Newsflash
Data protection and privacy

The French Data Protection Authority (CNIL) has issued a recommendation on how to conduct diversity monitoring within companies. With this recommendation, the CNIL aims to provide tools to help achieve a balance between promoting equal opportunities and protecting personal data.

Diversity monitoring is used to assess the composition of a company’s workforce based on various factors such as gender, age, social, geographic or cultural background, and disabilities. The goal is to use objective data to implement measures that foster a more diverse and inclusive workplace. Although such monitoring is generally done with positive intentions, it does carry certain risks – particularly in terms of data protection, privacy and discrimination.

In a previous newsflash, we discussed the position of the Belgian Data Protection Authority on this topic and the complexities it presents for employers. The CNIL’s recommendations may serve as a useful complement.

Voluntary participation

The employer must ensure that participation in the survey is entirely voluntary and free from any form of coercion. Employees must be free to decide whether to participate, and refusal must not result in any negative consequences. According to the CNIL, this level of voluntariness must also apply to each individual question (e.g., by including a “no answer” option).

Anonymous surveys are strongly recommended…

The CNIL strongly recommends using anonymous surveys wherever possible. In practice, this means that no data should be processed that could lead to the identification of the respondent – such as the name of the respondent, the date of birth, the address, the IP address, or the employee number.

It is also important to consider the risk of re-identification through the combination of answers to different questions within the same or even across different surveys. While individual answers may be anonymous, they could still lead to identification of the respondent when combined.  

As a best practice, the CNIL advises using broad wording and multiple-choice questions. For example, instead of asking for an exact age, surveys might ask respondents to indicate an age range (e.g. “Are you between 20 and 25, 25 and 30, or over 30?”). Open-ended questions should be avoided, in line with the principle of data minimisation.

Finally, the CNIL points out that the size of the company or specific departments can significantly impact the risk of re-identification. An anonymous survey in a department with only 10 employees could quickly lead to the re-identification of respondents. 

…but not mandatory

However, the CNIL acknowledges that anonymous surveys are not always feasible and confirms that diversity monitoring does not need to be fully anonymised to be legally valid.

If the diversity survey is not fully anonymous, the GDPR applies. This has several consequences:

a) Legal basis

According to the CNIL, diversity metrics may be based on the employer’s legitimate interest, particularly when they are part of a policy aimed at preventing and combating discrimination. The CNIL provides some recommendations to ensure a fair balance between employees’ rights and freedoms and the employer’s interests.

b) Trusted third party

It is recommended to engage an external, independent party to conduct the survey and to report the results anonymously, thereby ensuring data security and confidentiality. However, involving a trusted third party is not a legal requirement. A survey conducted without such a party can still be lawful, provided that other safeguards are in place, specifically that the data and survey responses are only accessible on a strictly need-to-know basis.

c) Special categories of personal data

For the collection of special categories of personal data – such as ethnic origin or religious beliefs – explicit consent must be obtained. This consent must be freely given, specific, informed, and unambiguous. However, it remains questionable whether consent can truly be considered “freely given” in an employment context, given the inherent subordinate position of the employee. 

d) Additional recommendations

The CNIL also emphasises the importance of full transparency towards data subjects, the establishment of clear agreements with processors and/or joint controllers, the setting of a retention period for responses (with a suggested maximum of six months), conducting a Data Protection Impact Assessment (DPIA) in advance, and implementing measures to ensure the confidentiality and security of the data.

Key message

For Belgian employers, the recommendations outlined in our previous newsflash remain fully relevant. However, the CNIL’s guidelines can serve as valuable inspiration for setting up a diversity survey:

  • Ensure that participation is entirely voluntary and free from any form of pressure.
  • Anonymise data wherever possible, from the point of collection onwards.
  • Clearly inform participants about the purpose of the survey and their rights.
  • Only collect the data strictly necessary for the survey’s objectives.
  • Obtain explicit consent for the processing of sensitive personal data.
  • Consider engaging an independent third party.