Diversity monitoring and data protection—law firms

The following Practice Compliance practice note provides comprehensive and up to date legal information covering:

  • Diversity monitoring and data protection—law firms
  • Why is data protection relevant to diversity monitoring?
  • Do you need consent for diversity monitoring?
  • What is consent?
  • What is explicit consent?
  • Can we rely on explicit consent?
  • Should we rely on explicit consent?
  • How should we obtain explicit consent?
  • Article 6 ground for processing personal data
  • Article 9 condition for processing special category personal data
  • More...

Diversity monitoring and data protection—law firms

You must monitor, report (to the SRA) and, where appropriate, publish data regarding the diversity of your workforce. The SRA is prescriptive about what data you must collect and from whom—for more guidance, see Practice Note: Diversity monitoring regulatory requirements.

This Practice Note explains the data protection implications of diversity monitoring, including whether:

  1. you need consent from the individuals concerned

  2. you can fall outside the scope of the data protection regime by collecting data in an anonymised form

Why is data protection relevant to diversity monitoring?

The UK General Data Protection Regulation (UK GDPR) applies wherever you process personal data. For a definition of personal data, see below: Anonymising diversity data.

The type of data organisations collect when monitoring diversity is very likely to constitute special category personal data under the UK GDPR. There are three main types of special category data:

  1. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership

  2. genetic data, biometric data that uniquely identifies a natural person

  3. data concerning health or a natural person's sex life or sexual orientation

Collecting, reporting and publishing diversity data inevitably involves ‘processing’ special category personal data, meaning the UK GDPR applies. This is subject to the proviso that the UK GDPR will not apply where you collect, report and/or publish diversity data in an anonymised form——see

Popular documents