June 6, 2022
13 Ways Your Trust Program Can Build an LGBTQ+ Inclusive Culture
Is your company doing everything it can to build an inclusive culture and earn the trust of your LGBTQ+ teammates, customers, partners, and more? While workplace protections for the LGBTQ+ community are increasingly common, research from UCLA reports that nearly ten percent of LGBTQ+ people have experienced discrimination at work in just the last year.
While Pride Month gives companies an opportunity to celebrate the LGBTQ+ community and commemorate their struggle for civil rights, earning the trust of LGBTQ+ stakeholders requires a safe, inclusive, and equitable environment year-round – and fostering that environment is not the sole responsibility of your HR, people, and culture teams.
In fact, what better place to start building trust than within your company’s trust programs, including privacy, ethics, ESG, and security? Below, find practical actions your trust programs can take starting today to build an inclusive culture – one that your LGBTQ+ team members, customers, and their allies can trust.
Follow us on LinkedIn for updates throughout the month of June on how we’re providing meaningful support for the LGBTQ+ community within OneTrust and with our customers.
Privacy and Data Governance
At the heart of any privacy program is the protection of individuals and their privacy rights – and the LGBTQ+ community is particularly vulnerable to data exploitation and bias. Ensure that your privacy and data governance programs are taking every step possible to protect the data of vulnerable populations, including LGBTQ+ employees, customers, and more. “By protecting the private data of our LGBTQ+ community, we are providing a safeguard for those who may not be ready to come out,” says Ricardo Herrera-Estrada, Business Operations Manager for Tugboat Logic by OneTrust, “or protecting those who are not fully accepted by their families and/or communities.”
1. Obtain relevant consent for using Sensitive Personal Information
Sexual orientation and information about a person’s sex life are frequently included in definitions of sensitive personal information under many of the world’s privacy laws. In order to process such information, obtain explicit consent – which in many instances includes ensuring that the data subject is given clear and detailed information about the purpose of processing and the third parties involved at the time of collection. Empower data subjects to withdraw their consent as easily as it was given without fear of retaliation or discrimination.
2. Govern opt-outs and limit use requests in business systems
Transparency and choice around the use of sensitive personal information are critical for fostering trust. Respecting the preferences of the data subject and communicating these consent preferences across the organization and third parties is a key element of demonstrating transparency and choice.
From a data governance perspective, you should have a clear understanding of where sensitive personal information exists across different business systems, the consent preferences attached to this information, and who has access to this data. You can use this insight to develop, implement, and enforce strict data use policies to limit access to sensitive personal information, ensuring it’s used only when absolutely necessary and in line with the purposes for which it was originally collected.
3. Don’t keep sensitive information longer than you need to
As a matter of best practice, review your sensitive data footprint and reduce it where possible. Retaining personal information longer than necessary can cause your organization operational issues from both a privacy and security perspective, leaving it susceptible to security incidents and potential data breaches. This is particularly true of sensitive personal information, such as details about sexual orientation or an individual’s sex life, where penalties for breaches can be severe in both monetary terms and reputational damage.
Ethics and Compliance
Your Ethics and Compliance team bears the responsibility for documenting your company’s stance on anti-discrimination and inclusivity and embedding it within company culture – a powerful element of earning the trust of your company’s LGBTQ+ employees and partners.
4. Update your code of conduct and policies
If you want to create an inclusive culture, the baseline is putting your stance on inclusivity and antidiscrimination in writing. In 2020, the Supreme Court ruled in Bostock v. Clayton County that discrimination on the basis of sexual orientation or gender identity was a violation of the Civil Rights Act, establishing consistent protections for LGBTQ+ employees across the United States – and your organization’s anti-discrimination policy should be updated to reflect that. Ensure that your anti-discrimination policy specifically states that discrimination based on sexual orientation and gender identity will not be tolerated.
In addition to updating your anti-discrimination policy, consider making your dress code (if you have one) gender-neutral, creating an inclusive restroom/facilities policy, and creating a policy on pronoun use and name changes.
Beyond your policies, drive inclusivity throughout your culture by including a statement on inclusion and belonging in your code of conduct. For example, the OneTrust Code of Trust states “We expect every OneTeam member to cultivate an environment free from offensive or abusive behavior, discrimination, harassment, and bullying,” and defines discrimination as “The act of singling out a person or group of people based on: age, race, color, national origin, gender, ancestry, citizenship, gender identity or expression, legally protected medical condition (including pregnancy, childbirth, breastfeeding, or other related medical condition), sexual orientation, religion, physical or mental disability, genetic information, marital status, military or veteran status or other protected status” [emphasis added].
5. Train and educate on inclusivity
It’s not enough to document your organization’s stance on inclusivity in your code of conduct and policies. You must engrain it in your culture via education, awareness, and engagement. When you’ve updated your code and policies, share the update with an awareness campaign, update your ethics training courses to reflect the new language, and consider running additional awareness campaigns during Pride month and throughout the year. Consider whether certain groups – like people managers – may require more in-depth, specific training on how to lead equitably, respond to questions and reports of discrimination, and support their LGBTQ+ team members. Your training should also make clear how your organization will respond to reports of discrimination or harassment.
Plus, outside of formal training, consider providing resources in your company newsletter and elsewhere to educate and raise awareness on LGBTQ+ issues, rights, and how to behave inclusively. For example, share research from McKinsey or the Human Rights Campaign (HRC) on the state of LGBTQ+ inclusion in the workplace, or share education from HRC and Stonewall about LGBTQ+ inclusive terms, behaviors, and best practices.
