DEI is (Still) Hot. But Are You Managing the Data Safely?

Author: Helena Oroz, Legal Editor, XpertHR

September 12, 2023


Diversity, equity and inclusion (DEI) initiatives have been around, in various forms, since the 1960s, when federal EEO laws were new and corporate America was first trying to train away workplace discrimination.

Over the intervening decades (and especially the last few years), DEI has changed, been renamed (some to "DEIB" to include "belonging"), evolved and been the subject of much debate. But at least one component of DEI isn't up for debate: the large amounts of data potentially involved.

Data collection and analysis are integral to any comprehensive DEI effort, but data management is critical. Any organization that intends to collect DEI data to measure the success of its DEI strategy must ensure that data privacy and security are part of the program from the outset.

DEI Data

When you think about DEI, you're likely thinking about things like:

  • Big picture goals,
  • Recruitment and retention strategies,
  • Equal employment opportunity and nondiscrimination policies,
  • Pay equity,
  • Training and education,
  • Stakeholder communications, and
  • Legal compliance,

…all of which can be important components of a comprehensive DEI strategy. But are you thinking about the data?

DEI data is exactly what it sounds like - any information connected to any aspect of an organization's diversity, equity and inclusion initiatives. (In some cases, the same types of data may be collected for legal compliance purposes, like EEO-1 reporting.) Many organizations focus heavily on the diversity piece, especially in early-stage DEI initiatives, which often means looking closely at applicant and employee demographics. Diversity-related data generally includes highly sensitive identifying information about employees and applicants, such as:

  • Ethnicity;
  • Race;
  • Gender;
  • National origin;
  • Gender identity;
  • Sexual orientation;
  • Disability;
  • Veteran status; or
  • Other key identifiers.

Data about equal opportunity within an organization, or about how included employees feel there, can also reveal personal identifiers and sensitive information, depending on the manner and extent of data collection. Employee surveys are widely used to collect this information.


Organizations that are serious about DEI goals are serious about DEI metrics. Metrics are contextualized measurements that shed light on the potential reasons for certain outcomes. An organization examining its recruitment efforts, for example, may need to know not only the total number of applicants recruited, but also the recruitment breakdown by ethnicity or gender.

But before that organization starts planning out the collecting or measuring, it needs a plan for its data.

Privacy and Security Compliance

DEI-related data may be subject to heightened privacy and security requirements under certain data privacy, consumer protection or other applicable laws.

For example, certain data protection laws may define these types of data points as personal information or sensitive personal information, thereby bringing them within the law's coverage. Organizations (including those in the US) subject to the EU's General Data Protection Regulation are already well-versed in these concepts.

A national comprehensive data protection law does not (yet) exist in the US. Certain federal laws protect specific types of data and apply in limited contexts. Examples include the Health Insurance Portability and Accountability Act (HIPAA), which restricts how covered entities use and disclose protected health information; and the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records.

Although a national data protection law remains absent from the US legal landscape, individual states are stepping in to fill (or, more accurately, create a compliance web in) that void. An important note on this point, though: at this time, in the US, only California has a state-wide comprehensive data protection law that covers employment-related information. (The other states that have recently passed data protection laws exempt from coverage individuals acting in, or data processed or maintained in, the employment context.)

This means that covered businesses under the California Consumer Privacy Act (CCPA) have the same compliance obligations with respect to applicant, employee and independent contractor data as they do with respect to other consumer information (e.g., customer data). For example, employers that are CCPA-covered businesses must have a privacy policy, but also must ensure that they have a workplace privacy policy geared toward applicants, employees and independent contractors that addresses employment-related personal information.

Privacy and security for DEI data should be top of mind for any organization that could experience a data security incident - which is literally any organization. In 2023 alone, organizations that disclosed cybersecurity attacks include Twitter, Chick-fil-A, PayPal, T-Mobile, Reddit, OpenAI, Yum! Brands, Discord, the US Government, American Airlines, and even law firm Bryan Cave. Data breaches are an unfortunate reality of our data-drenched world, so DEI data needs to be a part of an organization's data security program.

Employee Buy-in

Beyond compliance, organizations that want their employees to participate in DEI surveys, questionnaires and other data collection exercises must ensure that their employees feel secure about sharing their very personal information.

Just a few ways that employers can build trust with employees include:

  • Communicating the organization's ethics and values with respect to employee data;
  • Stating how the data collection aligns with the organization's values;
  • Clearly disclosing collection purposes;
  • Explaining how their information will be used;
  • Obtaining their consent;
  • Maintaining strict privacy and security protocols; and
  • Being transparent and communicative about everything involving their data.

What Employers Need to Think About

Creating a diverse, equitable and inclusive workplace is a laudable goal - but goals without plans are just nice ideas. Strategic employers will want to think about DEI-related data first:

  • Why are we collecting this data? Whether it's an initial diversity assessment, legal compliance or specific DEI goals - have a clear understanding of the reason that the organization needs the data, which should guide every step that follows.
  • What are we collecting, and how are we using it? Think about categories of data to collect, from whom, and whether collection and use align with the organization's culture and values.
  • How will we manage the data we collect? A good data management plan will outline an organization's requirements for employee and applicant data use, access, retention, privacy, security and legal compliance.
  • Do we need expert help? Experienced professionals, including effective DEI and data privacy counsel, can help guide an organization through tough compliance puzzles.

A Final Thought

Don't forget to make data privacy and security part of your organization's DEI strategy. A little data management planning (okay, a lot of detailed and careful planning) will go a long way towards meeting DEI goals while protecting employees' personal information.