the company could be found in breach of GDPR.
🚨 Example: an HR assistant who casually reveals someone’s medical condition by the coffee machine is disclosing special category data without a lawful basis. That could expose the employer to sanctions from the data protection authority, and it is also a personal data breach (unauthorized disclosure, Article 4(12)) that has to be assessed for notification under Article 33.
Cultural and Compliance Solutions
Awareness training: everyone should understand that GDPR applies beyond databases and emails. It also applies to what is said out loud, and to health and other special category data in particular.
“Need-to-know” principle: if the person you are talking to doesn’t need to know, don’t share. It is the same least-privilege rule we apply to system access, carried over to conversation.
Positive culture: encourage respectful communication, remind staff that gossip isn’t just a bad habit but a compliance risk, and make clear that anyone who overhears personal data being disclosed should report it internally rather than pass it on.