Privacy vs. Progress: How data security impacts HR & DEI efforts

Camille Hogg, PhDDec 13th, 2023

Organizations often get stuck between wanting to make meaningful changes, and keeping their employee data on a for-your-eyes-only basis. In this week's article, we explore the challenging balance between organizational progress and the need for stringent data privacy and security.

Illustration of padlock overlayed with icon of a person. Thin lines extend from the lock like data points on a chart. The Dandi smiley logo is in the lower left corner.

Organizational change is a collective effort. It’s something that requires the participation of your entire organization, from senior leaders to the newest members of your team. 

But while collective action sounds like a great theory, it’s often less easy to do when organizations try to put it into practice.

One reason why? Data privacy and security.

Progress doesn’t happen without collective ownership. But collective ownership can’t happen without data. And in most cases, organizations struggle to balance their need for progress with their need to keep their most sensitive data secure.

Storage and tooling limitations create security and privacy challenges

It's often said that what gets measured gets managed. But if organizations aren’t able to protect their people data to begin with, then they can’t manage it. And from a tooling perspective, many organizations are grappling with the same issue. 

Many HR & DEI teams start working with data in the simplest way they know how—by working in shared spreadsheets and files, or integrating their data into existing tools, such as their HRIS or Business Intelligence platforms. The trouble is, these methods come with some severe limitations when it comes to data privacy and security.

64% of organizations store their people data within their HRIS, linked to their employee records — meaning access and privacy might not be controlled.

As teams grow, spreadsheets get shared and copied, making it difficult to know how sensitive data is being accessed, and critically, who is accessing it. Meanwhile, according to a 2022 report from Workday, 64% of organizations store their DEI data within their HRIS, linked to their employee records — meaning access and privacy might not be controlled.

And even when organizations do build a dedicated people platform in-house, there’s no guarantee that the data will stay in-house. Improper data storage and configuration may mean employees are unintentionally at risk of increased discrimination and bias. Meanwhile, limited resources can mean in-house platforms don’t get timely updates needed to keep data secure.

The vicious cycle of data privacy

Insecure tooling and methods of working with people data often lands organizations in a double bind. Theoretically speaking, they know that scaling greater access to the data means they can further progress through a collective effort, meaning everyone has ownership over building a more diverse and inclusive company.

But in reality, that doesn’t happen. Organizations get stuck between wanting to make meaningful changes, and keeping their employee data on a for-your-eyes-only basis.

This locks organizations into a vicious cycle when it comes to progress. Let’s see how it plays out.

1. Organizations limit access to data to keep it secure and private

Your employee information is one of the most sensitive data sources you have. If it falls into the wrong hands, it doesn’t just threaten your business, it threatens the people that keep your business afloat.

At an internal level, the biggest risk might be that Taylor from Accounts knows a little more than they should. But externally, this risk could be significant. In May 2023, for example, the US Transportation Department found this out firsthand when it experienced a cyber attack that breached the information of almost 240,000 current and former employees. The attack revealed sensitive information about its employees, including names and Social Security numbers. 

The need to prevent data breach events from happening quite rightly trumps the need to get work done. But this has a huge knock-on impact on your ability to make progress.

2. When nobody has access to people data, it stays siloed 

People data touches every part of your organization in different ways. It starts with who you hire and what your workforce composition looks like, sure, but it also spirals into your wider business outcomes. It extends into the product or service quality you offer, your ability to innovate, how you attract and retain customers, and your profitability and business performance. 

When only a few people are able to access your people data, the onus for all progress falls squarely on their shoulders. But workplace progress can’t just be the responsibility of a few. It needs to become embedded within your processes and systems—and it needs to connect to your wider business outcomes.

Restricting access to people data to just a few people means you can’t work with the data in the way you really need to make this work.

3. When organizations can’t act on data, they can’t set proper goals

Change depends on sustainable, continuous progress. But if you can’t get the data in the hands of the people that need to work with it or connect it to your business goals, then you can’t quantify its impact on your organization. 

That means you have no direction of travel on where to act, or what to do next. You can’t understand your biggest challenges in terms of their whole organizational impact, or how these evolve over time. Critically, you can’t identify where your biggest opportunities are to set goals that lead to sustainable change.

In the near-term, this means HR & DEI teams can’t approach their work with any level of specificity or clarity. In the long-term, it means your efforts will be unlikely to make progress at all. It’s a zero-sum game.

How to ensure privacy while accelerating progress 

To protect your employees’ most sensitive data, the answer isn’t necessarily about adding more layers of security, or putting your data in a vault and throwing away the key. 

It’s more that you need the right security protocols around who accesses the data and what they can see. You need full control of processes around data management, collection, and storage while enabling different stakeholders across your organization to analyze and share data safety while keeping employee data privacy and security paramount.

Or in simpler terms, you need to be able to give the right people the right permissions at the right time.

Screenshot of Dandi's roles and permissions interface for a marketing recruiting manager, showing access controls for feature permissions and analysis permissions.
Dandi roles and permissions controls are engineered to strike the balance between privacy and progress, allowing you to create collective ownership around people data while maintaining precise control over visibility.

Dandi’s best-in-class data protection keeps your people data secure, compliant, and protected across your entire organization. Our enterprise-grade security provides a fully encrypted, fully GDPR compliant way of collecting, storing, analyzing, and controlling access to your data. 

With built-in flexibility around access controls, organizations can personalize who accesses their DEI data and exactly what information they see, making it easier for everyone to work with people data in a safe, controlled, and compliant way.

Learn more about the Dandi security standard.