We have recently discovered growing interest in implementation of diversity and inclusion (“D&I”) programs by companies operating in Russia. D&I programs imply processing of new categories of employee personal data and new purpose of data processing. For this, Russian Labour laws do not provide for any requirement nor regulation for implementation of D&I programs. In such circumstances, employers’ processing of employee data, for purposes of D&I programs, cannot be based on legal obligation. In this letter, we would like to share our view on the measures that shall be taken by employers implementing D&I programs, in order to mitigate privacy-related risks.
The crucial issue with regard to D&I is to justify the program, by explaining of its purpose.
Russian laws lay down a general guarantee that individuals enjoy equal rights and opportunities, irrespective of their sex, race, or nationality, which entails prohibition of any discrimination.
These legal guarantees shall serve as a basis for the justification of D&I programs implemented on a company level – in no case should the purpose of a D&I program be construed as giving the privilege to a particular group on a basis of their race, ethnicity, etc.
In addition to the purpose justification, the company implementing a D&I program shall observe certain formalities, in particular it shall:
duly implement an internal D&I policy explaining the respective processes and related personal data processing activities;
familiarize the employees with the policy’s content and train them on D&I issues;
request individuals’ written consents, compliant with mandatory requirement, where personal data is not collected anonymously;
implement a procedure of timely and safe deletion of data, collected within a D&I program;
reconsider the security threats and implement additional safeguards to safeguard sensitive data;
properly localize Russian citizens’ personal data upon collection;
if personal data is processed by third parties, including affiliates, ensure legal requirements relating to a transfer of employee data to third parties, and, if applicable, requirements regarding cross-border data transfer; new personal data processing activities shall be reported to the Russian data protection authority;
implement an effective control over the operation of the program (such as internal reporting, selective internal checks, etc.).
In addition to obvious reputational concerns, inappropriate implementation of a D&I program may trigger the risks of individuals’ complaints to the supervisory authorities and courts, administrative penalties and criminal liability for the company’s officials.
The above risks are not imaginary – implementation of D&I processes has a significant impact on individuals’ privacy and employment, which is always in the spotlight of the Russian supervisory authorities. So, companies shall carefully analyze their intended practices and take all necessary steps to make them legally complaint.
Practice: Data Protection and Cybersecurity
Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.
We hope that the information provided herein will be useful for you.