Why email is a risky whistleblower reporting channel

Three reasons why an email address is not a good standalone reporting channel in companies
Moritz Homann

Many companies opt for a simple whistleblower email address and inbox when setting up their whistleblower reporting system. This option can be implemented quickly and is inexpensive. Despite those advantages, there are serious concerns about the medium’s suitability for whistleblowing, particularly from a security perspective, and it should only be used as part of a wider compliance solution.

Here are 3 reasons why email shouldn’t be used as a whistleblower reporting channel:


Reason 1: Your data is exposed to security and data protection risks

When a whistleblower reports potential misconduct, sensitive personal data is captured. However, email does not have any built-in encryption mechanism. This makes it possible for unauthorized parties not only to read sent emails, but also to change them. As a result, neither the transmission nor the processing of reports is audit-proof, and the integrity of the data is at risk. This may invalidate information used for internal and external investigations. In addition, GDPR compliance cannot be guaranteed, as data security requirements (Article 32) are not fulfilled. GDPR requires that sensitive information be stored in high-security data centers, which is difficult to achieve with email.

Reason 2: Your employees may not trust an email whistleblower reporting system

Gaining the trust of potential whistleblowers is critical to ensuring that relevant reports are submitted. For this reason, employees must be 100% confident in the security of the system and the manner in which reports are processed. If not, potential whistleblowers will be much less likely to speak up internally and may even turn to the authorities or media. A study conducted by EQS Group and the University of Applied Sciences HTW Chur has shown that organizations with a specialized reporting channel, such as a digital whistleblowing system, are more likely to receive relevant reports than companies with simpler reporting channels, such as a whistleblower email address. Furthermore, the study showed that having the ability to report misconduct confidentially or anonymously significantly increases the likelihood that an employee will use a whistleblowing system.

Reason 3: Email doesn’t allow for efficient case processing

In addition to data security and employee trust, ease of processing reports is another factor that should be considered when choosing a whistleblowing system. With an email-based system, all of the data that is received will need to be logged manually in the case management system. Furthermore, there may not be a case management system at all, resulting in inefficient case reviews. This also means that it is almost impossible to effectively investigate an incident, and often whistleblowers don’t receive sufficient feedback on their submitted report, or in some cases, no feedback at all.

Alternative to an email-based whistleblowing system

As we have seen, there are some potential disadvantages to using non-specialised whistleblowing systems. For that reason, it’s worth considering alternatives, such as introducing a digital whistleblowing system, which is currently considered best practice. With this method, all communications with the whistleblower are encrypted and stored in high-security data centers, making it easy to meet the legal requirements regarding data protection and data security.

Digital systems also foster more trust from employees, resulting in higher rates of workers reporting compliance-relevant irregularities without fear of retaliation. Reports can also be submitted confidentially or anonymously, if preferred. An integrated case management area allows you to process incoming cases efficiently and gives you a detailed overview of all existing cases and their status.

In recent years, the weaknesses of the telephone hotline for whistleblowing have become more apparent, and this medium functions best as part of an integrated digital whistleblowing system. The same principle applies to email: it can be leveraged most effectively as one element of a wider whistleblowing solution. This allows compliance teams to handle reports from multiple channels in one place with substantially higher security standards while keeping the entire digital system compliant with legislation such as the GDPR and the EU Whistleblowing Directive.

Moritz Homann
Managing Director Corporate Compliance | EQS Group
Moritz Homann is responsible for the department of Corporate Compliance products at EQS Group. In this function, he oversees the strategic development of digital workflow solutions tailored to meet the needs of Compliance Officers around the world.