6. Respond to incidents
You may experience a rise in reports of discrimination and harassment as awareness of your updated code of conduct and policies increases. Prepare for incoming reports by ensuring that your investigation and response processes are equitable and protect the privacy of reporters and affected parties. Your incident response team should also be trained on human-centered investigations and unconscious bias.
The S in ESG – social – is focused on how an organization’s policies and operations impact society. A big part of that is fostering a safe, positive environment for everyone, including the LGBTQ+ community. Consider sponsoring a Pride campaign to engage employees, raise awareness, and help create an inclusive culture and LGBTQ+ friendly workplace.
7. Listen and provide a safe space
Start with listening. Survey your employees anonymously to get their feedback on how inclusive your company is, comfort levels with sharing gender identities and expressions, and suggestions on how to build a more inclusive workplace.
If your company hasn’t already done so, establish a company-sponsored Pride employee resource group (ERG) or employee trust group (ETG) to cultivate a positive workplace culture for LGBTQ+ employees and allies. Provide a safe, open space for members to share, collaborate, learn, and identify opportunities to promote LGBTQ+ inclusivity. Partner with the ETG annually on the Pride campaign, which could include:
- Hosting roundtable discussions where employees can talk about their experiences
- Inviting LGBTQ+ guest speakers to lunch-and-learn sessions
- Having members create content (blogs, videos, etc.) in support of the campaign
- Attending local Pride events together
For more campaign ideas, check out the toolkits from Benevity and AlayaGood.
8. Set targets and measurable goals
9. Give, volunteer, and empower employees to do the same
Identify opportunities for LGBTQ+ giving and volunteering. If your company has a workplace philanthropy program in place, consider offering additional incentives during Pride Month such as doubling matching gifts or dollars for doers. You can also sponsor or feature relevant nonprofits throughout the year. Check out the Bright Funds and Deed lists for nonprofit suggestions.
GRC and Security
Cybersecurity breaches can cause a great deal of personal harm, particularly to members of the LGBTQ+ community who may be marginalized and face increased discrimination. Organizations have a responsibility to understand the data they (and their third parties) have, protect it, and mitigate the social and physical impacts that a breach could have on the LGBTQ+ community.
Moreover, LGBTQ+ representation in the cyber security profession — while growing — is still very low. According to a 2020 joint report by the UK’s National Cyber Security Centre and analyst firm KPMG, LGBTQ+ representation in cyber security was only 10 percent in 2020.
10. Comply with security frameworks
The protection of personally identifiable information (PII), or information about sexual orientation, gender identity, and more, plays a direct part in protecting members of the LGBTQ+ community. Curating an environment where that information is proactively protected is essential to earning trust. Security experts recognize that when it comes to experiencing a cyberattack, it’s not a matter of if, but when. Protect PII proactively and mitigate the potential exposure and loss of PII by complying with relevant industry frameworks and ensuring that your organization understands its industry-specific compliance obligations.
11. Assess your third parties for inclusivity and compliance
Protecting PII and promoting inclusivity go beyond the proverbial four walls of your own company. Your risk management program must also have visibility into your vendor ecosystem. A recent study by IBM and Ponemon reports that 53 percent of cyberattacks are malicious, citing third-party vulnerabilities as a key method of compromising information during a malicious attack. Ensure your third parties are compliant with industry frameworks, identify high-risk vendors, keep abreast of changes in each third party’s risk profile (including adverse media and reports of discrimination), and take action to ensure that you’re working only with third parties that align with your own company’s values. This will further ensure that your organization is doing its due diligence to create inclusive and safe environments for LGBTQ+ individuals.
12. Support the team
Security teams are inherently siloed due to the specialized nature of their positions and skillsets. Individual employees within those teams, however, can be empowered to make inclusivity a priority for the security department.
- Start a security-specific ETG: While ETGs are often organization-wide, standing up an LGBTQ+ ETG within the security and security-adjacent teams allows colleagues to learn more about and support one another on both work and non-work-related topics.
- Implement lunch-and-learn discussions: Again, as security teams can be siloed within broader organizations, formulate a more inclusive culture with open, honest discussion and team building exercises through lunch-and-learn programs or coordinated after-hours events.
13. Track your progress and keep up the effort year-round
Establish measurable inclusivity markers. “Investors, customers, and business partners care about whether your business is equitable,” says Nick Biland, Senior Technical Writer at OneTrust, “and they want to see meaningful data on what you’re doing to be a positive force in the market.”
For example, track:
- Pay equity
- Hiring diversity
- Employee sentiment (via survey)
- The number of harassment reports you receive
- Completion rates for your inclusivity training, both across the organization and within the people manager group
- Engagement with your code of conduct, particularly sections on diversity and inclusivity
Measure where your company stands now, and use these measurements to establish a baseline – then track changes, trends, and hotspots. For example, is one of your office locations seeking out your anti-discrimination policy more frequently than others? Is a particular team or job level expressing a perception of exclusion or feeling unsafe in their engagement survey? Consider publishing your progress annually to stay accountable.
Building a culture of inclusivity and trust year-round
Trust is the foundation of an inclusive workplace; earning and maintaining that trust is a journey that lasts long past the end of June. OneTrust is on that journey alongside you. This month, we launched the Pride @ OneTrust employee trust group, and we’ll be sharing more on how we’re working to deliver meaningful impact for the LGBTQ+ community within OneTrust and with our customers on our LinkedIn, Twitter, and Instagram profiles.