How Can We Conduct a Board Diversity Audit and Share Our Findings in Compliance with GDPR?
Understanding personal data in relation to auditing and effectively communicating board demographics.
What is this advice about?
Heritage boards sometimes struggle with compliance considerations around equality reporting. This advice is designed to give you guidance on how to audit and communicate about board demographics in ways that are compliant with General Data Protection Regulation (GDPR).
The advice in this resource was produced on behalf of Historic England by Getting on Board.
It forms part of a wider strand of work around heritage board diversity. For other resources in this series, see the 'Inclusive governance boards and diverse trustees' section of the Inclusive Heritage Advice Hub.
What are the key points?
- A board diversity audit is key to identifying the voices that are and are not present in your organisational governance
- Many funders or support organisations request diversity information as part of applications or monitoring processes
- It is important to set a clear and purposeful intent for diversity auditing, and to identify your reasons for conducting an audit alongside your proposed strategy for the resulting data
- GDPR considerations around 'special category' data need careful attention, with extra training put in place if necessary
- A data protection statement is an essential document when conducting a diversity audit
Why should we audit the diversity of our board?
Among interviewees for Historic England's 'Barriers and Enablers to Board Diversity in the Heritage Sector' report, there was a consensus that their organisations lacked insight into the demographics of their membership and the diversity of their current boards. They said data was not systematically collected and, where it was available, it was not comprehensive (for example, data extrapolated from an annual survey of members had a limited response rate).
Perhaps your funder has asked you for this information. For example, Arts Council England publishes overall equality information about board demographics of the organisations it funds. Its Relationship Managers closely monitor the board diversity of its National Portfolio Organisations and other funded organisations.
Where do we start with a board diversity audit?
Board diversity audits can be treated similarly to employee equality audits. Start by asking: "What do we want to record, and why?" and "What data is appropriate to collect, and why are we collecting it?"
In this context, the equality data you provide is anonymised, and by its nature, individuals cannot be identified. Therefore, it is not classed as personal data and is not covered by GDPR.
Personal data relates to an identified or identifiable natural person (a person who can be identified by reference to identifying information, which can include protected characteristics such as the ones listed below).
Equality or demographic data is subject to further protection as 'special category data' and requires both consent and an additional legal basis upon which to collect it. You can learn more on the Information Commissioner's Office (ICO) website.
Data that requires both consent and an additional legal basis for collection includes:
- Some categories of impairment within disability status
- Race/ethnicity
- Gender reassignment
- Religion and belief
- Sexual orientation
You will also need to ensure that this data does not identify individuals by reference to any other information. For example, data collected on marriage and civil partnership may have implications for data on sexual orientation.
When you undertake board diversity audits, seeking written permission and maintaining records for the special category data mentioned above is important. GDPR enhances the rights of 'data subjects' (the people the personal data is about) and sets out clear conditions for collecting, storing, processing, and transferring personal data (including special category data).
Getting written consent from all people whose data you hold is good practice. It's worth seeking legal advice to clarify any areas of contention, as GDPR is a specialist area.
It is also worth noting that there are other characteristics that may not be recorded in an equality audit but contribute to board diversity and are underrepresented across the sector as a whole. These characteristics include accent, class, living outside of London and the South East, and working patterns (including freelancers and people on zero-hour contracts).
Sample data protection statement
[Organisation name] is committed to promoting an inclusive environment for all board members by identifying and removing barriers in our practices. Providing equality data will help us achieve this.
You will be asked about your [characteristics that you have decided to audit and report on, such as: age, race, sex, gender reassignment, disability, marriage or civil partnership, religion or belief, sexual orientation, pregnancy or maternity].
While disclosing this information is voluntary, and this audit relies on your consent, the information provided will enable us to better understand the composition of our board. Your answers will be treated in the strictest confidence, and all data disclosed will be handled in compliance with the Data Protection Act 2018. [Insert additional statement about your organisation's privacy policy.] Those who will have access to this data include [insert job roles of people with access to the data].
Your anonymised data may be shared with [funder X, funder Y] as part of our funding agreements. [Insert information about where and how the data will be stored and how long it will be stored for.] To find out more about how your data is protected, please contact [data protection officer]. If you have a question or wish to make a complaint, please contact [name and contact details].
Please note that you have the following rights in relation to your data: to be informed about the processing of your data; to access your data; to rectify inaccurate or incomplete data; to request erasure of your data; to request processing restrictions on your data; and to obtain and reuse your data.