Is data protection law a barrier to implementing I&D strategies?
Locations
Different sized companies across the banking, real estate, engineering and consulting sectors, contributed to a discussion on the challenges of collecting diversity, equality and inclusion (DEI) data.
One of the biggest issues encountered by organisations when collecting diversity, equality and inclusion (DEI) data is the challenge of ensuring compliance with data protection law.
Organisations take different approaches to this exercise. Here are three of the lessons learned in the process:
1. Data protection is not and should not be seen as a barrier to collecting DEI data
Sometimes data protection is used as an excuse for doing or not doing certain things.
While it is important to ensure DEI data is obtained in compliance with data protection laws, it should not be regarded as an additional "hurdle".
Rather, it is about designing a system for collecting this data in a way that guarantees data protection requirements, including making sure collection or personal data is fair and within the realms of what employees would expect, are met.
2. DEI surveys are not "one size fits all" although in practice a risk-based approach in this is commonly taken
DEI collection comes in many shapes and sizes and will therefore vary depending on a number of factors such as the size of the organisation, the locations of the employees and how the data is being collected.
For example, reliance on explicit consent might be the most pragmatic lawful basis to rely on to process personal data for some organisations that may be looking to run a global DEI project.
This is because there can be variances in local data protection laws on what constitutes an appropriate lawful basis.
A UK-based organisation, on the other hand, may find another lawful basis more suitable to this exercise.
Risk appetite of the business is also an important factor.
3. Data Protection Impact Assessments (DPIA) are key to compliance
Even if not mandatory (which is often the case, as DEI surveys often involve large scale processing of sensitive data), carrying out a DPIA helps identify, analyse and minimise the data protection risks associated with DEI personal data processing.
Various mitigation steps can be implemented to ensure as much data as possible is collected, such as making sure there is a clear and justifiable purpose for collecting DEI personal data, limiting open text fields, having strict access rights to DEI datasets which are separate to other datasets, using a third party and aggregating/pseudonymising data as soon as possible.
This article was authored by Kirsten Whitfield, Data Partner, and Alex Beresford, Associate, from Fieldfisher's Data and Privacy team and is based on a workshop held as part of Fieldfisher's Inclusiveness & Diversity Summit for clients held at the firm's London office.