06/04/2023 - “Diversity wins: how inclusion matters” is the title of a report published by McKinsey in 2020. Their analysis reveals that “companies in the top quartile for both gender and ethnic diversity are 12 percent more likely to outperform all other companies in the data set”.

Thus, there is clearly a compelling case to invest in diversity and inclusion (D&I) programs. Although organizations recognize this, they are struggling to find reliable methods of measuring success to understand if their programs are truly working. In practice, such methods involve collecting diversity data from employees to understand the situation of today and how their programs affect the situation of the future. Because data protection laws vary globally when it comes to processing “special category” data, the solution is not so simple, especially for organizations operating in multiple countries.

Are you considering diversity and inclusion assessments across your organization? In this blog I will focus on some of the privacy challenges and what organizations can do to mitigate their compliance risk.

Not one but two legal bases? 

Under the General Data Protection Regulation (GDPR) any processing activity involving personal data must satisfy a legal basis under Article 6 of the GDPR. Additionally, the GDPR identifies certain types of personal data as ‘special categories’ warranting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. This type of data processing is in principle prohibited unless an exemption can be satisfied under Article 9(2).

In the context of conducting D&I surveys it is probable, if not certain, that organizations will have an interest in collecting and processing special category data from their employees to determine levels of diversity across the different categories. This means that, in addition to establishing a legal basis under Article 6 GDPR, an exemption must be satisfied under Article 9(2) GDPR to ensure D&I assessments are conducted lawfully.

What D&I data qualifies as special category data?

Not all D&I surveys will involve processing special category data, but such assessments would typically involve some or all of the following special categories of data:

  • Racial or ethnic data
  • Political opinions
  • Religious or philosophical beliefs
  • Sexual orientation or a person’s sex life
  • Health related data, such as disabilities

It is worth noting that in principle gender or data regarding sex does not qualify as special category data. However, it is less clear how ‘gender identity’ should be classified under the GDPR. Although arguably not inherently sensitive, it is conceivable that inferences revealing special categories of personal data (health or sexual orientation) may be drawn from it. For example, in Norway the data protection authority, in a case against Grindr, found that information that someone is a Grindr user is a special category of personal data, because it strongly indicates that they belong to a sexual minority. To learn more about when personal data may qualify as special category data by way of inference, please refer to my earlier blog on ‘Special Category’ data by way of inference.

Organizations are strongly encouraged to carefully assess if the data they plan on collecting may qualify as special category data, either due to its inherently sensitive nature or by way of inference. This assessment is a prerequisite to determining what legal basis may be required.

What legal basis can you rely on? 

This is where a varying data protection legal landscape complicates matters. Article 9(2) of the GDPR provides exemptions to the prohibition of processing special categories of personal data, including (i) consent and (ii) where processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment and social security and social protection law. The latter may result in additional specific exemptions to the GDPR that vary in each member state.

In the Netherlands, for instance, under the UAVG (Dutch Implementation Act GDPR) there is an exemption that permits the processing of race and ethnic origin if certain conditions are met. In support of this exemption, at the request of the Ministry of Social Affairs and Employment (SZW), Statistics Netherlands (CBS) has developed the cultural diversity barometer to measure this, provided that organizations have more than 250 employees.

The existence of country-specific exemptions or country-specific obligations that either permit or require the collection of D&I data results in a situation where often one size does not fit all, and global D&I initiatives run into difficulties. Upon realizing this, the temptation is then to explore the possibility of relying on employee consent. However, the issue here is that consent in contexts such as this is rarely considered to be freely given under the GDPR, due to the assumption that there is an imbalance of power between employers and employees.

What should you be doing today? 

Below are some practical recommendations to keep in mind if you are considering D&I surveys:

  • Carefully define the purposes of your D&I surveys.
  • Limit the data collected to what is necessary for these defined purposes.
  • Where possible, aim to acquire the necessary information through truly anonymous surveys.
  • Assess if the data you wish to collect qualifies as special category data.
  • Determine what legal basis (per jurisdiction) is appropriate for the categories of data collected.
  • Avoid free text survey answers that may reveal special category data that goes beyond your defined purposes.
  • Conduct a DPIA to ensure compliance with the privacy principles and that individuals’ rights are adequately protected.
  • Include employees in the consultation period to obtain their views on such data collection.
  • Ensure you have the support of the works council if your organization has one.
  • Ensure D&I processing activities are recorded in your records of processing activities.

James O'Neill, Legal Manager

Want to know more?

Are you planning to conduct D&I surveys across your organization and looking for practical advice to ensure your D&I survey complies with the GDPR? Or do you need support conducting a D&I DPIA? Do not hesitate to contact us.