ONA (Organizational Network Analysis): how to overcome legal fears and harness its full potential in organizations

CEO at HRscout
In recent years, Organizational Network Analysis (ONA) has become one of the most powerful tools to understand how people work in a company beyond the formal organizational chart. Through ONA, we can detect silos, identify informal leaders who sustain collaboration, anticipate overload risks, or discover where innovations are generated.
However, many organizations in Spain and Europe are reluctant to implement it. The reason is clear: the fear of violating data protection regulations (GDPR, LOPDGDD) or that employees may perceive the analysis as a form of surveillance.
I’m writing this post, a bit longer than usual, with the aim of fighting those fears and showing that ONA is not only compatible with the law but can also become an example of good data use if applied with transparency and trust.
Why is it worth doing ONA?
Some illustrative examples of what an organization can achieve with ONA (* See references):
- Detect invisible silos: an industrial company discovered that its production and quality teams hardly collaborated; thanks to ONA, workflows were redesigned and incidents were reduced by 15%.
- Identify hidden leaders: in a technology consulting firm, the analysis showed that a junior analyst was the go-to person for resolving technical questions across the office. She was offered an internal trainer role that improved team satisfaction and retention.
- Prevent burnout: a bank used ONA to visualize the overload of a group of managers who were centralizing too many meetings. By redistributing responsibilities, absenteeism was reduced and decision-making was accelerated.
The key is that ONA reveals the real organization, the one that emerges from daily interactions, and enables data-driven decisions to improve collaboration, well-being, and results.
The legal fear: what worries companies?
HR and legal departments often raise reasonable questions such as:
- “Aren’t we surveilling employees?” Not if the analysis is done under clear rules. Case law treats email and chat as part of the employee’s sphere of privacy, so they cannot be monitored without such rules; but those rules exist and can be implemented.
- “Can we use productivity data?” Yes, as long as it is directly linked to work activity, employees are informed about it, and it is relevant to the intended analysis.
- “What happens if we make automated decisions?” Article 22 of the GDPR gives individuals the right not to be subject to decisions based solely on automated processing that significantly affect them. ONA does not have to be used that way, and in fact should not be: it is support for human decisions, not a decision-maker.
- “What if we get sanctioned?” With proportionality, data minimization, and transparency, the legal risk is very low. Moreover, ONA can be carried out using data sources that carry much lower legal risk than private communications.
The legal framework: more guidance than obstacle
The General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD, Organic Law 3/2018) do not prohibit organizational network analysis. What they do is establish the rules of the game to ensure that workers’ privacy is respected and that the use of their data is proportional and transparent.
Within this legal framework, the main articles affected are:
- Article 5 of the GDPR sets the basic principles: lawfulness, fairness, transparency, purpose limitation, data minimization, and storage limitation.
- Article 6 establishes when processing is lawful. The legal basis for ONA is usually the company’s legitimate interest, provided a balancing (proportionality) test shows that the organizational benefit outweighs the impact on privacy.
- Article 22 allows profiling but gives individuals the right not to be subject to decisions with legal or similarly significant effects based solely on automated processing; there must be meaningful human oversight.
- Article 35 requires a Data Protection Impact Assessment (DPIA) when the processing is likely to result in a high risk to individuals’ rights, as is the case when analyzing employee interactions.
In Spain, the LOPDGDD introduces additional rules that are sometimes also cited. Article 87 protects privacy in the use of digital devices. Note, however, that obtaining metadata about the use of corporate email does not require auditing the employee’s device, which would otherwise expose other messaging apps installed by the employee, photos, browsing history, and so on. The data is obtained directly from the use of the corporate email service, so in my view this article, although frequently cited, would not be applicable.
The Workers’ Statute is also relevant: Article 20 grants the employer supervisory powers as long as employee dignity is respected, and Article 64.4 d) requires informing the works council about the parameters, rules, and instructions on which algorithms or AI systems are based when they can affect decisions on working conditions, access to employment, or continued employment, including profiling.
Read this way, the legal framework stops being an obstacle and becomes a compass: it doesn’t say “you can’t do ONA,” but rather “do it with proportionality, transparency, and respect for employees’ rights and dignity.” It simply says “Do it right.”

What is private and what isn’t? The cultural factor
One aspect that is rarely brought to the table is the cultural factor in the perception of privacy. Not all workplace interactions are experienced the same way by employees, nor do they carry the same sense of intimacy. For example, we tend to assume (especially in Europe) almost automatically that corporate email is a private space subject to strong legal protection, while we hardly notice that a company can audit and thoroughly analyze all communications taking place in its incident management system or project management system. What’s the difference? Is it simply because it’s considered a management process separate from the rest?
Beyond the legal aspect, I believe the employee’s cultural expectation comes into play: it is assumed that a professional email may contain personal or sensitive messages—which, by the way, should not be the case—whereas in an incident management system or a project management tool, it is understood that the information fully belongs to the job. The same happens if we compare an internal quick chat with email: the line that defines what workers perceive as “personal” and what as “work-related” is blurry and depends on the cultural context, how internal policies are communicated, and the level of trust within the organization. That’s why managing ONA is not just about complying with the law, but also about taking care of the organizational culture and expectations of fair data use.
Would anyone object if the analyzed interactions came from the internal project management tool instead of email communications? I’ll leave it at that.
Aggregate and individual ONA: two possible approaches
A common fear is also the belief that ONA can only be done in the form of aggregated reports, when in fact it is also possible to create visualizations at the individual level. Both options are valid, as long as legal requirements are met.
Aggregate ONA, which shows networks by teams or departments, is very useful for detecting silos, measuring cross-functional collaboration, or analyzing cohesion between areas. It is the most commonly used approach and the one that raises the fewest privacy concerns.
Individual ONA, on the other hand, makes it possible to identify informal leaders, key experts, or people at risk of overload. This approach is not prohibited: it is perfectly viable as long as three conditions are met. First, the purpose is clearly justified and communicated, for example, in a succession plan or a knowledge management program. Second, the data used is proportional—for instance, interaction metadata without ever accessing the content of messages. And third, relevant decisions are not based solely on the graph results but include human intervention and validation.
In this way, individual visualization is not a taboo but a valuable tool to enhance talent and improve the organization, always applied with transparency and respect for employee dignity.
How to comply with the law without hindering innovation
1. Choose the right approach
There are two ways to do ONA:
- Active ONA (surveys): employees answer who they collaborate with, who they ask for help, and so on. It is transparent and consensual, with minimal legal risk, since the survey itself requests approval for the use of the responses; the employee provides the answers knowingly, so there is no expectation of privacy over them.
- Passive ONA (digital metadata): usage data from email, Teams, calendar, etc. is analyzed. Here there are more legal requirements, but it can be done in compliance with the regulations.
2. Apply the principles of the GDPR
- Clear purpose: for example, “detect manager overload” or “improve collaboration between departments.”
- Minimization: use only strictly necessary data (for example, use metadata, never the content of messages).
- Time limitation: analyze a limited period (e.g., three or six months) tied to the study being conducted, never the full historical record, and delete the data once the study is over.
3. Transparency and trust
Internal communication is the best safeguard:
- Inform employees about what data is collected and what is not.
- Explain that the results will be seen as a source for process improvement and never for sanctioning or penalizing. The goal is to understand how the organization works.
- Involve employee representatives in the process.
When employees understand that ONA aims to improve their work environment and not to monitor them, resistance tends to disappear. Most people like to be seen in their work and not remain invisible in the tasks they perform.
4. Other safeguards that provide security to the process
- DPIA (Data Protection Impact Assessment): mandatory when the processing is likely to result in a high risk to individuals, which systematic profiling of employees normally is; beyond the obligation, it helps to structure and justify the project.
- Human oversight: decisions should never be automatic; ONA must be a support tool, not a decision-maker.
- Data security: protect the data with encryption, pseudonymization of identities, access limited to the people-analytics team, and deletion at the end of the study.
In addition, building networks within an organization does not have to rely solely on digital communications. There are multiple sources that allow mapping relationships in an equally or even more enriching way, and with much lower legal risk: collaboration on common projects, joint participation in training courses, membership in internal communities of practice or innovation, records from issue-tracking and resolution systems, or a project or sales-opportunity manager. These sources show how knowledge and experience flow within the company, complement communication networks, and, because they involve no sensitive data and no access to private interactions, minimize the legal and privacy implications.
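To make the four steps above concrete, here is an added example (written for this post, not code from the original article or from HRscout) of a passive ONA pipeline that applies data minimization, time limitation, pseudonymization, and the aggregate/individual split described earlier. It assumes a constructed mail-server metadata export and a constructed HR directory; the addresses, departments, dates, and the HMAC key are all invented for illustration. Subject and body fields appear in the sample only so that the minimization step has something to discard.

```python
"""Data-minimising passive ONA over e-mail metadata (added example, constructed data)."""
import hashlib
import hmac
from collections import Counter
from datetime import datetime

# Constructed sample export: one row per message as a mail server might deliver it.
# Subject/body are present only to show that they are discarded before analysis.
RAW_LOG = [
    {"from": "marta@corp.example", "to": ["ana@corp.example", "luis@corp.example"],
     "ts": "2024-03-04T09:12:00", "subject": "Shift plan", "body": "..."},
    {"from": "ana@corp.example", "to": ["marta@corp.example"],
     "ts": "2024-03-04T10:02:00", "subject": "Re: Shift plan", "body": "..."},
    {"from": "marta@corp.example", "to": ["sara@corp.example"],
     "ts": "2024-03-11T08:45:00", "subject": "QA audit", "body": "..."},
    {"from": "sara@corp.example", "to": ["pau@corp.example"],
     "ts": "2024-03-12T16:20:00", "subject": "Calibration", "body": "..."},
    {"from": "marta@corp.example", "to": ["pau@corp.example", "ana@corp.example"],
     "ts": "2024-04-02T11:00:00", "subject": "Incident 77", "body": "..."},
    {"from": "luis@corp.example", "to": ["ana@corp.example"],
     "ts": "2024-04-15T12:30:00", "subject": "Line 3", "body": "..."},
    {"from": "luis@corp.example", "to": ["marta@corp.example"],
     "ts": "2024-05-20T09:00:00", "subject": "Holiday", "body": "..."},
    # Outside the three-month study window: must be discarded, not analysed.
    {"from": "ana@corp.example", "to": ["sara@corp.example"],
     "ts": "2024-01-15T09:00:00", "subject": "Old thread", "body": "..."},
]

# Constructed HR directory: address -> department (the only attribute the purpose needs).
DIRECTORY = {
    "marta@corp.example": "Management",
    "ana@corp.example": "Production",
    "luis@corp.example": "Production",
    "sara@corp.example": "Quality",
    "pau@corp.example": "Quality",
}

# Time limitation: a three-month study period, not the full mail history.
WINDOW = (datetime(2024, 3, 1), datetime(2024, 6, 1))

# Placeholder key for this example; in practice held by HR in a secret store,
# never handed to the analysts who receive the tokens.
KEY = b"hr-only-demo-key"


def pseudonym(address: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an address. Analysts see only the token.
    Pseudonymised data is still personal data under the GDPR (Recital 26)."""
    return hmac.new(key, address.lower().encode(), hashlib.sha256).hexdigest()[:12]


def minimise(rows, key, window=WINDOW, directory=DIRECTORY):
    """Keep only what the purpose needs: undirected pseudonymous pairs and
    department pairs, for rows inside the window. Subject, body and exact
    timestamps are dropped here and never reach the analysis."""
    start, end = window
    edges, dept_edges = Counter(), Counter()
    for row in rows:
        if not (start <= datetime.fromisoformat(row["ts"]) < end):
            continue
        sender = row["from"]
        for rcpt in row["to"]:
            if rcpt == sender:
                continue
            edges[tuple(sorted((pseudonym(sender, key), pseudonym(rcpt, key))))] += 1
            dept_edges[tuple(sorted((directory.get(sender, "Unknown"),
                                     directory.get(rcpt, "Unknown"))))] += 1
    return edges, dept_edges


def degree(edges):
    """Distinct collaborators per token (input for individual ONA)."""
    d = Counter()
    for a, b in edges:
        d[a] += 1
        d[b] += 1
    return d


def overload_candidates(edges, threshold):
    """Individual ONA: tokens with at least `threshold` distinct collaborators.
    Output is a list for human review, never an automatic decision (GDPR Art. 22)."""
    return sorted(t for t, n in degree(edges).items() if n >= threshold)


def reidentify(tokens, key, directory=DIRECTORY):
    """Reverse lookup, possible only for the key holder (HR)."""
    lookup = {pseudonym(a, key): a for a in directory}
    return [lookup.get(t, "<unknown>") for t in tokens]


if __name__ == "__main__":
    edges, dept_edges = minimise(RAW_LOG, KEY)
    print("Aggregate ONA (department pairs):", dict(dept_edges))
    candidates = overload_candidates(edges, threshold=4)
    print("Individual ONA, tokens for human review:", candidates)
    print("Re-identified by HR only:", reidentify(candidates, KEY))
```

On the constructed data the aggregate view shows no Production–Quality edge at all (the kind of invisible silo mentioned in the first use case), while the individual view flags a single token with four distinct collaborators; only HR, holding the key, can map that token back to a person. Note that the analysis layer never receives message content or raw addresses, but because the tokens can be reversed with the key, the output remains personal data and must still be covered by the DPIA, access controls, and deletion schedule.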

See ONA as an opportunity, not a threat
I conclude, therefore, by trying to convey the idea that Organizational Network Analysis is not a surveillance tool: it is a mirror that reflects how collaboration truly flows. Legal risks exist, but they are not an insurmountable wall; on the contrary, the GDPR and LOPDGDD provide a framework that, if applied with transparency and proportionality, builds trust for both the company and employees.
Organizations that dare to take this step will be able to make smarter decisions, reduce hidden costs, empower invisible talent, and improve employee well-being.
The fear of not complying with the law should not hinder innovation; on the contrary, there is currently legal certainty that allows us to work in this area. With transparency, trust, and clear objectives, ONA can be a strategic ally in many organizations that need to bring clarity to their workflows.
HRscout is a solution that helps you manage these ONA projects so that the information is used and analyzed directly by the people-management experts, which creates a much safer context for the data and the analysis, since both remain solely within the management scope of the HR team.
If you’re interested in learning more or would like to see practical examples, contact us and we’ll explain how, in a simple and quick way, you can carry out this type of analysis in your company.
Use Case References:
- Cross, R. & Parker, A. (2004). The Hidden Power of Social Networks. Harvard Business Review Press.
- Green, D. The Role of Organisational Network Analysis in People Analytics.
- Kienbaum Consulting. Organizational Network Analysis – Case Study.
- Shirley, L. Unleashing the Power of Organizational Network Analysis (ONA) for Large-Scale Organizational Transformation.
- Mellalieu, P. Using Organizational Network Analysis to Help Drive Knowledge-Centered Service Adoption.