GDPR compliance and inclusion: striking the right balance
The General Data Protection Regulation (GDPR) generally prohibits the processing of sensitive data relating to, e.g., an individual’s sexual orientation, religious affiliation, health information or ethnic background unless certain prescribed exceptions are met. In practice, this can be an obstacle for inclusion and diversity initiatives.
In today’s challenging labor market, companies are asking themselves how they can become even more attractive to applicants and employees from diverse backgrounds, in order to harness untapped talent pools. Well-planned diversity and inclusion initiatives can improve the participation of underrepresented groups in particular roles or functions, and support inclusion from a wider community perspective.
Equal treatment and positive action
Equality laws across Europe protect individuals from discrimination because of certain personal characteristics. Although some jurisdictions go further, the EU and UK protect as a minimum sex, race, religion or belief, disability, age and sexual orientation. Discrimination may be direct (where a person is treated worse than another because they have, are perceived to have, or are associated with a person who has a particular protected characteristic) or indirect (where, although the same rule or practice is applied equally to all, it places those who hold a specific protected characteristic at a disadvantage). For example, a company retreat scheduled on the Saturday on which the Pride parade takes place would not appear to be a scheduling conflict to many employees, while members of the LGBTIQ community (and those who advocate for them) might perceive this as a discriminatory restriction on private activities. Similarly, an internal company policy on “paternity leave” might be perceived as discriminatory unless it also applies to mothers who did not give birth to the child.
Positive discrimination (discriminating in favour of a particular under-represented group) is generally unlawful. Despite that, employers are permitted to take general positive action measures where they have identified that individuals who form part of a group with a particular protected characteristic, such as sexual orientation, suffer a disadvantage related to that characteristic, have disproportionately low participation levels in an activity, or have bespoke needs. An employer considering positive action should be clear about the specific outcome it seeks, assess whether the proposed action is proportionate, and set a time frame after which the results will be reviewed. An employer might, for instance, discover through data analysis that a disproportionately low number of managers identify as disabled relative to their numbers in the organisation, and decide to introduce a mentoring scheme to encourage talented individuals from that community to seek promotion.
To better understand the extent of the challenges within their own organization, companies should ask employees to share relevant personal data and leverage that data across the business to analyse barriers to progress at every stage. The outcome of that analysis can then be used to direct resources effectively to the most impactful IDE initiatives. After all, only those who know where the challenges lie can tackle them effectively. For example, if the organization loses an above-average number of disabled employees, it should investigate the reasons for this to determine whether there is a discriminatory factor at play, and to identify what action should be taken.
Staff surveys and data protection
Inevitably, this will mean collecting information that qualifies as “sensitive” data under the GDPR. This might include, in particular, ethnic origin, religious beliefs, health data or data relating to sexual orientation. The GDPR only permits the processing (and therefore the collection) of this data in very limited cases, and local laws may have their own further restrictions.
To process personal data lawfully under the GDPR, there needs to be a lawful basis, for example, where the processing is necessary for complying with a legal obligation. Although many European jurisdictions prohibit discrimination against certain protected characteristics, the duty does not necessarily extend to a legal obligation on employers to actively promote diversity and inclusion (although in some, such as France, there is a duty to carry out equal opportunities and diversity monitoring). This means that in some jurisdictions, an employer cannot use “necessary for a legal obligation” as the lawful basis for diversity data processing.
In addition, processing sensitive personal data (e.g. relating to ethnicity, religious belief, health and sexual orientation) needs to satisfy a further “Article 9” condition in order to be lawful under the GDPR. In the context of diversity data monitoring, the most commonly used condition is processing with the data subject’s explicit consent, although again, this does not apply uniformly across the EU, with Italy, Spain and Poland being particularly high risk. There is always an inherent question of whether consent can be said to be freely given in an employment relationship, and even if it is, the consent can be withdrawn at any time. In the UK, special category data can be processed under the additional condition of “substantial public interest”, which for employment purposes includes equality of opportunity or treatment, and racial and ethnic diversity at senior levels of organisations. But this is unique to the UK.
For companies that aim to comply with the GDPR, another option in those jurisdictions where other options are not available is to resort to a works agreement (i.e., a “collective agreement” as provided for in Art. 88(1) GDPR). According to Art. 88(1) GDPR, Member States may, by law or by collective agreements, and within the guardrails of Art. 88(2) GDPR, inter alia provide for more specific rules as regards the processing of personal data in the employment context, including for the purposes of equality and diversity in the workplace. Insofar as employer and works council agree to allow the company to process the aforementioned sensitive data to promote diversity and inclusion, companies can indeed collect this data and respond to the associated special needs of the employees. This ranges from the consideration of religious dietary requirements in Islam or Judaism, to religious fasting periods, for example during Ramadan or before Easter in Christianity, to the needs-based individualization of working hours. While this option sounds promising, the ECJ has recently shown a critical attitude towards Member States’ (in the specific case, Germany’s) use of the opening clause in Art. 88(1) GDPR (cf. C-34/21 of March 30, 2023) and, moreover, a collective agreement always has to respect the employees’ fundamental rights (cf. Art. 88(2) GDPR). In our experience, this is not a common approach in practice.
That said, if no works council has been established or if the national law in the respective Member State does not recognize the institution of a works council, the collection of such data about the company’s employees is, in principle, inadmissible. In addition, in countries where the processing of such “sensitive data” is only allowed when mandated by law and there is no such law in place, this processing would be unlawful.
A legislative amendment is needed
In order to improve the current legal situation, it would be worth introducing explicit legal provisions that allow the collection of sensitive data for the purpose of promoting diversity and inclusion. To prevent misuse, certain strictly defined data protection and data security requirements would have to be met. The existing rules on data processing for statistical purposes could serve as a point of reference, but require some clarification. According to the wording of the law (Art. 89 GDPR), the collection of sensitive personal data for statistical purposes is currently only permitted in limited circumstances. However, as this approach is often not realistic in practice, improvements would have to be made here.
Diversity and inclusion objectives constantly require us to question traditional structures and look for improvements. This also holds true for established legal or regulatory frameworks such as the protection of sensitive personal data under the GDPR. Without this critical examination, we risk settling for good intentions instead of achieving genuine inclusion.
This is the second post in our three-part blog series. You can find our first article at the link below – look out for the final instalment next week.