Diversity monitoring and data protection—law firms

The following Practice Compliance practice note provides comprehensive and up-to-date legal information covering:

  • Diversity monitoring and data protection—law firms
  • Why is data protection relevant to diversity monitoring?
  • Do you need consent for diversity monitoring?
  • Article 6 ground for processing personal data
  • Article 9 ground for processing special category personal data
  • Processing is necessary to perform any obligation conferred or imposed by law in connection with employment
  • Processing is necessary for reasons of substantial public interest on the basis of EU or UK law
  • Processing is necessary for statistical purposes
  • Processing data fairly
  • Retaining data

You must monitor, report (to the SRA) and, where appropriate, publish data regarding the diversity of your workforce. The SRA is prescriptive about what data you must collect and from whom—for more guidance, see Practice Note: Diversity monitoring regulatory requirements.

This Practice Note explains the data protection implications of diversity monitoring, including whether:

  1. you need consent from the individuals concerned

  2. you can fall outside the scope of the data protection regime by collecting data in an anonymised form

Why is data protection relevant to diversity monitoring?

The General Data Protection Regulation (GDPR) applies wherever you process personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing special category personal data is subject to a higher level of regulation under the GDPR. There are three main types of special category data:

  1. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership

  2. genetic data, biometric data that uniquely identifies a natural person

  3. data concerning health or a natural person's sex
