The imminent General Data Protection Regulation (GDPR) will be one of the most influential frameworks in the data privacy sector. Throughout Europe, data privacy will soon be harmonized by law. The regulation was adopted in April 2016 and its enforcement will be mandatory from May 25, 2018 for all companies processing personal data. As a result, GDPR will also affect how personal data will be managed within whistleblowing systems.
Compliance officers will be required to follow very specific procedures when handling personal data, particularly as it pertains to issues of whistleblowing reports and reporters.
Modern correspondence and workflows rely heavily on digital means of communications and data storage. Subsequently, these workflows produce huge amounts of data (which could be susceptible to abuse or breaches). This is forcing compliance officers who are subject to the regulation, to think about the manner that they may be handling and controlling European citizens’ personal data.
Throughout Europe, the GDPR will harmonize data privacy by law.
The abuse of personal data was one of main the triggers leading to tightening laws of personal data processing. This trend is reflected in the implementation of fiscal penalties for organizations in breach of GDPR and data processing regulations. Penalties have been structured in a tiered manner. Fines can equal up to 20 million Euro, or 4 % of the annual global turnover of the company (whichever is greater). Smaller GDPR infringements, such as failing to notify a regional data privacy authority and data subject about a breach, can result in fines of up to 2 % of turnover. These penalties are in effect for both parties involved in data exchanges: controllers and processors, including any cloud-based services. Regarding whistleblowing systems, a lot of sensitive data is processed and therefore needs to be handled appropriately and confidentially.
2. Right to be Forgotten
GDPR also underlines the ‘Right to be Forgotten’. This includes the requirement that personal data be erased after being completely processed. Article 17 describes the conditions for the erasure of data: either the data is no longer relevant to the original purposes of processing, or the data subject withdraws his or her consent for data processing. In contrast to email or phone reporting, a digital whistleblowing system can easily meet erasure requirements by providing reporters and compliance teams options like data anonymization in a simple and structured manner.
Another GDPR change mandates a stricter manner of giving consent regarding further data processing. GDPR has introduced requirements to have a clear and intuitive form for any reporters or data subjects of requesting the permission to process data. Illegible Terms and Conditions full of "legalese" are no longer acceptable. It must be as easy to withdraw consent as it is to give it. In view of the new requirements, a whistleblowing system will have to verify such confirmation processes during the reporting period, while keeping in mind any additional national or organizational regulations.
Want the lastest updates on Compliance topics delivered straight to your feed?
4. Breach Notification
The GDPR requires that in the case of any data breach, breach notifications will be mandatory to secure the integrity and rights of individuals. Data processors must inform their customers (controllers) within 72 hours after first having become aware of a data breach. Working on sensitive matters that may involve whistleblower information requires both security and transparency.
5. Internal Structure - Privacy by Design
GDPR challenges organizations' internal information security structures with the aim of protecting personal data and complying with data privacy requirements. This requires the implementation of appropriate technical and organizational measures (Article 23) in order to meet these enhanced requirements. This includes limiting access to personal data, new specifications on data storage, the appointment of a Data Protection Officer, and the encryption of any personal data transactions.
A whistleblowing system must respect the principles of privacy and security to gain a potential reporter’s trust and ensure confidentiality. The use of encryption technology, granular permission management, and measures to assure a reporter's anonymity are integral requirements of a compliant whistleblowing system.
Privacy and security are key principles to gain a potential whistleblower’s trust.
The management of whistleblowing cases requires an appropriate corporate culture which reflects the organization’s intention to handle personal data and whistleblowing reports confidentially and with the utmost security.
The implementation of GDPR may seem like a lot of work, particularly for smaller and mid-sized companies. However, when looking at creating a culture of organizational transparency, security, and trust, is an undertaking that is well worth it. Whistleblowers will feel more secure knowing their data is protected and under stricter regulation. GDPR is an important step in creating a new generation of data regulations and initiatives across Europe, and hopefully, globally.
This article was first published by ETHIC Intelligence.