When we talk about diversity, equity, and inclusion, we are simply talking about the way we treat people. And where there are people, there is data – lots of it. How we treat data also links directly to how we treat people. It’s impossible to separate the two.
There is a saying, ‘If you can’t measure it, you can’t manage it’, and there is some truth to that. Seeing the numbers in black and white in areas such as gender pay or ethnic diversity can be sobering and impactful. It can also give us a baseline from which to aspire to, and demand, better.
However, we also need to understand the responsibilities of collecting information about individuals, not only because there is a legal imperative but also because there is an ethical one.
If we manage data well, individuals can trust and have confidence in organisations, people, and processes. If we mishandle it, lives can be impacted, and reputations damaged.
Data protection legislation provides a framework of governance, accountability, rights, and responsibilities.
One of the first things we must do is ensure absolute clarity about what we want to do, why we want to do it, what information we want to collect, and how we will ensure that information is handled correctly. It’s too easy to launch into gathering information, which, in this digital era, is easier, faster, and cheaper than ever before. But just because we can, doesn’t mean we should.
We also need to be very aware of the potential for unintended consequences. Even with the best intentions, things do not always go to plan.
A great example of this is when, back in 2018, Amazon used artificial intelligence (AI) to help with its recruitment process. Before long, it became clear that the system was discriminating (a lot!) against women. This happened because the machine learning models had been trained to vet applicants by reviewing the CVs of people who had successfully applied for jobs at the company previously.
It’s no secret that men dominate the tech industry, so the CVs that were seen as the ‘gold standard’ were almost exclusively those of male employees. Unsurprisingly, Amazon scrapped the recruiting tool, although there’s still evidence that many businesses are using AI-supported tools less critically. The discrimination may not have been intended, but unintended is not the same as unforeseen. We need to think, and we need to build governance and ethics into the process from the start.
With that clarity, we can take steps to engage better with the other important compliance requirements, which include:
Data protection by design
Understand and engage with the data protection requirements from day one. Waiting until the project is up and running to consider these requirements usually ends badly. Approach compliance as a core ingredient rather than something to tick off as having been done.
Data protection impact assessment
Particularly if you will be collecting ‘special category data,’ assess the impact from a data protection perspective and document it. Impacts are not always obvious, so encourage thinking ‘outside the box’ to really work through any unintended consequences and ensure you do everything possible to minimise the potential for adverse outcomes. Remember, unintended is not the same as unforeseen, so we must hone our ‘foreseeing’ skills.
Legal basis
Establish the legal basis for the processing. If it involves ‘special category data’, such as sexuality or race, make sure you have identified the specific legal basis because information of this nature is afforded much higher protection.
Accountability
This is a core principle for the handling of all personal data. Be accountable. It’s not rocket science, but it does require care and attention to get right. Imagine it’s your private information – how would you want it to be handled?
Openness and transparency
When you collect individuals’ data, you must provide them with the information they are entitled to. This includes the reasons for the processing, possible disclosures, and details of how they can exercise their rights.
Security
Holding other people’s information is a privilege and a responsibility. Look after it accordingly. Security risks are real, and not paying attention to them will impact the individuals and your business.
Individuals’ rights
We all have rights over our personal data. Proactively communicate these rights to the individuals whose data you have, and be ready (and willing) to respond promptly to any requests.
The legislation protecting our personal data is not designed to make life difficult or prevent you from conducting lawful, legitimate business activities. It is there to ensure that we treat each other with respect and care, and in turn, treat our personal data with respect and care.
Handling our data in the context of DEI carries with it special responsibilities. It has the potential to support better outcomes, and it has the potential to do the opposite. It is up to us to decide which.