This is part one of a two-part article. In this section, we discuss how Data Governance can be leveraged to support data-driven diversity, equity, and inclusion (DEI). In the next section, we will look at how to manage DEI data risk.
Diversity is recognized as key to increasing performance within organizations. Chief diversity officers face challenges, however, when attempting to take a data-driven approach to diversity, equity, and inclusion (DEI). One significant roadblock is risk arising from DEI data and metrics. Although many companies have protocols in place that address the collection and use of sensitive data, DEI advocates may not know how to implement these practices to mitigate risks. This article explores how chief diversity officers can more effectively partner with data professionals to leverage data practices and advocate for data-driven DEI.
Modern organizations use data to improve operations, expand offerings, and more effectively connect with customers. Typically, these data initiatives begin by defining what they want to achieve, identifying relevant metrics and then forming teams to experiment with the data. These metrics are essential for teams to establish baselines, identify challenges, and measure progress towards their goals. Metrics in the form of key performance indicators (KPIs) are also essential to maintain visibility with (and support from) leadership. The importance of metrics has led to famous sayings like “what gets measured gets managed” and “if you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it.” Although these data and metrics are recognized as key to increasing diversity, equity, and inclusion (DEI), most organizations have yet to adopt evidence-based, data-driven DEI. 
DEI Data and Metrics
Many people assume that diversity only answers questions related to “body count” – e.g., how many women, people of color, and other underrepresented groups are employed and in what positions? These types of data are called “outcome metrics” and are potential indicators of bias that can be used for establishing a baseline against which progress can be measured. They may also be important for assessing the effectiveness of various interventions.
This raises our first Data Governance concept that will assist DEI advocates: metrics. From a Data Governance perspective, metrics can be both quantitative and qualitative assessments that leaders use to measure, manage, track, benchmark, report on, and improve their program and its components and to establish transparency and trust. Many data teams adopt the SMART Framework (Specific, Measurable, Actionable, Relevant, and Time-Bound) to create SMART metrics to assess their capabilities and fulfill objectives.
When selecting the right metric, DEI advocates will need to choose between outcome metrics and more granular process metrics. Although outcome metrics indicate whether a problem exists, they are not very helpful in providing actionable insights to correct issues and bring about meaningful change. To improve DEI outcomes, advocates need to consider process metrics that pinpoint problems in areas such as hiring, evaluation, promotion, and executive sponsorship. Examples of these metrics include the speed at which people of color move up the corporate ladder and the salary differential between men and women in comparable jobs. Such process metrics may reveal biases that negatively impact diversity. When choosing metrics, bear in mind that the metric cannot be more mature that the program it is measuring; therefore, if you do not have formal outcomes and processes with documented roles, responsibilities, etc., you will not be able to establish meaningful metrics.
Data Practice Maturity
When considering an evidence-based, data-driven approach to DEI we need to consider what it really means to be “data-driven.” This brings us to the next data concept to consider: maturity. Data practice maturity ensures that people know how to consistently deliver outcomes from formal (i.e., written) procedures. Data practice maturity can be measured along a continuum:
1. Unaware: People do not yet understand and support formal data practices.
2. Aware: People understand and support the formal exercise of authority and control over data.
3. Define: Formal responsibilities have been defined and related activity metrics are captured.
4. Manage: People effectively execute formal procedures and analyze related metrics to discover trends.
5. Optimize: People identify best practices, improve performance, and automate processes and use metrics to manage outcomes.
To say that an enterprise is “data-driven” means that it has optimized its data practices across the entire company. Generally, this means that data is defined as “everyone’s job” – i.e., everyone uses data every day to drive actions, deliver outcomes and determine “how can we make it happen?” Data cannot be “everyone’s job,” however, if clear responsibilities have not been defined in formal policies and procedures. Such mature data practices contrast with less mature organizations that are merely “data-aware” – i.e., where only executives use reports to determine “what happened.” It is also in contrast to moderately mature organizations that are “data-informed” – i.e., where functional experts analyze data to find patterns and determine “why did it happen.” Knowing where your organization stands with regards to data maturity is an important step in determining what type of risk you can (and should) accept.
DEI Data Lifecycle
Workplace data including DEI data can be collected at any point in the employment lifecycle – i.e., before, during, and after employment. Data relevant to DEI goals may also be collected from a variety of sources and processed in a variety of situations. For example, employers and educators who support DEI require thorough and accurate data about their talent pool whether it is a workforce, student body, etc. This may include breakdowns by characteristics such as race and gender generated by self-identification campaigns and used for the purposes of diversity analytics.
These activities introduce the next Data Governance concept DEI advocates must consider: lifecycle. Lifecycle management processes require stewardship so that people understand how to properly collect, process, and use DEI data. Advocates for data-driven DEI should work with data professionals to establish formal roles and responsibilities for each step in the lifecycle of DEI data including:
1. Collection: DEI data should only be collected for the purposes identified in the notice provided to the individual providing the data (also known as the “data subject”).
2. Use: Use and processing of DEI data should be limited to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.
3. Retention: DEI data should be retained for only as long as necessary to fulfill the stated purpose.
4. Disclosure: DEI data should only be disclosed to third parties for the purposes identified in the notice and with the consent of the individual.
By describing these roles and responsibilities as “formal,” this means that the data lifecycle is documented in official policy and procedure that can be produced to leadership or regulators upon request. This formalization is an essential aspect of mature Data Governance and is a necessary precursor for data-driven DEI.
