The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, includes a number of provisions that will require employers here in the UAE who process the personal data of employees protected by the GDPR to implement new systems and processes.
In this article, Rob Flaws, Head of Technology and Data Protection at International Law Firm CMS, considers the key issues that HR functions in the UAE need to be aware of in relation to the compliance requirements set out under the GDPR in respect of employee data.
Scope of the GDPR – how is your business affected?
The first key question for HR functions to consider is whether the GDPR applies to the employee data they currently handle and, if so, what impact that has on their current practices.
The GDPR has significantly expanded the territorial scope of European data protection law: it applies not only to organisations established in the EU but also to non-EU organisations, to the extent they offer goods or services to individuals in the EU or monitor the behaviour of individuals within the EU (Article 3).
For HR purposes, a business that has employees or other staff in an EU member state, or that is targeting, recruiting or transferring staff from EU member states (and in doing so collects their personal data and monitors their behaviour), will almost certainly fall within the scope of the GDPR. In this context, "staff" could include agency workers and, potentially, consultants and other independent contractors, depending on what information is controlled or processed by the HR function here in the UAE.
‘Personal Data’ in an HR context
The GDPR applies to "personal data", meaning any information "relating to an identified or identifiable natural person" (the "data subject"). A person is identifiable where they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Article 4(1)).
In an HR context, this means that much of the information employers hold on employees will be personal data, including recruitment documents, contact details, payroll information, appraisals, performance management records, expressions of opinion on employees, disciplinary records and termination documents.
The GDPR also defines "special categories of personal data" (often referred to as sensitive personal data), which are afforded a higher level of protection under Article 9: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data, health data and data concerning sex life or sexual orientation. Data relating to criminal convictions and offences is subject to separate restrictions under Article 10. HR functions should be aware that employers will routinely hold data of this kind, since criminal record checks, medical information or examination notes and sickness records are routinely collected for visa and insurance purposes here in the UAE. Information about spouses and dependants, collected for the same purposes, is personal data of those family members in its own right and falls into the special categories where it reveals, for example, their health.
Consent and Data Privacy Notices
In order to process employees' data lawfully, employers need a lawful basis under Article 6 of the GDPR. Consent is only one of these; the others most relevant to HR are that the processing is necessary for the performance of the employment contract, for compliance with a legal obligation to which the employer is subject, or for the employer's legitimate interests (where these are not overridden by the employee's interests and rights). Where consent is relied on, it must be a freely given, specific, informed and unambiguous indication of the individual's wishes, given by a clear affirmative action. Consent may not be inferred from silence or inaction (for example, failing to un-tick a pre-ticked box), and it can be withdrawn at any time. Whatever the lawful basis, employees must be told, in a privacy notice, what data is collected about them, for what purposes and on what basis, and with whom it is shared (Articles 13 and 14).
Consent will not be freely given if there is no genuine free choice, and it should be made clear that consent to data processing is not a condition of employment. Because of the imbalance of power between employer and employee, consent will rarely be a sound basis for processing employee data covered by the GDPR, so HR functions should not assume it is available to them in the same way as it is for locally sourced employee data, and should identify and document the lawful basis actually relied on.
For special category data, a separate condition under Article 9(2) is also required; "explicit" consent is one of these, and processing necessary to carry out the employer's obligations under employment law is another. HR functions should therefore be aware that specific consent forms may be needed for collecting different types of personal data, and that a record should be maintained identifying what types of employee data are processed, on what basis, and whether consent is required.
Rights of individuals
Individuals' rights as a whole have been strengthened under the GDPR, which expands some existing rights and introduces new rights that will apply to employees.
The "right to be forgotten" (right to erasure) enables individuals to require that personal data held on them be erased in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected or where consent has been withdrawn; it does not override records the employer is legally required to retain. Complying may nevertheless be difficult and time consuming for HR functions in the UAE if employee data is held across a number of systems. Similarly, the "right to rectification" arises where data held by an employer is inaccurate or incomplete.
HR functions in the UAE will also need to be aware of employees' right under the GDPR to make data subject access requests to obtain copies of the data employers hold about them. These requests must be answered without undue delay and in any event within one month of receipt (extendable by a further two months for complex or numerous requests), so HR functions will need systems in place to locate, review and action requests from employees expeditiously.
Compliance – the wider picture
The law around the way organisations use data, both globally and across the GCC, is undoubtedly changing. To date, organisations have focused mainly on client or customer data in order to minimise the risk of damage to brand value and reputation, but the spotlight is increasingly turning to HR data.
Given the scope of the GDPR, the significant sanctions it imposes for breach, and the fact that HR teams here in the UAE may well handle personal and special category data about staff who have rights under the GDPR on a daily basis, the manner in which HR data is processed should be a focus for review and remedial action by HR functions.