GDPR & whistleblowing: How the General Data Protection Regulation is affecting whistleblowing systems

We take a look at the implications of the General Data Protection Regulation (GDPR) for whistleblowing systems.
Sabine Stöhr

The General Data Protection Regulation (GDPR) is one of the most influential frameworks in the data privacy sector. Throughout Europe, data privacy is now enshrined in law. The regulation was adopted in April 2016 and its enforcement became mandatory in May 2018 for all companies processing personal data. As a result, the GDPR has changed how personal data is managed within whistleblowing systems.

Compliance officers are now required to follow very specific procedures when handling personal data, particularly as it pertains to issues of whistleblowing reports and reporters.


Modern correspondence and workflows rely heavily on digital communication and data storage. These workflows produce huge amounts of data, which could be susceptible to abuse or breaches. This has forced compliance officers who are subject to the regulation to think about how they handle and control European citizens’ personal data.


The abuse of personal data was one of the main triggers for the tightening of laws on personal data processing. This trend is reflected in the introduction of financial penalties for organizations in breach of the GDPR and other data processing regulations. Penalties are structured in tiers. Fines can reach up to 20 million Euro, or 4% of the company’s annual global turnover (whichever is greater). Smaller GDPR infringements, such as failing to notify the regional data privacy authority and the data subject about a breach, can result in fines of up to 2% of turnover. These penalties apply to both parties involved in a data exchange, controllers and processors, including any cloud-based services. Whistleblowing systems process a great deal of sensitive data, which therefore needs to be handled appropriately and confidentially.

Right to be forgotten

The GDPR also underlines the ‘Right to be Forgotten’. This includes the requirement that personal data be erased once processing is complete. Article 17 describes the conditions for the erasure of data: either the data is no longer needed for the original purposes of processing, or the data subject withdraws his or her consent to processing. In contrast to email or phone reporting, a digital whistleblowing system can easily meet erasure requirements by offering reporters and compliance teams options such as data anonymization in a simple and structured manner.


Another GDPR change mandates a stricter way of obtaining consent for further data processing. The GDPR requires a clear and intuitive way of asking reporters and other data subjects for permission to process their data. Illegible Terms and Conditions full of “legalese” are no longer acceptable. It must be as easy to withdraw consent as it is to give it. In view of these requirements, a whistleblowing system has to verify such confirmation steps during the reporting process, while keeping in mind any additional national or organizational regulations.

Breach notification

The GDPR makes notification mandatory in the case of any data breach, in order to protect the integrity and rights of the individuals concerned. Data processors must inform their customers (the controllers) within 72 hours of first becoming aware of a data breach. Working on sensitive matters that may involve whistleblower information requires both security and transparency.

Internal structure - Privacy by design

The GDPR challenges organizations’ internal information security structures, with the aim of protecting personal data and complying with data privacy requirements. It requires the implementation of appropriate technical and organizational measures (Article 23) to meet these enhanced requirements. These include limiting access to personal data, new specifications on data storage, the appointment of a Data Protection Officer, and the encryption of any personal data transactions.

A whistleblowing system must respect the principles of privacy and security to gain a potential reporter’s trust and ensure confidentiality. The use of encryption technology, granular permission management, and measures to assure a reporter’s anonymity are integral requirements of a compliant whistleblowing system.
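The two measures the post relies on above, erasure of reporter data under Article 17 and granular permission management, can be sketched in code. This is an added example, not code from the original post or from EQS Integrity Line; the data model, the role names and the erasure reasons are assumptions. Keeping the reporter's identity in a separate record from the case content is what makes both operations straightforward:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed example: case content is stored apart from the reporter's
# identity, so the identity can be erased (Art. 17) or withheld from roles
# that do not need it, while the case itself stays workable.

@dataclass
class ReporterIdentity:
    name: str
    email: str
    consent: bool = True          # consent to process identifying data

@dataclass
class Report:
    case_id: str
    content: str
    identity: Optional[ReporterIdentity]
    closed: bool = False
    erased_at: Optional[datetime] = None
    erasure_reason: Optional[str] = None

# Hypothetical role model: only the case handler may see the reporter.
ROLE_PERMISSIONS = {
    "case_handler": {"content", "identity"},
    "auditor": {"content"},
    "it_admin": set(),
}

def view(report: Report, role: str) -> dict:
    """Return only the fields the given role is permitted to see."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    out = {"case_id": report.case_id}
    if "content" in allowed:
        out["content"] = report.content
    if "identity" in allowed and report.identity is not None:
        out["reporter"] = report.identity.name
    return out

def erase_identity(report: Report, reason: str) -> Report:
    """Art. 17 erasure: purpose fulfilled (case closed) or consent withdrawn."""
    if reason == "consent_withdrawn":
        if report.identity is not None:
            report.identity.consent = False
    elif reason == "processing_complete":
        if not report.closed:
            raise ValueError("case still open: purpose not yet fulfilled")
    else:
        raise ValueError(f"unknown erasure reason: {reason}")
    report.identity = None                      # drop the only identifying fields
    report.erased_at = datetime.now(timezone.utc)
    report.erasure_reason = reason              # audit trail without personal data
    return report
```

The erasure record keeps only the reason and the time, so the audit trail itself does not retain personal data.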

The management of whistleblowing cases requires an appropriate corporate culture which reflects the organization’s intention to handle personal data and whistleblowing reports confidentially and with the utmost security.

Complying with the GDPR may seem like a lot of work, particularly for smaller and mid-sized companies. However, as a means of creating a culture of organizational transparency, security, and trust, it is an undertaking that is well worth it. Whistleblowers will feel more secure knowing their data is protected and under stricter regulation. The GDPR is an important step towards a new generation of data regulations and initiatives across Europe and, hopefully, globally.

Sabine Stöhr
Senior Product Manager | EQS Group
As Senior Product Manager for EQS Integrity Line Sabine is an expert on the implementation of whistleblowing systems. She is based in our Zurich office.