By ComplyLog | October 5, 2021 | Whistleblowing
The EU Whistleblowing Directive (Directive (EU) 2019/1937) has to be transposed into national law by 17 December 2021. Organisations employing 250 or more staff, as well as municipalities serving more than 10,000 inhabitants, have to have internal whistleblowing reporting channels in place by that date.
Implementing the reporting system itself can be difficult, but once you add the obligation to stay mindful of the GDPR it becomes a true challenge. One of the biggest concerns for organisations is how they will protect all of the data a reporting channel collects while remaining compliant with the data protection rules that apply across the union.
GDPR and whistleblowing go hand in hand. This article is here to help data protection officers and compliance teams prepare.
We will go over the basics of the General Data Protection Regulation (GDPR), the scope of the Whistleblowing Directive, the main data protection issues, and the elements you need to put in place as part of your compliance strategy.
Whistleblowing and GDPR compliance strategy
GDPR applies to your business if you:
It is a legal framework that dictates how companies collect and store data, and is built on seven principles. These are:
You must have a lawful basis under Article 6 of the GDPR before you process or store someone’s personal data; consent is only one of six such bases, and, as explained below, it is usually not the right one for whistleblowing reports. Data subjects have the right to access the data you hold about them (Article 15) and, under the “Right to be Forgotten” (Article 17), to request its erasure, although that right is not absolute.
The maximum fine for failing to comply is €20 million or 4% of worldwide annual turnover, whichever is the greater.
The Whistleblowing Directive is designed to prevent retaliation, discrimination and harassment against anyone who reports breaches of EU law that they have uncovered in a work-related context. It also requires all businesses and public entities with 50 or more employees to implement confidential internal reporting channels for whistleblowers, together with procedures for following up on reports and appropriate measures to protect the reporting person. Private organisations with 50 to 249 employees are given until 17 December 2023 to set up their channels; the 2021 deadline applies to those with 250 or more.
The directive requires organisations to protect not only the whistleblowers themselves but also facilitators, relatives and colleagues who have supported or aided them in reporting, and legal entities connected to them.
When a whistleblower submits a report, they will usually provide information that falls within the scope of the GDPR, including personal data about themselves and about the persons they accuse. This data must be handled in a GDPR-compliant manner. These are the major whistleblowing data protection issues you should consider:
Issue: Knowing how long to retain whistleblower records
Why this matters: The GDPR requires you to hold personal data in an identifiable form only for as long as is necessary (the storage limitation principle). Because each whistleblowing case has a different outcome and ends in a different resolution, working out how long to retain the data is harder than it looks.
You must formulate a policy that defines when you consider a case closed, and then set a timeframe after closure within which the data is anonymised or destroyed.
For example, after an investigation some cases move on to legal action, whereas others come to nothing and do not progress further. You cannot close a case until the trial and any appeals have concluded, but you can close those that are not subject to prosecution and destroy their data soon after.
Be aware that Article 17(3) of the GDPR allows you to keep data, despite an erasure request, for as long as retention is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
Issue: Working with GDPR’s “Right to be Forgotten”
Why this matters: If a reporting person exercises their right to erasure, you must ensure that all of their data is anonymised or destroyed, unless one of the Article 17(3) exceptions above still applies (for instance, because the investigation or subsequent proceedings are ongoing).
When you accept reports through written, email or telephone channels, honouring such a request means tracking down every copy of the related information wherever it has been stored, which can prove difficult.
That is why it is a good idea to keep everything organised in one place. With a GDPR-compliant online whistleblowing system such as IntegrityLog, you can retrieve all recorded data for a case and anonymise or destroy it in accordance with the law.
Issue: Collecting only the data you need (data minimisation)
Why this matters: You should only collect the data that is strictly necessary to carry out your investigation, which means designing any questionnaires or submission forms to ask only for the details you truly need. Every additional field is data you must protect, retain and eventually erase.
IntegrityLog, for example, lets you control which data fields you request from the reporting person, which helps you stay compliant.
