Get ready for the GDPR – Part 4: Whistleblower arrangements

Legal news
18 April 2018
Denmark

The General Data Protection Regulation will apply as of 25 May 2018. The new Regulation is important to companies that already have or are considering establishing a whistleblower arrangement as it places new requirements upon the data controllers and data processors. In this newsletter, we focus on the new rules and how your company can be prepared.

Under the new Regulation the obligation to notify the national Data Protection Agencies is removed. This means that companies are no longer obliged to report whistleblower arrangements prior to establishing them. However, this does not mean that all requirements for such arrangements cease to apply.

Continued Requirements

The Danish Data Protection Agency has laid down a number of requirements for whistleblower arrangements which, under the existing rules, must be met to obtain the Agency's approval. Most of these requirements are based on the general principles of good data processing practice, objectivity and proportionality and are therefore carried forward under the new Regulation.

These requirements include:

  • Only persons affiliated with the company can file a report, and reports may only concern individuals with a connection to the company, e.g. employees, board members or suppliers.
  • Reports may only be filed on suspicion of serious misconduct that can affect the company as a whole or the lives or health of individuals, such as serious financial crime, serious breaches of safety at the workplace or serious offences aimed at an employee, e.g. violence or sexual assault.
  • Minor offences cannot be reported under the arrangement. In such cases, e.g. a violation of internal guidelines, the company's usual channels of communication must be used.
  • Access must be limited to an independent unit that receives and handles the reports. This unit must meet certain requirements, such as training.
  • Finally, the company must meet requirements relating to data security and develop internal guidelines on security precautions, which are subject to review at least once a year.

New requirement: Records

With the GDPR, the notification obligation is replaced by a requirement, placed upon both the data controller and the data processor, to keep internal records of all processing activities. As the activities involve sensitive data, this requirement applies equally to smaller companies with whistleblower arrangements.

The record must contain a description of the nature, scope, context and purpose of the processing activity as well as the likelihood of the risks connected with the processing. This is intended to ensure that the company can demonstrate that the arrangement is administered in accordance with the GDPR. In principle, this means that your company must document every processing activity.

Possible Requirement: Impact Assessments (DPIA)

The Danish Data Protection Agency generally recommends that a company prepares an impact assessment whenever a new system or processing activity is introduced. The GDPR only requires such an analysis if there is a "high risk" that the processing activity may violate the rights of the data subject. Neither the new provisions nor the guidelines give any indication as to whether a whistleblower arrangement by definition entails such a risk.

First of all, a "high risk" is likely to arise if a company applies a new technology in its processing activities. But even if this is not the case, a whistleblower arrangement is likely to require an impact assessment, because a number of elements in the processing activities taken together constitute such a "high risk". This is because the arrangements involve processing of sensitive data aimed at employees, who under the new rules must be considered a vulnerable group. Moreover, the company must be aware that cross-border data transfers to a third country or an anonymous whistleblower arrangement increase the likelihood of a "high risk", and as a result an impact assessment should be made.

In conclusion, it is likely that the data protection authorities will require an impact assessment to be conducted when a company establishes a whistleblower arrangement. As for existing arrangements, there is no explicit requirement to complete an impact assessment, but under the new rules a company must reassess its risk analysis every three years. This will most likely affect all companies that currently have whistleblower arrangements in place.

IUNO’s Opinion

The obligation to notify the Danish Data Protection Agency is replaced by a number of new requirements, in line with the GDPR's general principle of "data protection by design". It is to a large extent up to the companies to ensure that these new rules are incorporated and complied with – and especially that this is documented. With the new requirements to keep records and conduct impact assessments, the original goal of limiting the administrative and economic burden on companies by removing the notification obligation has not been met, as the new requirements also entail a great deal of administrative work.

IUNO recommends that companies, as part of their processing procedures, thoroughly assess whether their whistleblower arrangements comply with the new rules, especially in relation to the new requirement to keep records and the possibility that an impact assessment may be required.

Anders Etgen Reitz, Partner
Søren Hessellund Klausen, Partner