It is increasingly clear that preventing discrimination and ensuring equal treatment is a very important topic, not only for individuals, the general public and authorities, but for corporations, as well.

Cases of racial injustice, age discrimination or workplace discrimination are all topics that easily hit headlines and impact our societies for years to come.

There are obviously some international conventions and national laws to prevent discrimination, but they are rarely considered sufficient and, so far, have not resulted in a comprehensive corporate response and overarching, global programs to address such risks.

This is now likely to change as there are many signs that regulators and individuals will expect much more in the future.

Before starting to address this from scratch, the companies could first look at the unique role privacy professionals are already playing in preventing discrimination and ensuring equal treatment.

With this knowledge, it will also be clear that there is huge potential for such professionals to contribute even more, both within the privacy domain itself or by expanding their competencies and areas of responsibility.

What does it look like from a practical perspective?

From a practical point of view, privacy professionals must have deep knowledge and understanding of how data is used in the company, what are the relevant business processes, what are the risks to individuals and what is being done to mitigate those risks. At the same time, they help ensure that processing personal data is justified and fair, and individual expectations are taken into consideration, the same as legal requirements, societal values and needs. This also includes any potential consequences for individuals resulting from how the data is used or how it can be misused in a lack of sufficient safeguards. With the generally recognized principle of purpose limitation, there must also be guarantees that data collected for one purpose is not generally used for any other purposes, obviously with some exceptions as to when this is authorized by law or there is an additional consent.

When all this is applied on a business process level or when privacy professionals actively contribute to some concrete interactions, complaints and cases of individuals, this should mean that an individual’s information might not be used to harm or discriminate and that there are specific controls to mitigate such risks.

By verifying that processing is fair, only the relevant data is collected and only such data contributes to the decision-making process that must be ethical by itself, many bad things could have been prevented from happening and there would be no loss of reputation or severe financial consequences for many companies both in the U.S. and in other countries, especially once the individuals impacted go to court. 

The EU General Data Protection Regulation itself refers directly to the risk of discrimination, which must be properly tackled and mitigated, such as when there might be discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status, or sexual orientation, or that result in measures having such an effect.

What are the main skills that make a difference?

First, when it comes to considering what is discrimination itself, we should keep in mind protected characteristics and sensitive data types and whether they are used in ways that result in an unjustified or unfair treatment to members of specific groups. In the broadest possible sense, age, sex/gender, gender identity, gender expression, marital status, racial or ethnic origin, national origin, ancestry, political opinions, religious or philosophical beliefs, trade union membership, genetic data, health data and medical conditions, disabilities, physical and psychical characteristics, military and veteran status, and data concerning a natural person's sex life or sexual orientation should all be in scope as potential discrimination factors and increased risk data types, which does not necessarily mean they must be considered sensitive data types under specific laws in the given jurisdiction.

We, therefore, need to be aware of these data types, how to identify them and remain abreast of all relevant regulations, specifically in the field of privacy and anti-discrimination, which contribute to define such protected characteristics and to protect the individuals concerned. We obviously also need to be cognizant of possible risks, so a risk-oriented mindset and risk management skills are of the essence, as well.

Secondly, the term of discrimination itself is broad and difficult to define, similarly as it is difficult to define privacy. Therefore, good judgment, humanistic values, sensitivity, intuition (otherwise called your "gut feeling") and a good amount of common sense are all needed. This will enable you to decide what might be considered discrimination and what should not be perceived as such. These are also qualities expected from privacy professionals successful in their roles.

So often is the case, however, that we refer only to legal and IT skills, while forgetting the most important role and contribution from us would be with ethics, sensitivity to others, willingness to help other people, cultural awareness, and communications, and this is where a big difference can be really made, both in terms of privacy protection and preventing discrimination. Having the right set of skills and being used to work to prevent harm to others is, therefore, very important.

With a good deal of knowledge and experience on building a comprehensive, overarching privacy program, privacy professionals would be also uniquely positioned to contribute to creating other frameworks and concrete programs to protect other values, as well, preventing risks to the rights and freedoms of our fellow humans and, most of all, to ensure equal treatment and nondiscrimination.  

Photo by Markus Spiske on Unsplash