GDPR & whistleblowing – how to handle personal data in a Whistleblowing system?
“Whistleblowers believe that they are acting in the public interest when reporting an activity observed of serious matter… Confidentiality is therefore crucial and the most effective way to encourage staff to report concerns is to ensure them that their identity will be protected.”
European Data Protection Supervisor (EDPS), Whistleblowing Guidelines, 2016
In May 2018 a new EU-wide regulation on data protection will come into force, replacing the current national data protection laws. The General Data Protection Regulation (GDPR) will have wide-reaching impact, including on organisational whistleblowing systems. Is your system compliant? What do you need to think about to be ready in time?
This whitepaper helps you understand the five main issues that you need to address in order to be compliant with the new regulations when handling personal data in a whistleblowing system.
What does the GDPR say?
Five factors for whistleblowing system compliance
The GDPR has implications for the handling of personal data in a whistleblowing system. Below are five areas to which you should give particular attention.
One of the main objectives of the new regulation is to simplify the regulatory environment for businesses by providing a single set of rules, the GDPR, that applies in all member states.
– The “One-stop-shop mechanism” introduced in the GDPR allows an organisation that is active in several member states to deal only with the data protection authority in the member state of its main establishment.
– Regarding the abolishment of the notification requirement, it remains to be seen how the processing of personal data relating to criminal offences will be interpreted and handled under national laws.
WhistleB insight: Reviews are currently underway regarding the impact of the GDPR on the national legal guidelines for corporate whistleblowing in EU countries. However, according to the Swedish Data Protection Agency, no decisions have yet been made. WhistleB helps customers to comply with national data protection regulations, and is closely monitoring the possible changes in legal requirements on corporate whistleblowing.
Adequate technical measures
Organisations need to ensure that their whistleblowing system meets the stricter technical requirements in the new regulations. These include:
– Privacy by design. Data protection and data privacy should permeate the design and processes of the whistleblowing system. It is important to ensure:
– Secure data processing: why, how, where and by whom