People that leave a report through a whistleblowing system may include personal data in their message. Organisations that want to set up a whistleblowing system for their employees, suppliers or other parties have to consider the privacy aspects that come into play. How to combine whistleblowing & GDPR pragmatically?
Article 6 of Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) requires a ‘legal ground for processing’. Consent seems like a good option. But it isn’t. Not for whistleblowing.
Why not?
Consent has to be ‘freely given’, but there is a dependency relationship between employer and employee. If the boss asks for consent, most employees will simply give consent. In its Opinion 2/2017 (WP 249), the Article 29 Data Protection Working Party puts it like this: “Unless in exceptional situations, employers will have to rely on another legal ground than consent”.
From a more practical point of view: consent is an unstable foundation. It can be revoked at any time. If you are running a serious investigation and an employee suddenly decides to revoke his or her consent, what do you do?
Legal and practical points aside, imagine an employee that has been sexually harassed. Your whistleblowing system has a consent box that has to be ticked before someone can leave a report. Your employee has finally found the courage to speak up anonymously and the first question is: ‘do you agree to your personal data being processed?’ There is a big risk that this will scare away reporters and they may even decide to go public. You don’t want to miss important cases!
So, no consent. Then how to comply with GDPR in whistleblowing?
Base your processing on the legitimate interest that you have to detect misconduct that otherwise might not be detected at an early stage. In the end, don’t forget: data protection & privacy rights are very important, but the end goal here is to set up an effective whistleblowing mechanism. People should feel free to speak up, so your organisation can actually detect and deal with serious misconduct!