D&I: 6 Important Data Privacy Mistakes Most Organisations Make

Written by
David Whitfield
If you're ready to embark on collecting data to help build or enhance your D&I strategy, it's essential to: 

  • Understand the regulations you need to follow.
  • Establish the proper protocols.
  • Make sure you have the right security systems in place to store data securely.

At HR DataHub, we work with large, medium and small businesses throughout the UK. For this reason, we have front-row seats to witness all the things successful organisations do well, and there is a lot one can learn from them to avoid common data collection mistakes.

We’ve put together this quick read to highlight the most common mistakes and tell you how to avoid them as you begin your data collection journey.

6 Most common mistakes in collecting diversity and inclusion data

1. Not considering the lawful basis for the data

An employer must establish a legal basis for collecting, analysing, sharing or processing any employee's data.

Under Article 6 of the UK GDPR, there are several grounds you can consider, which include:

  • There is an obvious need for data that relates to the performance of the employment contract.
  • It's necessary to have the data to comply with a legal obligation.
  • Where you're processing in the legitimate interests of the employer (or a third party).

When dealing with 'special category' data

This falls under Article 9, which is more restrictive than Article 6.

Special category data relates to an employee's racial or ethnic origin, sexual orientation, religious or political beliefs, disability, gender where it refers to gender identity or reassignment, or other information that concerns an employee's health.

Too many organisations fail to consider the lawful basis for processing D&I data. As a result, they don't necessarily satisfy the condition for processing special category data, which could leave them in breach of the principles and potentially subject them to substantial fines.

Two main conditions are relevant for most employers to ensure you comply:

  • Monitoring data to prevent workplace discrimination based on protected characteristics and monitoring and facilitating equal opportunities. 
  • Identifying and reviewing equality of opportunity and treatment between identified groups.

Depending on which is most relevant to your organisation, you'll need to create privacy documents and policies and record your data processing activities to rely on using these conditions. Working closely with your Legal or Risk team to establish these before collecting any data is essential to ensure that you comply with the conditions set out in the UK GDPR.

2. Relying on employee consent 

Some employers think they can rely on their employees' consent to share their information to meet the conditions of the UK GDPR. 

This is not enough.

Due to the evident power imbalance between employers and employees, consent isn't a valid condition. 

You’ll need to establish a valid condition under either Article 6 or Article 9 of the UK GDPR, depending on the type of data you’re collecting.

3. Collecting data that causes distress

Sometimes, organisations unintentionally collect data that may cause substantial distress or even damage to their employees.

When this happens, it can automatically invalidate your Article 9 condition for processing the data.

A thorough Data Protection Impact Assessment (DPIA) can help avoid this by identifying and minimising risk before collecting D&I data. There's an element of risk whenever a business collects, stores, or uses personal data. These risks can involve data being stolen, released or used for unknown purposes by your organisation. A DPIA helps identify those risks to minimise them early on. It's also valuable to show your compliance with the UK GDPR.

It's also essential to communicate with your employees about why you're collecting their data and how it will be used and stored. It's important to allow employees to request that you don't process their D&I data if they don't feel comfortable sharing this with you. Creating a workplace where all employees understand your D&I strategy and goals and can see support at all levels of your organisation can help build trust and encourage your employees to share their information.

4. Not considering how anonymous data impacts your analysis

While collecting data anonymously can be helpful to encourage employee participation and means you aren't required to meet the conditions under the UK GDPR, it has its limitations when it comes to insightful analysis. Relying solely on anonymous data can give you some high-level insight into the diversity and inclusion challenges your business faces. Still, it doesn't allow you to drill down to determine what levels of your organisation, business units or teams are the priority areas to address. 

There are also some challenges that smaller businesses or teams face when collecting data anonymously. For instance, if there’s only one female team member in an IT team, some of the data you collect won’t truly be anonymous anymore.

Easier ≠ better

It's important not to rush into an anonymous survey because it's an easier option. Instead, consider what you're trying to achieve by collecting the data and whether anonymous data will support your diversity and inclusion strategy. It may be a good approach if you're just starting your D&I journey to build a data set. Still, if you're looking at building targeted and measurable activities to improve your D&I culture, then it may not be the right option for your business.

Where you can't collect anonymous data, remember that the personal information you collect shouldn’t be linked to the employee for any longer than is necessary.

5. Using data analysis to make decisions about specific employees

If you’re using the equal opportunity and treatment condition under Article 9 for processing your D&I data, a common mistake for many employers is using data to make decisions about particular employees.

Examples include placing an individual on a talent programme that can lead to greater diversity in your leadership team without assessing their capabilities or career goals, or making assumptions about groups of employees, such as ‘all female employees wanting more leadership opportunities or part-time work’.

While your intentions may be good, it's not permissible under UK GDPR.

Instead, aim to keep the focus of your analysis away from the individual employee level. Look at business units in your organisation, job roles, and responsibilities. Consider grouping together different characteristics to analyse your data to drive your D&I strategy rather than looking at elements affecting specific employees.

6. Data storage mistakes

A typical storage mistake when it comes to D&I data is storing it for longer than is necessary for the stated D&I purpose. For instance, many organisations don't have established processes to review the data to ensure it's kept up to date. In practice, inaccurate or incomplete data should be amended or erased within 30 days.

Establishing processes about how you'll store the data before you collect any personal information is a valuable step to take. Methods should include: 

  • Implementing protocols for reviewing the data regularly.
  • Highlighting which individual or team handles this review.
  • Assessing how you'll delete inaccurate or incomplete data within the timeframes.

Aim to incorporate this into established workflows so that it becomes part of your IT or HR team's daily activities. Where possible, consider incorporating these activities into team KPIs to drive support.

Ready to embark on your D&I data collection journey?

With the proper protocols in place, it's easy to overcome data collection mistakes and ensure that your processes are compliant. 

If you need any assistance, we're here to help!

Get in touch with us to find out how we can support you with your D&I data collection journey to help you build a workforce focused on improving diversity and inclusion for your employees.