ESG diversity and inclusion – 3 / 6 Insights

ESG – diversity data and GDPR

Top tips for GDPR compliance when collecting and analysing diversity data.


The 'S' in environmental, social and corporate governance (ESG) is increasingly key – but has traditionally been more difficult to measure than environmental or corporate data. Social elements of ESG range from community involvement and volunteering to charitable contributions to staff working conditions to diversity and inclusion (D&I) initiatives.

D&I initiatives have a straightforward ethical case, reinforced by rising shareholder and public expectations of organisations around ESG responsibilities. There is also a well-documented correlation between more diverse teams and improved growth, financial performance and brand reputation. For example, McKinsey's May 2020 Diversity report found that companies with better gender and ethnic diversity were more likely to outperform less diverse companies.

Collecting the right data, and doing so consistently, is essential to tracking and reporting D&I statistics and progress. UK and EU data protection law allows for this, but it is vital to get the compliance side right.

Is D&I data sensitive data?

Much of the data collected for D&I initiatives is sensitive, or what the UK GDPR terms "special category" data. D&I data may include:

Data                                                    Special category?
Gender (whether assigned at birth or gender identity)   No
Racial or ethnic origin                                 Yes
Sexual orientation (or data about a person's sex life)  Yes
Disability (as a form of health data)                   Yes

Special category data also includes: 

  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where processed for the purpose of uniquely identifying a natural person)
  • health data more generally (disability, above, is one form of it).

Under the UK GDPR, special category data does not include information like veteran status, which is commonly collected in the US.

When an organisation collects D&I data, whether directly or by appointing a third party to do so on its behalf, the organisation will be the data controller and remains responsible for overall compliance with applicable data protection law. Appointing a processor does not transfer that responsibility.

What should we do to comply with data protection requirements?

Data protection law requires:

  • A valid lawful basis for collecting, storing, pseudonymising or anonymising or otherwise using personal data. This might be a specific legitimate interest (eg improving D&I statistics and culture across the organisation) or compliance with a legal obligation.
  • A supplemental condition for using any special category data. In the UK, this might be explicit consent (which needs to be approached carefully in an employment context, where the imbalance of power between employer and employee means consent may not be freely given and so risks being invalid) or a condition set out in the UK Data Protection Act 2018 (DPA 18). The most relevant DPA 18 condition is processing necessary to identify or keep under review the existence or absence of equality of opportunity or treatment between groups of people (Schedule 1, Part 2, paragraph 8). Relying on a Schedule 1 Part 2 condition also requires the organisation to have an appropriate policy document in place.

Organisations should also factor in broader data protection considerations, including:

  • Conducting a legitimate interest assessment and/or a data protection impact assessment, to explore how D&I monitoring should take place in practice and identify and implement any safeguards.
  • Providing privacy information (eg in a staff privacy notice).
  • Limiting what data is collected to the minimum required for the D&I programme. Ask what is actually needed for year-on-year benchmarking, and collect no more than that.
  • Only using D&I data for the reasons it was collected, like D&I monitoring, and not for new purposes. Carefully plan any D&I programme before collecting data.
  • Limiting the ability of the organisation (including HR staff and survey administrators) to identify D&I survey participants. Retain raw data for the minimum time necessary, then anonymise or delete it. Be wary of small data sets: a department of a handful of people, or a category with one or two respondents, can be re-identified from aggregate figures, so small groups are trickier to anonymise.
  • Keeping D&I survey participant data separate from employment files.
  • If an external organisation is appointed (which can be useful in terms of limiting internal access to sensitive data), ensuring that organisation has appropriate security measures to protect the data, and that any contractual data protection requirements are covered. 
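Small-cell suppression, as an added example that is not part of the original article: the Python below tabulates constructed (not real) survey responses by department and ethnicity, drops groups too small to publish at all, suppresses cells below a minimum count, and applies complementary suppression so a lone suppressed cell cannot be recovered by subtracting the others from the published group total. The department names, ethnicity categories and threshold of five are assumptions chosen for illustration; the right threshold is a risk decision for the DPIA.

```python
from collections import Counter, defaultdict

# Constructed sample responses (not real survey data). Responses are collected
# without names or staff IDs: the administrator only needs the grouping field
# and the monitored attribute, never who gave which answer.
def _rows(dept, *pairs):
    return [{"dept": dept, "ethnicity": eth} for eth, n in pairs for _ in range(n)]

RESPONSES = (
    _rows("Engineering", ("White", 9), ("Black", 2), ("Asian", 1), ("Prefer not to say", 3))
    + _rows("Sales", ("White", 6), ("Asian", 2))
    + _rows("Legal", ("White", 2), ("Black", 1))
)

# Hypothetical minimum cell size. Five is a common rule of thumb for published
# statistics; the threshold actually used should come out of the DPIA.
MIN_CELL = 5


def tabulate(responses, group_field, attr_field, min_cell=MIN_CELL):
    """Cross-tabulate attr_field by group_field with small-cell suppression.

    Returns {group: None} for groups too small to publish at all, otherwise
    {group: {"total": n, "cells": {category: count or None}}}, where None
    marks a suppressed cell.
    """
    groups = defaultdict(Counter)
    for r in responses:
        groups[r[group_field]][r[attr_field]] += 1

    table = {}
    for group, counts in groups.items():
        total = sum(counts.values())
        if total < min_cell:
            # A department of three people: any breakdown identifies them.
            table[group] = None
            continue
        cells = {cat: (n if n >= min_cell else None) for cat, n in counts.items()}
        suppressed = [cat for cat, n in cells.items() if n is None]
        if len(suppressed) == 1:
            # The group total is published, so a single suppressed cell can be
            # recovered by subtraction. Suppress the next-smallest cell as well
            # (complementary suppression). At least one cell is still published
            # here, because a group with a single small category would have
            # failed the total check above.
            smallest = min((n, cat) for cat, n in cells.items() if n is not None)
            cells[smallest[1]] = None
        table[group] = {"total": total, "cells": cells}
    return table


def render(table, min_cell=MIN_CELL):
    """Plain-text rendering of the suppressed table for the published report."""
    lines = []
    for group, data in table.items():
        if data is None:
            lines.append(f"{group}: not published (fewer than {min_cell} respondents)")
            continue
        cells = ", ".join(
            f"{cat}={'*' if n is None else n}" for cat, n in sorted(data["cells"].items())
        )
        lines.append(f"{group} (n={data['total']}): {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(tabulate(RESPONSES, "dept", "ethnicity")))
```

Suppression protects the published table, not the raw responses, so the retention and access limits above still apply to the underlying data. Note also that two tables published a year apart can be differenced to reveal a small group of joiners or leavers, which is one reason the list of tables to be published should be fixed when the programme is planned rather than decided ad hoc.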

Organisations may also be asked to share D&I information, for example when marketing their services, or may be required to publish it under legal or regulatory reporting requirements.

Organisations should plan for each of these uses in advance, including explaining how data will be aggregated and anonymised. While truly anonymised data is no longer personal data, it is still helpful to explain to individuals how anonymised outputs (like D&I statistics across the organisation) will be used.

Getting it right

D&I data forms part of the social pillar of ESG governance and can be an invaluable tool for monitoring and demonstrating progress in this area. However, if D&I monitoring is not conducted properly, individuals' sensitive information risks being mishandled, with all the damage to individuals, and to the organisation, that entails. The HR or other team(s) managing D&I should work closely with D&I decision makers at the executive level, including to ensure that D&I goals and business strategies are aligned.

Here to help

We can advise on how to conduct D&I data collection or monitoring. Please get in touch if you would like to discuss this further.
