In May 2018, the General Data Protection Regulation (GDPR) will come into force with tighter data protection provisions and stronger enforcement of those provisions. It will provide a single set of regulations in all EU member states, thereby replacing current national data protection laws. And it will have wide-reaching impact on organisational whistleblowing systems. These are five important issues to consider to ensure that your whistleblowing system complies with the GDPR:
1) Stricter technical requirements on the whistleblowing system, including:
- Privacy by design. Data protection and data privacy should permeate the design and processes of the whistleblowing system. It is important to ensure secure data processing, storage and destruction of data, including backups.
- Privacy by default. The whistleblowing system per default should enable the highest level of data privacy and protection in the handling of personal data.
- The obligation to notify data breaches.
2) Adequate organisational measures, including:
- Pseudonymisation, which is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
- Stricter data processor agreements.
- The GDPR will be applicable to companies established outside the EU.
3) Higher demands on documentation, including, for example:
- How can organisations ensure the originality of the report?
- Who has taken what actions and when, including deleted reports.
- Description of categories of personal data, data subjects, time limits of the processing, technical and organisational security measures.
Detailed documentation of data processing (accountability) should be maintained in a secure way both by controllers and processors. Note that the obligations for record keeping vary for controllers and processors.
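To make the two technical points above concrete, pseudonymisation (section 2) and an action record that can show who did what and when, including deletions, and that the report has not been altered (section 3), here is an added illustration. It is not WhistleB's code or part of the original article, and the report content, names and field names are constructed for the example. It separates the reporter's direct identifiers into a vault that would be held apart from the case database, and keeps a hash-chained, MAC-protected audit log so that a removed or edited entry is detectable.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed sample report; the person and the allegation are fictitious.
SAMPLE_REPORT = {
    "reporter_name": "Alice Example",
    "reporter_email": "alice@example.org",
    "narrative": "Supplier invoices were approved without a second signature.",
}

# Fields that directly identify the reporter and must be held separately.
DIRECT_IDENTIFIERS = ("reporter_name", "reporter_email")


class PseudonymVault:
    """Separately held mapping pseudonym -> direct identifiers.

    In a real system this lives in a different store, with different access
    controls, from the case-handling database (an assumption of this example).
    """
    def __init__(self):
        self._store = {}

    def put(self, identifiers):
        pseudonym = secrets.token_hex(8)          # random, not derived from the data
        self._store[pseudonym] = dict(identifiers)
        return pseudonym

    def reidentify(self, pseudonym):
        return self._store.get(pseudonym)

    def erase(self, pseudonym):
        # Erasing the link is how a "right to be forgotten" request is honoured
        # without destroying the case record itself.
        return self._store.pop(pseudonym, None) is not None


def pseudonymise(report, vault):
    """Return a case record with identifiers replaced by a vault reference."""
    identifiers = {k: report[k] for k in DIRECT_IDENTIFIERS if k in report}
    case = {k: v for k, v in report.items() if k not in DIRECT_IDENTIFIERS}
    case["reporter_ref"] = vault.put(identifiers)
    return case


def report_fingerprint(case):
    """SHA-256 over canonical JSON, so identical content always hashes the same."""
    canonical = json.dumps(case, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    """Append-only record of who did what, when, to which case.

    Every entry commits to the previous entry's MAC and is itself MACed with a
    controller-held key, so deleting or editing an entry breaks verification.
    """
    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, entry):
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, actor, action, case_ref, fingerprint=None, when=None):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        entry = {
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "case_ref": case_ref,
            "fingerprint": fingerprint,
            "prev": prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], self._mac(entry)):
                return False
            prev = entry["mac"]
        return True


def demo():
    """Intake, handling and identifier erasure, each recorded in the log."""
    vault = PseudonymVault()
    log = AuditLog(key=secrets.token_bytes(32))
    case = pseudonymise(SAMPLE_REPORT, vault)
    fp = report_fingerprint(case)
    log.record("intake-system", "received", case["reporter_ref"], fp)
    log.record("case-handler-1", "opened", case["reporter_ref"], fp)
    vault.erase(case["reporter_ref"])
    # Deletion is itself a documented action, as section 3 requires.
    log.record("case-handler-1", "identifiers-erased", case["reporter_ref"])
    return case, fp, log
```

Recomputing `report_fingerprint` on a stored case and comparing it with the fingerprint logged at intake answers the "originality of the report" question; `AuditLog.verify()` answers "who did what and when, including deleted reports", because a silently removed entry leaves a gap in the chain.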
4) New requirements regarding communication to employees. Organisations will be required to, for example:
- Make the whistleblowing privacy notice/policy and other information easily available to all parties that are invited to report.
- Provide contact details of the data controller responsible for the whistleblowing system, and when appropriate, details of the data protection officer.
- Inform employees about their right to file complaints with the Data Protection Agency.
5) The “One-stop-shop mechanism” introduced in the GDPR allows an organisation that is active in several member states to deal only with the data protection authority in the member state of its main establishment.
Regarding the abolition of the notification requirement, it remains to be seen how the processing of personal data relating to criminal offences will be interpreted and handled under national laws.

Finally, WhistleB recommends organisations ask themselves these three key questions to assess whether they comply with the GDPR:
- Is the data protection level of your whistleblowing service compliant with the GDPR?
- What internal policies and processes do you have in place for case handling, documentation, deletion, right to be forgotten, etc.?
- Are your whistleblowing communications and guidelines/policies for employees and other stakeholders compliant with the GDPR?
WhistleB is a global whistleblowing service expert which helps organisations to set up their whistleblowing systems and procedures in a correct and pragmatic manner. You can order our whistleblowing white paper on how the GDPR impacts organisational whistleblowing on: https://whistleb.com/insight/
Karin Henriksson is a Co-Founding partner of WhistleB. She has worked for European Institutions in Brussels and has advised international and local actors in her role as a business ethics consultant. Karin is a member of Transparency International’s Whistleblowing Group in Sweden.