By Varun Chari
The adage “between a rock and a hard place” has long captured the predicament of the employee-whistleblower who must decide whether to report company fraud. However, with the Securities and Exchange Commission (SEC) offering whistleblowers incentives to report internally and the General Data Protection Regulation (GDPR) imposing legal restrictions on the collection of personal data, the adage now better describes the employer’s situation. U.S. transnational companies face the task of restructuring their internal compliance procedures to incorporate the requirements imposed by the GDPR, or risk potential liability for failing to do so. This Article will first explain this development by providing a brief background on the SEC whistleblower incentive scheme and the GDPR. Next, this Article will discuss the procedural requirements companies are subject to when they process a whistleblower’s or third party’s personal data. Finally, this Article will propose best practices that companies should implement when processing a whistleblower claim internally.