The imminent general data protection regulation (GDPR) will be one of the most influential frameworks in the data privacy sector. Throughout Europe, data privacy will soon be harmonized by law. The regulation was adopted in April 2016 and its enforcement will be mandatory from May 2018 for companies processing personal data.
Compliance officers will be obliged to follow very specific procedures when handling personal data particularly as it pertains to issues of whistleblowing.
Modern working conditions rely heavily on digitally displayed workflows which produce huge amounts of data, forcing compliance officers, following the regulation, to handle and control European citizens’ personal data to prevent abuses.
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. In contrast to an email or telephone reporting process, a digital system can meet such requirements in a relatively easy and structured manner.
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. It must be as easy to withdraw consent as it is to give it.. In view of the new requirements, a whistleblowing system will have to verify such confirmation processes during the reporting period while keeping in mind any additional national or organizational regulations.
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach. Working on sensitive matters following whistleblowing information requires a specific form of transparency.
Internal structure -Privacy by Design
GDPR challenges organizations' internal structures related to information security for the purpose of protecting personal data and complying with various data privacy requirements. This affects ‘…implement appropriate technical and organizational measures … ‘(Article 23) in order to meet the requirements of e. g. limited access to personal data, storage of data, required Data Protection Officer, encrypted transactions of personal data…etc.
A whistleblowing system needs to respect the principles of privacy and security to gain a potential whistleblower's trust and ensure confidentiality. The use of encryption technology, granular permission management or measures to assure a reporter's anonymity are integral requirements of a compliant whistleblowing system.
The management of whistleblowing cases requires an appropriate corporate culture which reflects the organization’s intention to handle personal data and whistleblowing reports confidentially and with the utmost security.
The implementation of GDPR may seem like a lot of work, particularly for smaller and mid-sized companies. But with respect to the topic of whistleblowing, it will be worth it.
Whistleblowers will feel much safer, knowing their data is protected and under stricter regulation. GDPR will foster a whistleblowing culture around the globe.