The EU’s General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is set to take effect on May 25, 2018. Although the Regulation was adopted nearly two years ago, in April 2016, analysts predict that by the end of 2018 more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.
The stakes are high: a failure to comply can incur a fine of €20 million ($24.5 million) or 4 percent of annual revenues, whichever is higher.
From the standpoint of compliance and ethics programs, GDPR has an extensive impact on the whistleblowing process. Because of the new personal data handling requirements and the new rights given to individuals, compliance officers need to consider how best to meet the regulatory expectations. The general nature of GDPR provisions creates a certain ambiguity and raises concerns about potential conflicts between personal data protection imperatives and whistleblowing mechanisms. In the absence of a more specific guideline, I attempt to analyze the GDPR provisions through the lens of the whistleblowing process.
Article 4(1) defines personal data as any information relating to an identifiable natural person (the “data subject”) who can be identified by a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It is clear from this extensive definition that the term will now apply to a wider range of situations.
Personal data can be part of the whistleblowing process in at least the following two ways:
- personal data of the whistleblower submitting the report in case it hasn’t been submitted anonymously, and/or
- personal data of third parties shared by the whistleblower in the report.
Principles of data processing. Article 5 requires that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject, whereas Article 6 further elaborates on the notion of ‘lawfulness’ and stipulates that any processing of personal data must have a legal basis, such as the data subject’s consent, the performance of a contract, compliance with a legal obligation or the purpose of a legitimate interest pursued by the controller.
Article 4(11), which defines consent, says that it must be given by a clear affirmative action of the data subject rather than merely implied. One way to address this requirement in the context of the whistleblowing process would be to advise all employees that their data may be processed when they use the hotline/whistleblowing service/system, and to request their consent to proceed. At this stage, some other requirements can be addressed as well, such as:
- ensuring that only data relevant to the report will be processed (Article 5(1)(c)) and that it will be held only until the report is fully investigated and resolved (Article 5(1)(e)), and
- the identity and contact details of the controller, contact details of the data protection officer and other requirements under Article 13.
However, under Article 7(3) the data subject has the right to withdraw his or her consent at any time. Once consent has been withdrawn, the data subject can request that the controller erase his or her personal data, thereby exercising “the right to be forgotten” as stipulated by Article 17(1)(b). While data controllers should be able to remove personal data from the reports, the investigation may be seriously hampered without this information.
Therefore, it is more advisable to address the lawfulness criterion of data processing by relying on one of the following conditions:
- processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6(1)(c)). This condition applies in jurisdictions where national whistleblowing laws impose a legal obligation to adopt a whistleblowing system.
- processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f)). The purpose of whistleblowing mechanisms is to protect the interests of the reporters, the organization and the society at large by preventing further instances of unethical conduct. Therefore, they appear to fall under the understanding of ‘the pursuit of legitimate interests’. Indeed, recital 47 clearly states that “the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”
Rights of the data subject. Under Article 15, the data subject has the right to obtain confirmation as to whether his or her personal data is being processed and, if so, to have access to the following information:
- the purpose of processing
- categories of personal data concerned
- recipients of the data
- the envisaged period for which the personal data will be stored or the criteria used to determine that period
- the right to lodge a complaint with a supervisory authority, and
- where the personal data is not collected from the data subject, any information held as to its source.
Evidently, it would be counter-productive to inform data subjects, upon their request, that they are the subject of an ongoing investigation. The last point also raises serious concerns: hypothetically, it may lead to the exposure of the whistleblower’s identity. The potential conflict may be resolved by applying the provisions of Article 23, which allow each Member State to restrict, by national legislation, the scope of the right of access in order to safeguard the following:
- the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties (Art. 23(1)(d))
- the protection of the data subject or the rights and freedoms of others (Art. 23(1)(i)), and
- the enforcement of civil law claims (Art. 23(1)(j)).
Apart from the fact that national whistleblowing laws mostly provide for the confidentiality of the whistleblower’s identity, it could also be argued that the Article 29 Working Party, in its Guidelines on processing personal information within a whistleblowing procedure, recommends that: “Under no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower …except where the whistleblower maliciously makes a false statement. Otherwise, the whistleblower’s confidentiality should always be guaranteed.”
Data protection impact assessment (DPIA). Under Article 35(1), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller is responsible for carrying out a DPIA. DPIAs are considered important tools for accountability, as they demonstrate that appropriate measures have been taken to ensure compliance with GDPR.
The Article 29 Working Party “Guidelines on data protection impact assessment” (revised in October 2017) outline 9 criteria of personal data processing. Meeting at least 2 of them would require a DPIA to be carried out. Depending on the nature of the report and the circumstances of the alleged misconduct, the whistleblowing process may satisfy the following 2 criteria:
- sensitive data or data of a highly personal nature which includes personal data relating to criminal convictions or offenses as defined in Article 10.
- data concerning vulnerable data subjects (recital 75): this applies to situations when data subjects may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights, including employees.
Once these criteria are met, the requirement to carry out a DPIA would apply to organizations that have implemented whistleblowing mechanisms.
GDPR is an important step towards a new generation of data regulations in the EU. Its implementation requires significant changes to data processing routines, the whistleblowing process being no exception. At this stage, it is clear that the Regulation puts whistleblowers in a stronger position regarding authority over their own data. At the same time, the new requirements raise a certain ambiguity. It is therefore desirable that in the coming months national data protection authorities issue guidelines on the best ways to implement whistleblowing procedures in compliance with GDPR.
Vera Cherepanova, FCCA, CIA, MSc, has more than 10 years’ experience as a compliance officer. She’s currently a self-employed ethics and compliance consultant based in Milan, Italy. She speaks English, French, Italian, and Russian.