GDPR & Whistleblowing: How the General Data Protection Regulation Will Affect Whistleblowing Systems

We take a look at the implications of the General Data Protection Regulation (GDPR) for whistleblowing systems.

Sabine Stöhr

    The imminent General Data Protection Regulation (GDPR) will be one of the most influential frameworks in the data privacy sector. Throughout Europe, data privacy will soon be harmonized by law. The regulation was adopted in April 2016 and its enforcement will be mandatory from May 25, 2018 for all companies processing personal data. As a result, GDPR will also affect how personal data will be managed within whistleblowing systems.

    Compliance officers will be required to follow very specific procedures when handling personal data, particularly as it pertains to issues of whistleblowing reports and reporters.

    Modern correspondence and workflows rely heavily on digital means of communication and data storage. Consequently, these workflows produce huge amounts of data (which could be susceptible to abuse or breaches). This is forcing compliance officers who are subject to the regulation to think about the manner in which they handle and control European citizens’ personal data.


    The abuse of personal data was one of the main triggers leading to the tightening of laws on personal data processing. This trend is reflected in the implementation of fiscal penalties for organizations in breach of GDPR and data processing regulations. Penalties have been structured in a tiered manner. Fines can equal up to 20 million Euro, or 4 % of the annual global turnover of the company (whichever is greater). Smaller GDPR infringements, such as failing to notify a regional data privacy authority and data subject about a breach, can result in fines of up to 2 % of turnover. These penalties are in effect for both parties involved in data exchanges: controllers and processors, including any cloud-based services. Whistleblowing systems process a lot of sensitive data, which therefore needs to be handled appropriately and confidentially.

    Right to be Forgotten

    GDPR also underlines the ‘Right to be Forgotten’. This includes the requirement that personal data be erased after being completely processed. Article 17 describes the conditions for the erasure of data: either the data is no longer relevant to the original purposes of processing, or the data subject withdraws his or her consent for data processing. In contrast to email or phone reporting, a digital whistleblowing system can easily meet erasure requirements by providing reporters and compliance teams options like data anonymization in a simple and structured manner.

    Our digital whistleblowing system EQS Integrity Line helps you to reduce risks in your company.

    Sabine Stöhr

    Senior Product Manager – EQS Group | As Senior Product Manager for EQS Integrity Line Sabine is an expert on the implementation of whistleblowing systems. She is based in our Zurich office.