As companies examine and refine their diversity and inclusion strategies, having access to information about the makeup of a workforce has never been so important. The privacy issues that arise in the process of collecting this information can prove difficult for privacy professionals to navigate. The challenge is not just complying with the law; in practice, it may be just as difficult to manage the expectations of stakeholders in terms of what can be achieved and to act as a check and balance on the ambitions of senior management.
This article looks at some of the common issues an organization embarking on a data-gathering project for D&I should bear in mind, and how you can set your program up for success.
The legal issues
There are compelling moral and ethical reasons for companies to champion D&I initiatives. In some sectors, regulatory requirements may necessitate such action. In the U.K., the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England issued a joint discussion paper in July 2021 indicating senior leaders may become directly accountable for D&I within their firms. In the eyes of the law, however, these ends do not always justify the means of data collection, and complex issues can arise under both data protection and employment law.
Much of the information gathered through a D&I project will amount to “special category personal data” for the purposes of the EU General Data Protection Regulation, or will be subject to similarly high levels of regulation in many other jurisdictions. The collection of these categories of data is one area where the EU Member States have significant discretion to build upon or (in relatively few instances) relax the requirements of their domestic law. The approaches of supervisory authorities in this area also vary widely, and in many countries, there is little if any regulatory guidance available directly addressing the topic.
This fragmentation across countries can make it very challenging, if not impossible, to identify a lawful basis for processing that will work in all jurisdictions. This can mean adopting a “global” approach to a data-capturing project may carry an unacceptably high level of legal risk. The differences that exist between the laws of jurisdictions will commonly reflect expectations among employees and wider society. Adopting an approach that raises no eyebrows among employees in the U.K. may evoke a very different response when rolled out elsewhere, leading to a higher risk of complaints or non-participation. Employment law issues arising from survey exercises may also vary between jurisdictions, including, for example, whether to involve works councils in any exercise.
Involving stakeholders
The complexity of the legal issues at play, along with the level of risk these projects can carry, means it is important to engage with a variety of stakeholders. There will often be a range of views within an organization about how a D&I project should be run. Executive teams, HR departments and internal affinity groups are all likely to have valuable input. The success of a project will be dependent on the ability of these groups to be involved in analyzing and navigating any issues that arise. It will also be important to achieve a successful roll-out of the project. For organizations with a large global footprint, involving colleagues in a number of jurisdictions can also be helpful in identifying any issues that are likely to arise among local populations.
Identifying and recording objectives
In the process of designing a data-capturing process, difficult conversations are likely to arise and the legal answer to “Can we even ask this question?” may not always be clear. Gaining clarity at an early stage over the objectives stakeholders are looking to achieve can provide a valuable roadmap in such situations. For privacy professionals, who are likely to be thinking about compliance with transparency requirements, this information is also vital in the data-capturing process itself to ensure that any information captured can be lawfully used in the future while also managing expectations about the scope of such future use.
Technical implementation
Companies often engage service providers to assist in the data-capturing process, whether due to a lack of internal resources or because of specialist services that those third parties provide (such as analysis of the data obtained). Whether the process of sending surveys to employees will be run in-house or by a provider, the timeframes needed to make this happen should be kept in mind in the context of the overall project (including the time needed to negotiate any necessary service agreements). Companies should also keep in mind that just because a service provider offers particular functionalities, this does not mean the deployment of those functions will be lawful in all jurisdictions; the “buck” for making this determination stops with the relevant company.
For organizations embarking on a D&I project for the first time, collecting these categories of data may require existing policies and other internal documentation to be updated. This will include transparency notices and records of processing, but specific requirements may also exist in certain jurisdictions. Under the U.K. Data Protection Act 2018, a company relying on the “Equality” exemption under Schedule 10 to collect data will be required to have an “appropriate policy document” that, for example, must set out the company’s practices relating to data retention. As the role of data ethics in processing activities continues to develop, companies should also consider whether historical practices should be reviewed in the light of emerging trends.
Conclusion
The issues above are far from exhaustive, and the challenges faced by any company will vary depending on the countries it operates in. As companies look to make progress with D&I inequities, privacy professionals will have a significant role to play in paving the way for their success.
Editor's note: Kate Brimsted will be chairing a panel on measuring global D&I at the forthcoming IAPP Congress 18 Nov. with senior privacy participants from Mastercard, Walgreens Boots Alliance and the London Stock Exchange Group.