Organisations can audit their employees while they work from home, but the auditing should balance employees’ right to privacy against the organisations’ legitimate need to protect their digital assets from unauthorized exposure. On the one hand, companies should evaluate the risks that come with a work-from-home or hybrid work environment: data theft, data loss, unauthorized data exposure, lack of efficient control mechanisms, and access from unsecured hardware. On the other hand, companies should evaluate whether the level of employee monitoring at home (logon/logoff times, navigation history, activity time, etc.) is justified in order to address the abovementioned risks. Companies must demonstrate adherence to the principle of data minimization from Article 5 GDPR (Principles relating to the processing of personal data), which requires data controllers to make sure that the minimum amount of personal data is processed in order to achieve a processing purpose.
We highly recommend performing a Data Protection Impact Assessment (DPIA) before implementing technologies and policies/procedures to monitor employees who work from home.