Issue: Handling the right of access
Why this matters: Everyone has the right to access the data you hold about them and to request rectification of incorrect or out-of-date information in a report. However, Article 15(4) of the GDPR states that this right must not adversely affect the rights and freedoms of others. In particular, a person accused of wrongdoing in a whistleblowing report must not be able to uncover the identity of the whistleblower by exercising their right of access.
You should implement policies that keep the whistleblower’s identity and the confidentiality of the report protected at all times; a subject access request from the person concerned must be answered without disclosing who made the report or any information from which they could be identified.
With regard to the lawfulness of processing personal data in whistleblowing reports, you can rely on one of two lawful bases set out in Article 6 of the GDPR: processing that is necessary to comply with a legal obligation (Article 6(1)(c)), or processing that is necessary for a task carried out in the public interest (Article 6(1)(e)).
In most cases your lawful basis will be the first one. Once the Whistleblowing Directive has been transposed, operating an internal channel and following up on reports is a legal obligation, and doing so necessarily involves processing personal data. If the first basis does not apply, you would have to show that the processing is necessary for a task in the public interest laid down in national or EU law to justify it under the second. Consent is not an appropriate basis here, because it can be withdrawn at any time and the reporting person has no real choice about how the report is handled once it is made.
Good practice when setting up whistleblowing reporting channels is to inform everyone in the organisation about the existence and workings of those channels, the reasons for setting them up, and how personal data submitted through them is processed. This could be an entry in the company handbook that sets out the rights of the data subject, for example.
Make sure your communications state clearly that whistleblowers who report in good faith will face no retaliation, and that their information will remain confidential throughout the process. You might also choose to reiterate this to the whistleblower after a report has been made.
You should tell individuals what their rights are in case they become involved in the whistleblowing process. This applies both to reporting persons and to ‘persons concerned’, that is, the individuals named in a report and accused of wrongdoing.
To comply with the GDPR, you should inform persons concerned that you are processing their data. However, because this could hinder an investigation, you are allowed to delay that notification until the risk of obstructing the investigation has diminished. Article 14(5)(b) of the GDPR provides an exemption where providing the information “is likely to render impossible or seriously impair the achievement of the objectives of that processing”. Document the reason for any delay, and provide the information once the risk has passed.
You should put in place technical and organisational measures to keep the data secure from the outset. You are obliged to ensure it is not accidentally lost, unlawfully destroyed, exposed in a data breach, or accessed by or disclosed to unauthorised individuals.
Although the Whistleblowing Directive allows many different types of reporting channel, keep in mind that they offer varying levels of security. A postbox in an office, for example, makes it easy for anyone to read the submissions when no one is looking. A telephone hotline may require a call handler to take written notes that could fall into the wrong hands.
A cloud-based online reporting system such as IntegrityLog is a more secure option, because access is authenticated and the data is encrypted both in transit and at rest. A password alone is a weak safeguard, however: whatever system you choose, restrict accounts to the case handlers who need them, enforce strong authentication, and keep an audit trail of who accessed each report and when, so that unauthorised access can be detected and investigated.
The Whistleblowing Directive requires you to designate an impartial, competent person or department to handle reports. It is also possible to contract a third party to carry out these tasks, in which case that provider acts as your processor and a data processing agreement under Article 28 of the GDPR is required. In either case, you should set up organisational measures that minimise the chance of confidential data being shared with the wrong people.
Access should be restricted to those who need to process the data in order to conduct and follow up the investigation.
Whistleblowing data may be shared with other entities in your group of companies, whether inside or outside the EU, only where this is necessary to carry out the investigation fully. Transfers to recipients outside the EU/EEA must additionally satisfy the GDPR’s Chapter V requirements on international transfers, such as an adequacy decision or standard contractual clauses.
An employee who reports wrongdoing such as fraud, corruption or bribery in the workplace qualifies as a whistleblower. They do not have to be a full-time employee: the directive also covers contractors, freelancers, volunteers, prospective and former employees, shareholders, suppliers and many other people connected to an organisation.
There are a number of actions compliance officers need to take now to satisfy the rules connecting GDPR and whistleblowing. One way to make this easier and keep your reporting channels compliant is to use IntegrityLog.