Collecting Diversity, Equity and Inclusion Data Under GDPR
Q: Our association is interested in collecting data to further our efforts on diversity, equity and inclusion [DEI]. However, one of our European members has said that we may not be able to do that because of the General Data Protection Regulation [GDPR]. Is that true? Does Brexit change anything for our British members?
A: The GDPR, which was adopted by the European Union (EU) on May 25, 2018, regulates the collection, use, storage and maintenance of “personal data” belonging to EU residents. As defined by the GDPR, “personal data” includes, for example, individuals’ names, email addresses, photographs, bank details, social media posts, medical information and Internet Protocol (IP) addresses. By its terms, the GDPR regulates entities located both within and outside the EU, including those in the United States, that obtain personal data of EU residents in connection with goods and services provided to them. Goods and services include those for which payment is made (e.g., membership; conference registration), as well as those freely available on an association’s website (e.g., online communities).
GDPR regulates the processing of all personal data, but it applies stricter rules to “special categories of personal data,” which include data concerning race and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data identifying an individual, health data and data concerning one’s sex life or sexual orientation. Special category data is considered particularly sensitive because of its potential to be used for unlawful purposes, such as discrimination or curtailment of individual freedoms. As a result, GDPR prohibits its processing altogether unless certain exceptions apply.
Those same “special categories of personal data” are exactly what associations are increasingly interested in collecting and using for DEI initiatives. Associations may process such information only if they comply with the terms of one of the exceptions set forth in the regulation. For example, associations can obtain explicit consent from the individual subjects of the data request. For the consent to meet GDPR requirements, the association must advise the individuals of the purpose and length of time for which it is requesting the data and make clear that they may elect not to respond. As a practical matter, an association may meet the explicit consent requirements by: (i) highlighting the relevant question(s) (e.g., by using pop-up or similar online technology that allows the data subjects to review individual requests for information and either “accept” or “decline” the opportunity to respond); (ii) stating the purpose for which the information will be used (e.g., to improve annual meeting programming; to increase diversity among board and/or committee membership); and (iii) advising the data subjects that responses are voluntary and they may withdraw their consent at any time.
When an association wishes to obtain special category data only for the organization’s internal purposes, it may process the data under a separate “not-for-profit” exception. Specifically, the data processing must relate only to association members, former members or persons in regular contact with the association in connection with its purposes and must be carried out “in the course of [the association’s] legitimate activities with appropriate safeguards” in place. The data processed cannot be disclosed outside the association without the consent of the data subjects. This exception arguably is less cumbersome for an association to meet than obtaining explicit consent; however, the allowable use of any resultant data is more restricted. In addition, such processing lacks the transparency associated with obtaining explicit consent. As a result, associations processing special category data to further DEI efforts may decide that it is more prudent to seek explicit consent.
Regardless of the exception relied upon, associations processing special category data should document plans for retaining the data for only as long as it is used and in no event longer than the period for which it obtained data subjects’ consent. In addition, associations should seek guidance from appropriate technical personnel as to how such data may be isolated and deleted (or de-identified) within the established time frame.
While the United Kingdom officially left the EU last year, GDPR-type requirements continue to protect the personal information of U.K. residents. The U.K. adopted its own Data Protection Act in 2018 (DPA 2018), which was amended as of Jan. 1, 2021, to reflect the U.K.’s status outside the EU. DPA 2018 includes the U.K. GDPR, which, as the title suggests, broadly adopts the principles of the EU GDPR. Accordingly, the rules for processing personal data belonging to U.K. residents are substantially similar to those for EU residents.
There are many positives associated with collecting demographic data to further DEI efforts within associations and the industries and professions that they represent. So, too, are there benefits to protecting members’ (and others’) most sensitive information from use for discriminatory purposes. The real challenge for associations is to understand what data they can collect, and the manner in which they may collect it, so as to protect individual rights while furthering their broader societal goals. With careful planning, along with legal and technical support, associations can do both.