by sofixa
1651 days ago
Quite easily, actually. PCI-DSS certified companies (mostly based on my experience at the one I'm currently employed at in France and things I've heard) have agents on employee laptops, but there's an upfront disclaimer about what it does and what data it collects (close to none - it checks for encryption, password policy, antivirus and stuff like this, but no actual activity data is collected). In some cases work has to be done on a terminal server, so no actual PCI-DSS covered data hits the employee laptops. And note, there was backlash against the agent being deployed, which was handled with full transparency - the scripts run by the agent are (internally) open source, there were assurances about privacy, etc. Considering the fines possible, and employee representation, employees are generally inclined to trust those assurances.