How to handle personal data in a Whistleblowing system
Are you compliant with the new EU General Data Protection Regulation?

WhistleB, Whistleblowing Centre, November 2016


The right to be protected, and the responsibility to protect

Article 8 of the Charter of Fundamental Rights of the European Union states that the protection of personal data (see definition below) is a fundamental right in the EU. Accelerating technological advancement and the vision of a single digital market have led to the creation of the General Data Protection Regulation (GDPR), which will provide a single set of rules applicable across all EU countries.

The new regulation will tighten data protection by enforcing a number of stricter provisions and new obligations for personal data controllers and data processors (see definitions below), and by reinforcing data subject rights. It will also allow for stronger enforcement of these requirements and introduces administrative fines for businesses that fail to comply with the regulation.

Definitions:

1) Personal data is any information, direct or indirect, that can identify a person, the so-called data subject.

2) A personal data controller is an entity that alone or together with others decides why and how personal data shall be processed.

3) A personal data processor is usually a company that processes personal data on behalf of a controller, and only according to the controller's instructions. The GDPR introduces direct obligations on the data processor and thereby increases the processor's responsibilities. See, for example, the obligation to notify data breaches under point 2, and point 3, below.

“Whistleblowers believe that they are acting in the public interest when reporting an activity observed of serious matter… Confidentiality is therefore crucial and the most effective way to encourage staff to report concerns is to ensure them that their identity will be protected.”

European Data Protection Supervisor (EDPS), Whistleblowing Guidelines, 2016

In May 2018 a new EU-wide regulation on data protection comes into force, replacing the current national data protection laws. The General Data Protection Regulation (GDPR) will have wide-reaching impact, including on organisational whistleblowing systems. Is your system compliant? What do you need to think about to be ready in time?

This whitepaper helps you understand the five main issues that you need to address in order to be compliant with the new regulations when handling personal data in a whistleblowing system.


What does the GDPR say? Five factors for Whistleblowing system compliance

The GDPR has implications for the handling of personal data in a whistleblowing system. Below are five areas to which you should give particular attention.

1. One-stop-shop mechanism

One of the main objectives of the new regulation is to simplify the regulatory environment for businesses by providing a single set of rules, the GDPR, in all member states.

- The "one-stop-shop mechanism" introduced in the GDPR allows an organisation that is active in several member states to deal only with the data protection authority in the member state of its main establishment.

- The GDPR abolishes the general requirement to notify the data protection authority before processing begins. It remains to be seen how the processing of personal data relating to criminal offences, which whistleblowing reports frequently contain, will be interpreted and handled under national laws.

WhistleB insight: Reviews are currently underway regarding the impact of the GDPR on the national legal guidelines for corporate whistleblowing in EU countries. However, according to the Swedish Data Protection Agency, no decisions have yet been made. WhistleB helps customers to comply with national data protection regulations, and is closely monitoring possible changes in the legal requirements on corporate whistleblowing.

2. Adequate technical measures

Organisations need to ensure that their whistleblowing system meets the stricter technical requirements in the new regulation. These include:

- Privacy by design. Data protection and data privacy should permeate the design and processes of the whistleblowing system. It is important to ensure:
  - Secure data processing: why, how, where and by whom
  - Secure data storage: how, where and by whom
  - How data is destroyed, including backups

- Privacy by default. By default, the whistleblowing system should enable the highest level of data privacy and protection in the handling of personal data.

- Obligation to notify data breaches. There is a new obligation for controllers to notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to communicate the breach to the affected data subjects where it is likely to result in a high risk to them. Processors are obliged to notify the controller without undue delay.

WhistleB insight: We welcome the update to the technical requirements for secure handling of data. Data security is the basis for a trusted whistleblowing system, where both personal data and sensitive information are processed. External vulnerability assessments and penetration testing should be performed regularly to identify and remedy potential security risks. WhistleB provides a whistleblowing service with industry leading security, through secure processes, solutions and monitoring, to safeguard anonymous whistleblowers and sensitive data.

3. Adequate organisational measures

Organisations should ensure they have implemented adequate organisational measures.

- Organisations need to ensure that they have a process and a technical system in place for "pseudonymisation". Pseudonymisation is the separation of data from direct identifiers, so that linkage to an identity is not possible without additional information that is held separately. This is one way to protect personal data when an external processor is involved: the processor works on the pseudonymised case data, while the information needed to re-identify a person stays with the controller.

By implementing pseudonymisation, organisations can demonstrate a certain level of compliance with, for example, the GDPR's security rules. However, pseudonymised data is still personal data under the GDPR, so pseudonymisation does not lessen other obligations.

- Organisations need to have a personal data processor agreement in place if they outsource the processing of whistleblowing cases. Be sure to review existing agreements because:

- Firstly, the GDPR imposes direct obligations on data processors. These include implementing technical and organisational measures, notifying the controller without undue delay of data breaches, documentation requirements, and informing the controller if an instruction infringes the GDPR. The data processor can be held liable, jointly with the controller, for damage caused to the data subject.

- Secondly, the GDPR introduces new elements that must be included in data processor agreements.

- Consider placing a requirement on the processor that it has an appointed Data Protection Officer.

- The GDPR will also apply to companies established outside the EU (both controllers and processors) if they offer goods or services to, or monitor the behaviour of, EU data subjects within the EU. Such entities are obliged to appoint a representative in the EU (with some exceptions).

WhistleB insight: The protection of personal data is only as strong as the weakest link in the system. This is why the WhistleB service is designed such that it is the data controller's responsibility to appoint the individuals who can decrypt, read and act on the data. The customer can select whether they want internal and/or external data processing.

When external processing is used, it is vital that a system is in place for seamless handling of personal data in order to ensure its security. The system also needs to be easy to use and adaptable to the specific requirements of the organisation. A user-friendly whistleblowing system safeguards the correct handling of personal data.

4. Increased obligations for documentation of handling of personal data

According to Article 30 of the GDPR, organisations should ensure that documentation of correct data processing exists, for both controllers and processors. This includes:

- Purpose

- Process: how can organisations ensure the originality of the report, that is, that the report as handled is the report as received?

- Who has taken what actions and when, including deleted reports. Documentation should include a description of the categories of personal data and of data subjects, the time limits for the processing, and the technical and organisational security measures.

- To whom, and to which countries, is the data disclosed?

- If persons named in the report have not been informed, why not. The GDPR allows the right to information to be restricted, for example to protect an ongoing investigation, but the reasons must be documented.

- Documentation of the closing of cases and the deletion of personal data, according to the GDPR principle of storage limitation (personal data is not kept longer than the purpose requires).

Detailed documentation of data processing (accountability) should be maintained in a secure way by both controllers and processors. Note that the record-keeping obligations differ for controllers and processors.

WhistleB insight: The WhistleB system is designed such that case management actions are documented in a process log.

Personal data should be deleted when it is no longer needed for investigations, and the functionality of the WhistleB system is designed to comply with this GDPR requirement. However, note that the GDPR acknowledges that other relevant laws can serve as legal grounds for the processing of personal data. For example, if you are required by labour law to store personal data, this is acceptable under the GDPR as long as you have legal grounds for doing so.
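The pseudonymisation described under point 3 (case data kept apart from the reporter's identity, re-linkable only with information the controller holds separately) and the accountability log described under point 4 (who did what and when, including deletion, and whether a report is still the original) can be shown in one small program. The following is an added example written for this page, not WhistleB's software; the class and field names, the keyed-hash pseudonym scheme, the hash-chained log and the sample report are all constructed for the illustration.

```python
"""Pseudonymised case store with an accountability log.

Illustrative example only, not WhistleB's code. The controller keeps the
pseudonymisation key and mapping; the processor's store holds neither.
Names, fields and the sample report are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from typing import Optional


def canonical(obj) -> bytes:
    """Stable JSON encoding so a hash does not depend on dict key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ControllerVault:
    """Held by the data controller only: the key and the pseudonym-to-identity
    mapping (the 'additional information kept separately')."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.mapping: dict = {}

    def pseudonymise(self, identity: dict) -> str:
        # Keyed hash (HMAC) rather than plain SHA-256: without the key a
        # processor cannot confirm a guessed name by recomputing the pseudonym.
        pseudonym = hmac.new(self.key, canonical(identity), hashlib.sha256).hexdigest()[:16]
        self.mapping[pseudonym] = identity
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[dict]:
        return self.mapping.get(pseudonym)


class CaseStore:
    """What an external processor works with: pseudonymised cases plus a
    hash-chained process log. It holds neither the key nor the mapping."""

    def __init__(self):
        self.cases: dict = {}
        self.log: list = []

    def _append(self, actor: str, action: str, case_id: str, detail: str = "") -> None:
        # Each entry commits to the previous one; editing or removing an entry
        # breaks the chain that verify_log() checks.
        prev = self.log[-1]["entry_hash"] if self.log else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "case": case_id, "detail": detail, "prev": prev}
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.log.append(entry)

    def intake(self, case_id: str, reporter_pseudonym: str, report: dict, actor: str) -> str:
        # The content hash taken at intake lets anyone later check that the
        # report is still the original.
        content_hash = hashlib.sha256(canonical(report)).hexdigest()
        self.cases[case_id] = {"reporter": reporter_pseudonym, "report": report,
                               "content_hash": content_hash, "status": "open"}
        self._append(actor, "intake", case_id, content_hash)
        return content_hash

    def report_is_original(self, case_id: str) -> bool:
        case = self.cases[case_id]
        return hashlib.sha256(canonical(case["report"])).hexdigest() == case["content_hash"]

    def close_and_delete(self, case_id: str, actor: str, reason: str) -> None:
        # Storage limitation: the personal data goes; the log entry recording
        # who deleted it, when and why stays.
        del self.cases[case_id]
        self._append(actor, "delete", case_id, reason)

    def verify_log(self) -> bool:
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Runs the flow end to end and returns the observable results."""
    vault = ControllerVault(key=b"controller-only-key-fixed-for-demo")
    store = CaseStore()
    identity = {"name": "Sample Reporter", "email": "reporter@example.com"}  # constructed
    report = {"category": "fraud", "text": "Invoices approved without a second signature in Q3."}
    pseudonym = vault.pseudonymise(identity)
    store.intake("CASE-1", pseudonym, report, actor="processor:intake")
    processor_sees_identity = identity["email"] in json.dumps(store.cases)
    original_before = store.report_is_original("CASE-1")
    store.cases["CASE-1"]["report"]["text"] += " (edited later)"  # simulate tampering
    original_after = store.report_is_original("CASE-1")
    store.close_and_delete("CASE-1", actor="controller:ombudsman", reason="investigation closed")
    chain_ok = store.verify_log()
    store.log[0]["actor"] = "processor:someone-else"  # simulate log tampering
    return {
        "pseudonym": pseudonym,
        "processor_sees_identity": processor_sees_identity,
        "controller_reidentifies": vault.reidentify(pseudonym),
        "original_before_edit": original_before,
        "original_after_edit": original_after,
        "case_deleted": "CASE-1" not in store.cases,
        "log_actions": [e["action"] for e in store.log],
        "chain_ok_before_tamper": chain_ok,
        "chain_ok_after_tamper": store.verify_log(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The pseudonym is an HMAC under a key the controller never shares, so a processor holding the case data cannot re-identify a reporter by hashing candidate names; a plain hash of the identity would allow exactly that. And the log is append-only by construction: the deletion of a case removes the personal data but leaves a verifiable record of who deleted it and why, which is what the Article 30 documentation duty asks for.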

5. New requirements regarding communication to employees

Organisations will be required to:

- Make the whistleblowing privacy notice/policy and other information easily available to all parties that are invited to report. The communication should be easy to understand.

- Provide contact details of the data controller responsible for the whistleblowing system and, where applicable, of the data protection officer. This information should also be documented.

- Inform employees about other potential recipients, or categories of recipients, that may have access to personal data in the whistleblower report, for example if categorisation of data or investigations have been outsourced. Employees should also be informed of potential recipients of personal data outside the EU/EEA.

- Inform employees how data that does not fall under the definition of whistleblowing, for example data related to HR issues, will be processed.

- Inform employees about their right to lodge a complaint with the data protection authority.

The GDPR also requires that employees be informed of matters that are already required under current data protection law:

- The purpose for which personal data is used and the legal basis for its processing.

- Deletion of personal data once the purpose has been fulfilled. The new regulation emphasises the right to be forgotten.

- The right of a person named in a whistleblower report to request access to data relating to themselves and to require amendments, should the information be incorrect, incomplete or out of date. (This right is subject to any overriding safeguarding measures required to prevent the destruction of evidence or other obstruction of the processing and investigation of the report.)

(GDPR, Articles 13 and 14)

WhistleB insight: Communication about the whistleblowing system is key to gaining trust and thereby receiving business-critical information. Informing employees about how the data in the reports is handled is important both in the whistleblowing policy and in the communication to the whistleblower, not only to comply with the GDPR but also so that the whistleblowing system is a trusted system.

Finally, WhistleB recommends that organisations ask themselves these three key questions to start assessing whether they comply with the GDPR:

1. Is the data protection level of your whistleblowing service compliant with the GDPR?

2. What internal policies and processes do you have in place for case handling, documentation, deletion, the right to be forgotten, etc.?

3. Are your whistleblowing communications and guidelines/policy for employees and other stakeholders compliant with the GDPR?


APPENDIX

Data Protection Bodies at the EU level

The European Data Protection Supervisor (EDPS) is the independent supervisory authority at EU level with responsibility for the processing of personal data by the EU institutions and bodies, for advising on policies and legislation that affect privacy, and for cooperating with similar authorities to ensure consistent data protection.

In July 2016 the EDPS launched its Guidelines on processing personal information within a whistleblowing procedure for civil servants in the European Union. The guidelines include a list of recommendations for setting up whistleblowing systems. Summary:

1. Implement channels for internal and external reporting.

2. Ensure confidentiality of the information and protect the identity of whistleblowers and other involved persons.

3. Apply data minimisation: only process personal information which is necessary.

4. Identify the affected individuals to determine their rights of information, access and rectification. Restrictions to these rights are allowed, as long as documented reasons can be provided.

5. Make sure to inform each category of individuals concerned about how their data will be processed. General information on the website, for example, is not sufficient.

6. Ensure, when responding to right of access requests, that personal information of other parties is not revealed.

7. Assess the appropriate competence of the recipient (internal or external) and then limit the transfer of personal information to a minimum.

8. Define proportionate retention periods for the personal information processed.

9. Implement both organisational and technical security in order to guarantee lawful and secure processing of personal information.

The Article 29 Data Protection Working Party was set up under the Data Protection Directive (on the protection of individuals with regard to the processing of personal data and on the free movement of such data). It has advisory status and acts independently.

The Working Party is the author of Opinion 1/2006 (WP117) on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, the fight against bribery, banking and financial crime.

As that opinion, as well as the national guidelines on how to handle personal data in whistleblowing systems, is based on the Data Protection Directive, which will be replaced by the new General Data Protection Regulation, it had still not been decided, according to the Swedish Data Protection Agency in October 2016, how the national guidelines on the handling of personal data will be affected.

Major benefits of a corporate whistleblowing service

Preventive
- Reduces the risk of wrongdoing taking place.
- Important part of our efforts related to anti-corruption.
- Sends a clear signal that we are dedicated to doing business according to our Code of Conduct.

Early warning
- We consider our whistleblowing channel to be our safety valve.
- A communication platform to receive information that we would not receive through other channels.
- We can catch and react to irregularities at an early stage.

Gain trust
- Important part of our compliance programme.
- Strengthens the sustainability profile, also in the external communication of our sustainability efforts.
- Leading by example, to show that we want to enhance a transparent business climate.


You are welcome to contact WhistleB Founding Partner Karin Henriksson: [email protected], +46 70 444 32 16

More information about WhistleB: www.whistleb.com