Recommendations issued by the French Data Protection Authority with regard to diversity monitoring in the workplace

Partnerblog

The French Data Protection Authority (CNIL) has issued a recommendation on how to conduct diversity monitoring within companies. With this recommendation, the CNIL aims to provide tools to help achieve a balance between promoting equal opportunities and protecting personal data.

Diversity monitoring is used to evaluate the composition of a company’s workforce based on various factors such as gender (identity), age, social, geographic or cultural background, and disabilities. The goal is to use objective data to implement measures that foster a more diverse and inclusive workplace. Although such monitoring is generally done with positive intentions, it does carry certain risks in terms of data protection, privacy and discrimination. The CNIL’s recommendations aim to mitigate these risks.

Voluntary participation

The CNIL states that employers must ensure that the employees’ participation to a diversity survey is entirely voluntary and free from any form of coercion. Employees must be free to decide whether to participate, and refusal must not result in any negative consequences. According to the CNIL, this level of voluntariness must also apply to each individual question (e.g., by including a “no answer” option).

The CNIL strongly recommends using anonymous surveys wherever possible. In practice, this means that no data should be processed that could lead to the identification of the respondent (e.g., a name or an employee number).

As a best practice, the CNIL advises using broad wording and multiple-choice questions. For example, instead of asking for an exact age, surveys might ask respondents to indicate an age range (e.g. “Are you between 20 and 25, 25 and 30, or over 30?”). Open-ended questions should be avoided, in line with the principle of data minimisation.

Furthermore, the CNIL highlights two additional risks with regard to anonymous responses: (1) combining survey answers can reveal identities, and (2) in smaller companies or departments, it’s easier to identify individuals.

…but not mandatory

Nevertheless, the CNIL recognises that conducting anonymous surveys may not always be practical and confirms that diversity monitoring does not require full anonymisation to comply with legal standards.

If the diversity survey is not fully anonymous, the CNIL points out the following points of attention:

  • Legal basis: According to the CNIL, diversity metrics may be based on the employer’s legitimate interest, particularly when it is part of a policy aimed at preventing and combating discrimination. However, for special categories of personal data (e.g., religious beliefs), explicit consent must be obtained according to the CNIL. It remains questionable whether consent can truly be considered “freely given” in an employment context, given the inherent subordinate position of the employee.
  • Trusted third party: The CNIL recommends to engage an external, independent party to conduct the survey and to report the results anonymously, thereby ensuring data security and confidentiality.
  • Additional recommendations: The CNIL also emphasises the importance of full transparency towards data subjects, the establishment of clear agreements with processors and/or joint controllers, the setting of a retention period for responses (with a suggested maximum of six months), conducting a Data Protection Impact Assessment (DPIA) in advance, and implementing measures to ensure the confidentiality and security of the data.

The Belgian DPA has not yet taken a firm position on the topic but when asked, it questioned whether there can be a valid legal basis for diversity monitoring. Bearing this in mind the CNIL recommendations can serve as valuable inspiration for Belgian employers for conducting a diversity survey.

Author

Matthias Vandamme

Delen