06/04/2023 - “Diversity wins: how inclusion matters” is the title of a report published by McKinsey in 2020. Their analysis reveals that “companies in the top quartile for both gender and ethnic diversity are 12 percent more likely to outperform all other companies in the data set”.
Thus, there is clearly a compelling case to invest in diversity and inclusion (D&I) programs. Although organizations recognize this, they are struggling to find reliable methods of measuring success to understand if their programs are truly working. In practice, such methods involve collecting diversity data from employees to understand the situation of today and how their programs affect the situation of the future. Because data protection laws vary globally when it comes to processing “special category” data, the solution is not so simple, especially for organizations operating in multiple countries.
Are you considering diversity and inclusion assessments across your organization? In this blog I will focus on some of the privacy challenges and what organizations can do to mitigate their compliance risk.
Under the General Data Protection Regulation (GDPR) any processing activity involving personal data must satisfy a legal basis under Article 6 of the GDPR. Additionally, the GDPR identifies certain types of personal data as ‘special categories’ warranting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. This type of data processing is in principle prohibited unless an exemption can be satisfied under Article 9(2).
In the context of conducting D&I surveys it is probable, if not certain, that organizations will have an interest in collecting and processing special category data from their employees to determine levels of diversity across the different categories. This means that, in addition to establishing a legal basis under Article 6 GDPR, an exemption must be satisfied under Article 9(2) GDPR to ensure D&I assessments are conducted lawfully.
Not all D&I surveys will involve processing special category data, but such assessments would typically involve some or all of the following special categories of data:
It is worth noting that in principle gender or data regarding sex does not qualify as special category data. However, it is less clear how ‘gender identity’ should be classified under the GDPR. Although it is arguably not inherently sensitive, it is conceivable that inferences revealing special categories of personal data (health or sexual orientation) may be drawn from it. For example, in Norway the data protection authority in a case against Grindr found that information that someone is a Grindr user is a special category of personal data, because it strongly indicates that they belong to a sexual minority. To learn more about when personal data may qualify as special category data by way of inference please refer to my earlier blog on ‘Special Category’ data by way of inference.
Organizations are strongly encouraged to carefully assess if the data they plan on collecting may qualify as special category data, either due to its inherently sensitive nature or by way of inference. This assessment is a prerequisite to determining what legal basis may be required.
This is where a varying data protection legal landscape complicates matters. Article 9(2) of the GDPR provides exemptions to the prohibition of processing special categories of personal data, including (i) consent and (ii) where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law. The latter may result in additional specific exemptions to the GDPR that vary in each member state.
In the Netherlands, for instance, under the UAVG (Dutch Implementation Act GDPR) there is an exemption that permits the processing of race and ethnic origin if certain conditions are met. In support of this exemption, at the request of the Ministry of Social Affairs and Employment (SZW), Statistics Netherlands (CBS) has developed the cultural diversity barometer to measure this, provided that organizations have more than 250 employees.
The existence of country-specific exemptions or country-specific obligations that either permit or require the collection of D&I data results in a situation where often one size does not fit all, and global D&I initiatives run into difficulties. Upon realizing this, the temptation is then to explore the possibility of relying on employee consent. However, the issue here is that consent in contexts such as this is rarely considered to be freely given under the GDPR due to the assumption that there is an imbalance of power between employers and employees.
Below are some practical recommendations to keep in mind if you are considering D&I surveys:
Are you planning to conduct D&I surveys across your organization and looking for practical advice to ensure your D&I survey complies with the GDPR? Or do you need support conducting a D&I DPIA? Do not hesitate to contact us.