Embedding Privacy by design into D&I initiatives

Trace’s Founder spoke to Laura Bosworth at Netwomen’s fireside chat

How can we embed Privacy by Design when collecting and using data for Diversity and Inclusion (D&I) initiatives? How can we build and sustain trust when using employee data?

Trace’s Founder, Sorcha Lorimer joined Netwomen’s Laura Bosworth for a fireside chat to share insights and tips for global organisations seeking to legally, ethically and securely collect and store employee data for D&I initiatives. This article presents back the key points and topic areas but is not a transcript of the conversation (our video will be shared).

Laura: Businesses are facing increased pressure to be transparent about their D&I metrics and progress. However, they must balance that with data protection compliance. Can you explain how a business can collect data ethically, legally and sensitively for diversity and inclusion?

Sorcha: Any data collection campaign - whether a survey or push to have employees update HR profiles - needs to be planned, designed with the right guardrails and context, and executed sensitively.

To do that, a business first needs to look at which countries their employees - their data subjects - are from, and which corresponding national laws on data protection or diversity data reporting apply. There may be local and cultural sensitivities or language nuances to consider too. All of that needs to be mapped up front: what really needs to be collected, and why (i.e. what’s the business objective), and does that align with the law and with what people are willing to share?

A robust Data Protection Impact Assessment (DPIA) early on is key for compliance and allows a proactive analysis and exploration of:

  • relevant global (and then local) privacy laws and the lawful basis for the processing

  • the threats, to ensure that risks are mitigated early - e.g. what system will be used to process data, and is it safe? How will data be secured and well governed end to end?

  • the communications around the initiative - is the right to be informed being upheld? Are ethical principles applied? Is the use of data proportionate and transparent?

Overall, whether or not (as a business) your employees will share data with you for a D&I initiative comes down to trust. When there is faith that data is being processed with good intentions and will be looked after, trust that it’s a secure system to collect data (e.g. the survey app), and assurance that the initiative is not about surveillance or another nefarious agenda - then people will share their information IF that aligns with their own data sharing and privacy boundaries.

Comms is thus an essential pillar to any D&I survey or initiative - as a business you need to explain why people should participate, how data will be used and kept safe, what their answers will be used for, how long the data will be kept. Strong comms supports this trust bridge between the business and the employee.

Laura: Are there strategies and practices that can be implemented to ensure that data collection respects employees' privacy? What is the role of consent, anonymisation, and data security in maintaining privacy while gathering valuable information?

Sorcha: The key to embedding privacy safeguards early and taking a Privacy and Security by Design approach is to have privacy expertise be part of the project early on and in the requirements stage, so that the survey or data gathering exercise can bake in privacy safeguards from the outset and apply policies actively.

An example of that is the design of forms - are they asking too much, are the answers too open, is there a link to the privacy notice which explains how data is used? And is the online form hosted on a secure link? Is that data being collected directly into a restricted-access Google Drive, for example, rather than firing to someone’s email? How slick is the end to end data flow? This all needs to be considered, and this is where the compliance team becomes part of the solution; it should be a collaboration.

The other factor to consider is the nature of the data - how sensitive is it? Surveys might be collecting not just personal data but special category data such as religion so there needs to be a lawful basis - and where it’s a special category we need a second basis under GDPR.

The DPIA (and vendor assessment) will help to map this legal pathway and to assess the security safeguards in place in the system. A robust DPIA will also look at not only the data flow but the data model: what is planned to be collected. The Privacy lead or DPO will consider that plan through a data minimisation lens - is it all needed? How will it be governed? Will the data be anonymous or pseudonymous? The difference is nuanced but crucial under GDPR.

In terms of consent, it’s worth noting that the employer-employee situation is generally considered an imbalanced relationship - an employer naturally has the power here, so in most cases consent can’t be used, and the DPO will look at other bases.

Laura: Let’s talk about trust a bit more. How can organisations be open about their data practices and reassure employees that their data will be used responsibly?

Sorcha: Transparency is a big word and it’s an essential ingredient in all of this, but it’s important to say that transparency is a journey; it’s almost impossible to be transparent about everything all the time.

Transparency is not as simple as sharing everything; it’s about making things clear to the audience, and it can take some time to make things concise and clear. So it’s about being open as a business, which might include the fact that you might need time to create communications.

Transparency is closely related to the right to be informed - the data subject/the employee needs to be notified with relevant employee privacy statements when the data is collected (that’s enshrined in GDPR and CCPA where the subjects are European or Californian residents, for example). So when you’re running a survey or other campaign which involves D&I data collection, it is vital to have a privacy notice which is easy to understand and explains what is being collected, why, and how it will be used - with a link to an up to date employee privacy notice as part of a just-in-time approach.

Transparency underpins trust, and how trusted you are as a business reflects your culture - how do you talk to your people? Do you keep promises, including when it comes to the use of information? Have you been accountable for other areas - and here’s where there may be an opportunity to re-build trust where it’s low or has been damaged through this true accountability. Be honest about past mistakes and create an open dialogue about how you will address these or change processes or strategies.

Trust is dynamic, and according to Edelman’s 2023 Trust Barometer businesses are seen as more trusted than NGOs, the media or government. Your employees want to trust you, which is a gift that needs to be nurtured and worked at to be maintained, whether that’s through comms or maintaining data management processes.

Laura: Can you share the practical steps and tips that organisations can take to utilise data for inclusivity efforts?

Sorcha: In terms of key steps and tips, what I suggest here is:

  1. Involve privacy and data security expertise early when planning a D&I data gathering or use campaign - to look at the data model, consider what can and should be included, consider the systems’ security, and plan the communication in line with transparency

  2. Start a DPIA early and keep it active to flush out and manage risks

  3. Check your objectives are feasible - make sure the data or analytics can be used by the organisation, or published - for example by anonymising data and taking it through disclosure control so any published reports are insights, not data.
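The anonymous-versus-pseudonymous distinction raised earlier and the "insights, not data" point in step 3 are easier to see in code. The following is an added example, not code from the conversation or from Trace; it uses a constructed survey spec (made-up departments, religions and counts), a placeholder HMAC key, and an assumed minimum cell size of 5. It pseudonymises employee ids with a keyed hash (still personal data, because the key holder can re-link answers), drops everything the analysis does not need, and then applies small-cell suppression with a secondary suppression step so that a hidden cell cannot be recovered by subtracting from the department total.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed spec for a small D&I survey: (department, religion, respondents).
# Made-up numbers, not real employee data.
SAMPLE_SPEC = [
    ("Engineering", "None", 6),
    ("Engineering", "Christian", 5),
    ("Engineering", "Muslim", 2),
    ("Marketing", "None", 3),
    ("Marketing", "Christian", 3),
    ("Finance", "Hindu", 2),
]

# Placeholder key (assumption): in practice it lives in a secrets store reachable
# only by the team that may re-link answers (e.g. HR), never by report readers.
PSEUDONYM_KEY = b"placeholder-key-held-by-hr-only"

# Assumed smallest cell that may be published; below this a reader could
# single out individuals.
MIN_CELL_SIZE = 5


def build_sample_responses(spec=SAMPLE_SPEC):
    """Expand the spec into one row per respondent with a synthetic employee id."""
    rows, next_id = [], 1000
    for department, religion, n in spec:
        for _ in range(n):
            rows.append({"employee_id": f"E{next_id}",
                         "department": department, "religion": religion})
            next_id += 1
    return rows


def pseudonymise(employee_id, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of the id. Deterministic, so the key holder can
    link answers across survey waves; that linkability is why the result is
    pseudonymous personal data under GDPR, not anonymous data."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_responses(responses, key=PSEUDONYM_KEY):
    """Replace the direct identifier and keep only the fields the analysis needs."""
    return [
        {"pseudonym": pseudonymise(r["employee_id"], key),
         "department": r["department"],
         "religion": r["religion"]}
        for r in responses
    ]


def disclosure_controlled_table(responses, threshold=MIN_CELL_SIZE):
    """Counts of religion per department with small cells suppressed (None).

    Primary suppression hides any cell below the threshold. Secondary suppression
    hides one more cell when exactly one was suppressed, because otherwise the
    hidden value follows from the department total. A department whose total is
    below the threshold is withheld entirely."""
    by_dept = defaultdict(Counter)
    for r in responses:
        by_dept[r["department"]][r["religion"]] += 1

    table = {}
    for dept, counts in by_dept.items():
        total = sum(counts.values())
        if total < threshold:
            table[dept] = {"total": None, "by_religion": {}}
            continue
        suppressed = {rel for rel, n in counts.items() if n < threshold}
        if len(suppressed) == 1 and len(counts) > 1:
            smallest_visible = min((n, rel) for rel, n in counts.items()
                                   if rel not in suppressed)
            suppressed.add(smallest_visible[1])
        table[dept] = {
            "total": total,
            "by_religion": {rel: (None if rel in suppressed else n)
                            for rel, n in counts.items()},
        }
    return table


if __name__ == "__main__":
    pseudo = pseudonymise_responses(build_sample_responses())
    for dept, row in disclosure_controlled_table(pseudo).items():
        print(dept, row)
```

With the constructed data, Engineering publishes "None: 6" out of 13 but hides both the Muslim cell (2, below threshold) and the Christian cell (5, hidden only so the Muslim count cannot be derived by subtraction); Finance, with two respondents in total, is withheld outright. The pseudonymised rows should stay behind the same access controls as the raw survey, since they are still personal data; only the suppressed table is the publishable insight.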

Laura: Considering the legal and regulatory frameworks surrounding data privacy and ethics, such as GDPR or CCPA, how can organisations align their data practices with these regulations to ensure compliance?

Sorcha: GDPR and other data protection regulations such as CCPA have certain compliance requirements which a D&I programme will need to map to and follow, and I’d advise that GDPR is the starting point in this example given its extraterritoriality, but there are nuances with other regulations (for example CCPA’s toll-free number requirements, or the CCPA/CPRA do not sell/do not share mechanisms) which can’t be ignored. We specialise in global organisations, so we’re used to this process at Trace.

However, it’s important to be pragmatic. A detailed, documented legal and technical mapping analysis can be burdensome, so we find that a joined-up and collaborative approach - for example, starting with a round table and using generalist experts - is a good way to get started.

————

For more information about Trace’s boutique privacy and data governance services, see our client brochure here.

Sorcha Lorimer