GDPR & Whistleblowing: How data protection will affect whistleblowing systems

We take a look at the implications of the General Data Protection Regulation (GDPR) for whistleblowing systems.
Sabine Stöhr

The General Data Protection Regulation (GDPR) is one of the toughest and most influential frameworks in the data privacy sector. Throughout Europe, data privacy is now harmonized by law. The regulation was adopted in April 2016 and its enforcement became mandatory from May 25, 2018 for all companies processing personal data. As a result, GDPR now also affects how personal data will be managed within whistleblowing systems.

Compliance officers are required to follow very specific procedures for data protection, particularly when it pertains to issues of privacy concerning whistleblowing reports and reporters.


Modern correspondence and workflows rely heavily on digital means of communication and data storage. Consequently, these workflows produce huge amounts of data, which could be susceptible to abuse or breaches. This forces compliance officers who are subject to the regulation to think about the manner in which they handle and control European citizens’ personal data.


The abuse of personal data was one of the main triggers leading to the tightening of personal data processing laws. This trend is reflected in the introduction of fiscal penalties for organizations in breach of GDPR and data processing regulations. Penalties are structured in a tiered manner. Fines can equal up to 20 million Euro, or 4 % of the annual global turnover of the company (whichever is greater). Smaller GDPR infringements, such as failing to notify a regional data privacy authority and the data subject about a breach, can result in fines of up to 2 % of turnover. These penalties apply to both parties involved in data exchanges, controllers and processors, including any cloud-based services. Where whistleblowing and GDPR meet, a lot of sensitive data is processed and therefore needs to be handled appropriately and confidentially.

Right to be forgotten

GDPR also underlines the ‘Right to be Forgotten’. This includes the requirement that personal data be erased once processing is complete. Article 17 describes the conditions for the erasure of data: either the data is no longer relevant to the original purposes of processing, or the data subject withdraws his or her consent to data processing. In contrast to email or phone reporting, a digital whistleblowing system can easily meet erasure requirements by offering reporters and compliance teams options such as data anonymization in a simple and structured manner.


Another GDPR change mandates a stricter manner of giving consent to further data processing. GDPR requires a clear and intuitive form through which reporters or other data subjects are asked for permission to process their data. Illegible Terms and Conditions full of “legalese” are no longer acceptable. It must be as easy to withdraw consent as it is to give it. In view of the new requirements, a whistleblowing system will have to verify such confirmation processes during the reporting period, while keeping in mind any additional national or organizational regulations.

Breach notification

GDPR makes breach notification mandatory in the case of any data breach, in order to protect the integrity and rights of individuals. Data processors must inform their customers (controllers) within 72 hours after first becoming aware of a data breach. Working on sensitive matters that may involve whistleblower information requires both security and transparency.

Internal structure - Privacy by design


GDPR is a huge integrity test, challenging organizations’ internal information security structures with the aim of protecting personal data and complying with data privacy requirements. Meeting these enhanced requirements calls for the implementation of appropriate technical and organizational measures (Article 23). These include limiting access to personal data, new specifications on data storage, the appointment of a Data Protection Officer, and the encryption of any personal data transactions.

A whistleblowing system must respect the principles of privacy and security to gain a potential reporter’s trust and ensure confidentiality. When it comes to data protection, the use of encryption technology, granular permission management, and measures to assure a reporter’s anonymity are integral requirements of a whistleblowing system compliant with GDPR.

The management of whistleblowing cases requires an appropriate corporate culture which reflects the organization’s intention to handle personal data and whistleblowing reports confidentially and with the utmost security.

The implementation of GDPR and compliant whistleblowing systems may seem like a lot of work for little reward, particularly for smaller and mid-sized companies. However, creating a culture of organizational transparency, security, and trust is an undertaking that is well worth it. Whistleblowers will feel more secure knowing their data is protected and under stricter regulation. GDPR is an important step in creating a new generation of data regulations and initiatives across Europe and, hopefully, globally.

Sabine Stöhr
Senior Product Manager | EQS Group
As Senior Product Manager for EQS Integrity Line Sabine is an expert on the implementation of whistleblowing systems. She is based in our Zurich office.