Out-Law / Your Daily Need-To-Know

Data protection risk with FCA's diversity targets, warns lawyer

Out-Law News | 12 May 2022 | 9:29 am |

Katy Docherty tells HRNews about protecting privacy rights when collecting data in line with FCA’s diversity targets
HR-News-Tile-1200x675pxV2

We're sorry, this video is not available in your location.

  • Transcript

    As we highlighted last week, the FCA has finalised rules requiring UK listed companies to set out in their annual reports whether they have met board diversity targets. Firms will have to meet minimum targets for the representation of women and people from a minority ethnic background on their boards and in their senior executive teams or explain why they have not done so.

    Kate Dodd and Tom Proverbs-Garbett review the new rules in their Outlaw article: ‘FCA finalises ‘comply or explain’ diversity rules for listed companies.’ The proposed benchmarks are at least 40 per cent of the board to be women, at least one of the senior board positions (chair, chief executive officer, chief financial officer or senior independent director) to be a woman and at least one member of the board to be from a non-white ethnic minority background.

    Clare Cole, director of market oversight at the FCA is quoted in the FT Advisor. She says: “There is a current lack of standardised and mandatory transparency about diversity on listed company boards, particularly outside the FTSE 350 who do not provide data to the voluntary initiatives in this area. She says: ‘The FCA is also encouraging companies to provide further data on the result of their diversity policies considering these wider aspects where possible.’

    So clearly the collection of data is central to this so let’s get a view on that. Katy Docherty is a data protection specialist and she joined me by video-link from Glasgow to discuss it:

    Katy Docherty: “So what I think what is quite interesting is the fact they are saying you either have to comply with these new rules are you have to explain why you're not, and I think that a slightly less obvious angle that is interesting about that is, of course, the data protection element because whilst the focus is of course on complying with this, or explaining why you're not doing it, and looking at improving diversity at a board level, of course what you are doing about these individuals on the board is gathering in personal data about them, and in the context, particularly of race and ethnicity, that, of course, is special category data. So, what companies do need to have as part of their ‘game plan’ for how they're going to deal with this new requirement is, of course, looking at how they make sure they protect the privacy rights of those at board level when they are processing, and potentially reporting on, this data.”

    Joe Glavina: “We know that companies will have to publish data on the sex, gender identity and ethnic diversity of their board in a table and it’s up to them how they go about it. What ‘s your advice to HR on tackling that?”

    Katy Docherty: “So, I think the fact that the FCA has put it back on companies to decide whether they're going to report on the basis of gender identity or sex is quite an interesting angle and I think it's one of the trickiest issues that HR will have to deal with here because, obviously, the basis in which you decide to report affects the type of information that you are potentially gathering in about people at that senior level and it's potentially very sensitive to them, potentially very private, and, obviously, there's going to be potentially some element of having to disclose, to some extent, because you're either going to have to show that you've complied with the rules, or explain your approach, if you haven't, and this idea of explaining and being transparent about your methodology is, on the face of it, at least a bit at odds with the fact that you're potentially gathering in very private and very personal data. So, I think that at the outset when companies are deciding which approach they're going to take - report on the basis of gender identity or sex - one of the key questions that they're going to have to have in mind is protecting the privacy rights of those individuals at that senior level. I think a really useful way to help deal with this would actually be to carry out a Privacy Impact Assessment. Now, in an instance like this I think that the value in that exercise would be in allowing companies to properly think through the data protection implications of what they are proposing to do but the other point that I would make is that this question around gender identity and sex, clearly, that is not something that just your data protection teams should be looking at when they're pulling together the Privacy Impact Assessment. They should definitely be getting input from equality specialists and from the HR team on the appropriateness more broadly of whichever category you choose. So, I think using the data protection tool here as a way of showing you're working, and working out which approach may be best for you as a company, is very important and I also think that doing it in that context, which allows you to think through each stage of what you're going to do, the implications for the individuals, how this data is going to be disseminated, or shared, or reported on, is all really helpful in allowing companies to either comply or explain and to do that in a measured way which shows they've thought through all of the implications.”

    Kate and Tom’s review of the new rules is: ‘FCA finalises ‘comply or explain’ diversity rules for listed companies’ and it is available from the Outlaw website.