How does GDPR affect the processing of personal information within the whistleblowing system?
The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and enforceable since 25 May 2018, has changed the landscape of data protection around the globe. In brief, GDPR is a binding regulation on data privacy that applies to any organization processing the personal data of people in the EU, whether or not the organization itself is established there. As a consequence, it affects how personal information is managed within a whistleblowing system.
How whistleblowing system works under GDPR
A whistleblowing system is one of the most effective tools for detecting fraud. Being effective requires several things, one of which is that the system must respect the privacy and security of the whistleblower. Under GDPR, personal data may only be processed on one of the lawful bases listed in Article 6(1). Two of these bases, consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)), are the ones most relevant to internal reporting, and each obliges compliance officers to follow specific procedural requirements when handling personal information.
Where consent is the basis relied on, the organization must ensure that its whistleblowing program implements procedures to obtain that consent from the whistleblower before processing the report. Under Articles 4(11) and 7, consent is only valid if it is freely given, specific, informed and unambiguous; it must be as easy to withdraw as it was to give, and the organization must be able to demonstrate that it was obtained.
Another aspect that requires attention is the content of internal reports. Article 5(1)(c), the data minimisation principle, requires that the personal data handled be adequate, relevant and limited to what is necessary for the purposes for which it is processed. Article 5(1)(e), the storage limitation principle, further requires that personal data be kept in a form that identifies individuals for no longer than is necessary for those purposes, which in practice means deleting or anonymising the data once the investigation is closed and any legally required retention period has expired.
Accordingly, the reporting channel should ask the whistleblower only for the information needed to assess and investigate the report, and the party responsible for managing the whistleblowing system must ensure that the data is deleted once the investigation is completed or the agreed retention period has ended.
Whistleblowing system to meet GDPR
As a third-party whistleblowing solution, Canary Whistleblowing System is committed to protecting and respecting your privacy according to GDPR rules:
- Data is collected for specified, explicit and legitimate purposes, as described in the Privacy Policy
- Data is deleted after the retention period agreed with the client
- Data may be disclosed where legally required, as described in the Privacy Policy
In addition, the Canary platform and its infrastructure are protected by security controls such as TLS (the successor to SSL) to encrypt data in transit and end-to-end encryption of reports. We also offer multilingual whistleblowing services on various platforms that are ready to receive incoming reports. We can assist your company in investigating reports and, when necessary, in enforcement activities with law enforcement agencies.
Putri
Image by Pete Linforth from Pixabay