Environmental, Social, and Governance (‘ESG’) criteria play a key role for businesses from different perspectives, such as investing and reputation. Stakeholders including consumers, investors and governments are increasingly basing their decisions on businesses’ ESG credentials. Within this framework, Diversity, Equity, and Inclusion (‘DE&I’) initiatives are critical aspects of the social component of the ESG criteria, although they often lend themselves to all three ESG categories.

Powered by the impetus of the United Nations Sustainable Development Goals (SDG), especially SDG 10, which refers to the reduction of inequalities among countries, an ambitious target has been set for 2030 to empower and promote the social, economic and political inclusion of all, irrespective of “age, sex, disability, race, ethnicity, origin, religion or economic or other status”. In addition, there is a growing expectation that companies take an active role in this regard, and there are a number of initiatives that seek to ensure that DE&I initiatives are implemented into business practices and are no longer merely included as part of companies’ statements or policies.

We recently shared our blog, Top 10 tips for Diversity and Inclusion in the workplace.

A successful DE&I campaign will involve the collection of personal data (including race and ethnic origin, sexual orientation, disabilities, etc.) from employees and prospective employees. This data includes sensitive personal data (‘SPD’), which under the EU General Data Protection Regulation (‘GDPR’) requires additional protection. The dilemma is balancing the collection of data related to diversity with data privacy laws. As such, companies must act with caution to achieve DE&I without running afoul of privacy legislation, as explained in the blog Diversity and privacy go hand in hand.

We believe privacy and DE&I goals are complementary. With the right guidance, companies can achieve the two simultaneously.

Legal & Regulatory Considerations

Article 9 of the GDPR prohibits the collection and processing of SPD such as data relating to racial and ethnic origin and data concerning sexual orientation. These data sets are critical components of achieving DE&I initiatives and furthering non-discrimination policies. Article 9(2) allows the collection and processing of these types of data if consent is granted by the employee and if the collection and processing of the SPD are “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.

A good overseas example is the United States where companies with 100 or more employees are required to submit an EEO-1 data report to the Equal Employment Opportunity Commission (‘EEOC’). This requires collecting data on race and gender to help the EEOC to identify potential discriminatory employment practices.

Sometimes companies may find themselves in a position where they need to collect diversity data not just to fulfill a legal obligation, but to fulfill their social obligation as good corporate citizens. If data is being collected for this reason, most frameworks require the explicit consent of the employee.

This is problematic. EU Data Protection Authorities (‘DPAs’) have emphasised that the use of employee consent requires careful evaluation. The GDPR specifically requires consent to be “freely given, specific, informed and unambiguous.” Naturally, where there is some imbalance of power between the controller (employer) and the data subject (employee), it becomes difficult to determine whether consent was “freely given.”

Aside from challenges around employee consent, the employer needs to ensure that it exercises data limitation and minimisation. This means that the employer should refrain from collecting personal data that is not directly relevant to and necessary to accomplish a specified purpose. The most appropriate tool to achieve this is the use of a data protection impact assessment.

The European Commission has also provided some guidance on promoting DE&I through the publication of the European Handbook on Equality and Data in 2016. The handbook acknowledges the interplay between the collection of sensitive data for anti-discriminatory purposes and data protection legislation. The handbook suggests collecting diversity and inclusion data from employees anonymously through workforce surveys. This method is likely to make employees more comfortable and, according to the handbook, it tends to result in higher response rates.

Key takeaways

There is no doubt that DE&I initiatives can increase the risk of violating data protection laws without appropriate safeguards.

The following tips may facilitate a compliant approach:

  • Where possible, aim to acquire the information through anonymous surveys.
  • Keep questions as precise to the objective as possible. For example, employers should not be asking questions about an employee’s diet if the objective is to see whether they have a reasonable distribution of minorities among their workforce population.
  • Seek support from your DPO in conducting a robust DPIA to ensure individuals’ rights are adequately protected.
  • Communication and transparency are key to the success of any DE&I initiative.

An effective DE&I program protects and enhances a company’s reputation. When conducted appropriately, a DE&I initiative can strengthen the relationship with stakeholders such as customers, employees, investors, and the public.

If you want to learn more about how HewardMills can help your organization to achieve your DE&I goals in accordance with data protection laws, please contact us at dpo@hewardmills.com.