DEI Data Stewardship
As we will see, accountability is increasingly important to demonstrate compliance with evolving laws. This brings up the next Data Governance concept we will address: stewardship. In Data Governance, the person with ultimate accountability for data is called a “steward.” Leaders delegate responsibility to stewards for establishing authority and control over the definition, production, and use of data. The exercise of this authority and control is what we mean when we use the term “Data governance.” Stewards in turn delegate certain responsibilities to data producers and data consumers for managing various steps in the lifecycle of the data they manage.
To understand what is meant by stewardship, it is useful to note the difference between data “stewards” and data “producers.” While a data producer bears responsibility for the data they collect or create, a steward retains authority (and ultimate accountability) over data that others collect or create. Usually, the steward’s authority applies to a specific data domain – e.g., product, customer, workforce, etc. This authority is sometimes referred to as “ownership” and the steward may also be called a data “owner.” Data professionals typically recommend against using the term “ownership,” as it leads to misunderstanding and tends to drive bad behaviors.
DEI Data Risk
Although both outcome and process metrics are important to achieving diversity goals, advocates need to consider their leaders’ tolerance for the risks that come with a metrics-based DEI approach. They also need to consider the maturity of their underlying processes for managing related risks. Data risk will be a significant challenge when gathering support from leadership for data-driven DEI and advocates must clearly demonstrate that they understand and are prepared to manage such risk. This requires a thorough understanding of the laws that apply to DEI data. Analysis of such law is beyond the scope of this article and practitioners are cautioned to seek the advice of counsel at the beginning of any DEI project. Effective partnership with legal counsel is crucial to the success of data-driven DEI.
At a very high level, it is important to understand that legal requirements will affect most DEI initiatives. In the United States, federal laws prohibit discrimination in hiring and regulate certain workplace practices.  The primary purpose of these laws is to prohibit discrimination in hiring and other employment decisions. A secondary effect, however, is that these laws often affect how interviews and other background screen activities are conducted. Employers risk possible discrimination claims for interview questions about national origin or race under Title VII, about age under the ADEA, or about disability under the ADA. The Equal Employment Opportunity Commission (EEOC) has held that Title VII sex discrimination extends to claims based on an individual’s sexual orientation or gender identity.  Along with federal laws, states have their own antidiscrimination laws and almost half the states currently prohibit sexual preference discrimination in both public- and private-sector jobs, while other states prohibit such discrimination in public workplaces only. 
To further understand the complexities of DEI data risk, let’s look at a common DEI issue: diversity targets. Employers may set numerical diversity targets by stating that a specific percentage of new hires will be racial minority members by a certain date, or the employer may state that a certain percentage of managers will be women by a set date in the future. Although such goals may be legally permissible, even targets that are communicated as “goals” may deemed by courts as quotas, which are impermissible under U.S. federal law. It is up to the courts to determine whether a percentage target is a goal or a quota and the process is often complicated and contingent on specific circumstances. The legality of a target may come down to subjective criteria such as whether managers felt pressure to comply with the target or whether anyone was disciplined for not meeting the target.
In addition to employment issues, U.S. federal law also protects education records and limits the collection and disclosure of student information for commercial purposes.  An additional challenge in the context of education occurs because federal law also provides certain rights to the parents of minors with regards to the collection of sensitive information from students through surveys including sexual behavior and attitudes.  States have also enacted numerous employment privacy laws, providing protections to employees in a wide range of speciﬁc situations. Employment and education laws are constantly changing and vary by location, so things can get confusing very quickly. DEI advocates should consider working with data leaders to identify the correct legal and compliance subject matter experts (SMEs) who can help navigate legal requirements.  It is important to bear in mind that the DEI advocate may take on accountability for any residual legal risk that cannot be mitigated through administrative or technical controls.
 See Joan C. Williams and Jamie Dolkas, Data-Driven Diversity: to achieve your inclusion goals, use a metrics-based approach, Harvard Business Review (Mar. 2022).
 The United States has a number of federal laws that prohibit discrimination in employment, notably: Title VII of the Civil Rights Act of 1964 bars discrimination in employment due to race, color, religion, sex, and national origin; The Equal Pay Act of 1963 bars wage disparity based on sex; the Age Discrimination in Employment Act of 1967 bars discrimination against individuals over 40; the Pregnancy Discrimination Act of 1978 bars discrimination due to pregnancy, childbirth, and related medical conditions; the Americans with Disabilities Act of 1990 bars discrimination against qualiﬁed individuals with disabilities.
 See What You Should Know about EEOC and the Enforcement Protections for LGBT Workers, Equal Employment Opportunity Commission.
 See Susan Miller, ’Shocking Numbers:’ Half of LGBTQ Adults Live in States Where No Laws Ban Job Discrimination, USA Today, October 8, 2019.
 See the Family Educational Rights and Privacy Act of 1974 (FERPA), the Protection of Pupil Rights Amendment of 1978 (PPRA), as amended, and the interaction between FERPA and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In addition to these federal laws, practitioners in this area should be careful to follow any state and local laws that apply.
 See the Protection of Pupil Rights Amendment (PPRA) where Congress responded to concerns about the collection and disclosure of student information for commercial purposes by amending FERPA in 1978.
 Attorneys will also be essential to guide on what documents such as corrective-action plans may qualify as “privileged” – i.e., protected by attorney-client privilege. This is especially important for organizations that have already been sued for discrimination.
Stay tuned for part two, which discusses how to leverage governance to manage DEI data risk.