
These days, Diversity, Equity and Inclusion (DEI) aren’t just PR-friendly buzzwords; they are essential pillars of a healthy and resilient organisation! While many companies run DEI surveys to understand their teams and measure progress, too few focus on how these surveys handle the most sensitive data: the personal identities, backgrounds, and experiences of real people.
This is where security comes in. Recent academic research, such as Empirical Analysis of Data Privacy Concerns in DEI, makes it clear that privacy, anonymity and compliance are not just “nice to have”, but core enablers for honest responses and sustained trust between organisations and their people.

Sensitive Questions Demand Serious Safeguards
A typical DEI survey might ask about country of birth, ethnicity, gender identity, sexual orientation, disability status, and more. These are deeply personal questions and attributes, protected by law in many regions. If handled carelessly, breaches can do real harm: damaging reputations, violating regulations like GDPR or CCPA, and, worst of all, silencing the very voices that the survey seeks to uplift.
Employees are more likely to share honestly if they know these two things:
- Their answers cannot be traced back to them personally (anonymisation).
- Their data is stored securely and used only for its intended purpose (privacy and compliance).
Without this guarantee, participation drops; or worse, people might give incomplete or misleading answers out of fear or resentment. This dilutes the survey’s insights and can thereby sabotage inclusion efforts.

Trust is a Two-Way Street
Our research found a clear connection: when organisations build trust through robust privacy measures, participation rates in DEI surveys rise significantly.
Employees who trust that their information won’t be misused are 2.5 times more likely to engage with diversity initiatives!
Think about it: would you share your most personal identity markers with a manager if you feared it could come up in a performance review? Or be leaked to the wider team? Probably not.
This is why investing in a Secure Diversity and Inclusion Survey isn’t just an IT/Technology task; it’s an organisational commitment to respecting each person’s story.

Privacy-First Tech (more than just passwords)
Leading organisations are going beyond basic password protection or encrypted storage to protect their data and their people. New privacy-preserving technologies are emerging to balance usable insights with ironclad security.
Here are a few:
- Anonymisation & Data Minimisation: Stripping or scrambling personally identifying details so people can’t be re-identified, even by insiders. This involves collecting only what’s truly needed.
- Differential Privacy: Adding mathematical “noise” to aggregated data, so statistics are accurate but individuals stay invisible.
- Homomorphic Encryption & Secure Multi-Party Computation: Advanced cryptography that allows data to be analysed while staying encrypted.
- Federated Learning: Training AI models across multiple secure devices without moving raw data to a central location.
These techniques might sound complex (and they are) but they can be built into modern survey tools behind the scenes, so that HR teams and employees simply experience a safer, more trustworthy process.
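As an added illustration (not code from Diversity Atlas or the cited paper), the following Python shows how the first two techniques combine when reporting a single survey question: direct identifiers are dropped before analysis, each count receives Laplace noise, and small cells are suppressed. The field names, the `min_cell` threshold of 5 and the epsilon values are assumptions chosen for the example.

```python
import random
from collections import Counter

# Assumed names of directly identifying fields; a real survey schema will differ.
DIRECT_IDENTIFIERS = {"name", "email", "employee_id"}

def minimise(record, needed_fields):
    """Data minimisation: keep only the fields an analysis needs, never identifiers."""
    return {k: v for k, v in record.items()
            if k in needed_fields and k not in DIRECT_IDENTIFIERS}

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample as the difference of two exponential samples."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def private_counts(records, field, epsilon, min_cell=5, rng=None):
    """Noisy per-answer counts for one question.

    Each respondent contributes to exactly one cell, so the sensitivity is 1
    and the Laplace scale is 1/epsilon. Cells whose noisy count falls below
    min_cell are reported as None (suppressed) rather than as a small number.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng or random.SystemRandom()  # OS entropy unless a test RNG is passed
    true_counts = Counter(r[field] for r in records if field in r)
    report = {}
    for answer, n in sorted(true_counts.items()):
        noisy = round(n + laplace_noise(1.0 / epsilon, rng))
        # Threshold on the noisy value so the suppression decision is not exact.
        report[answer] = noisy if noisy >= min_cell else None
    return report

def sample_responses():
    """Constructed sample data: 29 fictional respondents."""
    answers = ["no"] * 20 + ["yes"] * 7 + ["prefer not to say"] * 2
    return [{"email": f"user{i}@example.com", "team": "ops", "disability_status": a}
            for i, a in enumerate(answers)]

if __name__ == "__main__":
    rows = [minimise(r, {"disability_status"}) for r in sample_responses()]
    print(private_counts(rows, "disability_status", epsilon=1.0))
```

A smaller epsilon adds more noise and gives stronger protection; every additional report drawn from the same responses spends more of the overall privacy budget.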
Compliance is not Optional
Besides ethics, strict data protection laws worldwide make a secure DEI survey non-negotiable. The EU’s GDPR, California’s CCPA, Brazil’s LGPD, and many others, rightly impose hefty penalties for mishandling sensitive personal data.
For example:
- Under GDPR (EU), data about race or sexual orientation is “special category data” with extra rules.
- In some countries, employers can only collect such data with explicit consent, and must prove robust safeguards are in place.
- If a breach happens, organisations risk legal action and fines, plus irreversible reputational damage.
Ensuring that your DEI surveys comply with local and global privacy regulations protects your organisation from these pitfalls.
Here is a list of key regulations from various regions:
Reference | Regulatory name | Region | Scope |
---|---|---|---|
[58] | Family Educational Rights and Privacy Act (FERPA) | United States | Governs the access to and release of student education records. DEI initiatives in educational institutions need to comply with FERPA regulations. |
[61] | Privacy Act | Australia | Regulates the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal data by both government and private entities. |
[57] | Health Insurance Portability and Accountability Act (HIPAA) | United States | Protects the privacy and security of individuals’ health information. While primarily focused on healthcare data, HIPAA compliance may be relevant for DEI initiatives involving health-related data. |
[59] | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada | Governs how private sector organisations collect, use, and disclose personal information in the course of commercial business. PIPEDA ensures that organisations follow fair information practices. |
[64] | Personal Data Protection Law (PDP Law) | Japan | Regulates the handling of personal information to protect individuals’ rights and interests and ensure proper handling by businesses. |
[67] | Personal Information Protection Act (PIPA) | South Korea | The Personal Information Protection Act (PIPA) of South Korea, sometimes referred to as “GDPR-K,” regulates the processing of personal data and ensures privacy rights for individuals. |
[62] | Personal Data Protection Act (PDPA) | Singapore | Governs the collection, use, disclosure, and care of personal data. Organisations in Singapore must comply with the PDPA for any DEI-related data processing activities. |
[66] | Protection of Personal Information Act (POPIA) | South Africa | Aims to protect personal information processed by public and private bodies, ensuring that data is processed in accordance with the right to privacy. |
[69] | General Data Protection Regulation (GDPR) | European Union | A comprehensive regulation that addresses data protection and privacy for individuals within the EU and the European Economic Area. |
[70] | Consumer Data Right (CDR) | Australia | Gives consumers greater access to and control over their data. Initially applied to the banking sector, with plans to extend to other industries. |
[60] | General Data Protection Law (LGPD) | Brazil | Similar to the GDPR, it regulates the processing of personal data and grants rights to individuals over their data. |
[63] | Data Protection Act (DPA) | United Kingdom | Complements the GDPR and regulates the processing of personal data within the UK. The DPA includes provisions specific to the UK that differ from the GDPR. |
[65] | California Privacy Rights Act (CPRA) | California, United States | Enhances and amends the CCPA, providing additional protections for California residents, including the establishment of the California Privacy Protection Agency. |
[68] | New Zealand Privacy Act | New Zealand | Governs how personal information is collected, used, disclosed, and stored. The Act includes principles that guide privacy practices for organisations. |
[71] | Personal Information Protection Law (PIPL) | China | Regulates the processing of personal information, emphasising the protection of individual rights. PIPL applies to entities handling personal data of individuals within China, including data collection, storage, and usage, with strict requirements for cross-border data transfers. |

So, What Can Your Organisation Do Today?
Here are a few practical tips to ensure your DEI surveys are truly secure and build lasting trust:
- Choose survey tools designed for security: Look for vendors that explain how they anonymise and encrypt data. Diversity Atlas is a platform that not only complies with many different regulations, but also provides full flexibility and customisability of the survey.
- Communicate clearly: Tell your respondents exactly how their data will be used, stored, and who can see it.
- Collect only what you need: More data isn’t always better. Be precise about which questions support your inclusion goals.
- Train your people: Educate HR and diversity leads about privacy best practices and legal obligations.
- Review and update regularly: Privacy laws evolve — make sure your survey practices keep pace.
At Diversity Atlas, our survey platform is uniquely designed to adapt to the complex patchwork of global privacy and data protection laws — from Europe’s GDPR and the UK’s DPA to Brazil’s LGPD, Australia’s Privacy Act, and California’s CPRA. Unlike generic survey tools, Diversity Atlas offers customisable question sets, consent processes, and data storage options tailored to each client’s regional compliance needs.
This flexibility ensures that organisations can confidently gather rich, identity-specific insights while fully aligning with local legal requirements and cultural expectations. By combining robust regulatory compliance with unparalleled customisability, Diversity Atlas empowers organisations to build trust and inclusivity without compromising privacy or security.

How the Well-Architected Framework Powers Our Secure Diversity and Inclusion Surveys
The AWS Well-Architected Framework is a trusted industry blueprint that helps organisations build secure, high-performing, resilient, and efficient infrastructure for their applications and data. Security is one of its five core pillars, alongside operational excellence, reliability, performance efficiency, and cost optimisation, ensuring that data is protected through best practices and modern technologies at every layer.
At Diversity Atlas, we’re proud to have undergone a comprehensive Well-Architected Review with AWS, a process highlighted in an official AWS case study. This gives our clients the confidence that their diversity and inclusion data is managed securely and reliably, in line with global standards.

Conclusion
A Secure Diversity and Inclusion Survey is not just an IT checkbox; it’s a promise. It says: We care enough about your identity and safety to protect it as fiercely as possible.
When people trust that promise, they speak more openly. When they speak openly, organisations learn more. And when organisations learn more, they can build workplaces that truly celebrate every identity and background.
In the end, privacy is the backbone of inclusion — and security is the trust that makes it real.
For a deeper dive into the legal, ethical, and technical best practices behind secure diversity surveys, we invite you to download the full academic paper Empirical Analysis of Data Privacy Concerns in DEI. It offers a detailed breakdown of global compliance requirements and actionable recommendations for organisations serious about getting it right.