Is your whistleblowing hotline GDPR compliant?

With the GDPR deadline just weeks away, we’ve compiled 8 steps to help prepare your Speak Up service for the new data protection rules.

GDPR and whistleblowing: A brief recap

GDPR is intended to unify data protection provisions across the EU. Any business processing the Data of EU subjects will be subject to the new data handling requirements.

This will inevitably affect any organisation that processes whistleblowing reports made by, or about, EU citizens.

You can find out more about these specific considerations in our blog: How will GDPR will affect the whistleblowing process?

Preparing your Speak Up service for GDPR

1. Inform your employees

Make sure all employees and potential whistleblowers are aware of GDPR and their rights when making a whistleblowing report. Aim to provide clarity around issues such as:

  • what data will be processed
  • how the data will be processed
  • who will have access to that data
  • how it will be protected
  • how long it will be retained for

2. Map your data

Data Mapping is essential. Make sure you document what personal data you hold, where it came from and who you share it with.

You can use this mapping to let the whistleblower know where their information will be going after you’ve taken their report. We recommend you also take steps to update your whistleblowing policy and privacy notices at the same time to ensure this information is reflected.

Discover how we tackled the Data Mapping process

3. Put procedures in place

A review of the procedures relating to your whistleblowing service, whether internal or provided by a third party, should be conducted. As part of this, consideration should be given to your investigation processes, data minimisation and retention provisions.

Another consideration for companies with an international presence is the transfer of data. If there is a potential for the data to be transferred outside of the EEA, even if internally within the company, the subject should be made aware of this. It may also be worth reviewing your internal system for any reports received directly to the company.

4. Review your privacy notices

You’ll need to identify your lawful basis for your processing activity under GDPR, document it and update your privacy notice/s to explain it.

You should also make sure these notices are understood by your whistleblowing supplier (if applicable).

5. Accommodate new Data Subject rights

You will need to evaluate your current subject access request process, and update your procedures to reflect the new requirements.

Work with any data processors to ensure you are able to locate and provide a full response to any subject access requests within the new, reduced timescales.

This area is particularly important in a whistleblowing context given that exercising certain subject rights (such as revealing case-specific information) may interfere with a company’s legitimate interest in investigating reports of wrongdoing.

You can update your whistleblowing policy to detail your lawful basis for processing, and why certain rights afforded under GDPR may not be observed.

6. Get consent

There are several grounds for lawful processing but in the context of the service, a collaborative approach to obtaining consent is preferable.

For Expolink, reporters’ consent is taken at the time the report is made through all our available channels. However, this should be coupled with the employer’s whistleblowing policies being clear, and accessible to all employees.

7. Understand what Protection Impact Assessments are

You should familiarise yourself with Protection Impact Assessments and work out how and when to implement them into your whistleblowing procedures.

8. Ensure your authorised recipients and investigators are GDPR compliant

The designated persons who take reports will need to make sure when taking the information from the individual, or receiving the report from your external whistleblowing company, that they deal with the personal data and information in a secure, lawful and GDPR compliant way.

These measures should also apply to individuals or third parties tasked with undertaking an investigation.

Looking for a GDPR-compliant hotline provider?

Our global service is trusted by the world’s leading organisations.