Whistleblowers, Internal Reporting, and GDPR Compliance

By Varun Chari

The adage “Between a Rock and a Hard Place” has long captured the predicament of the employee-whistleblower who must decide whether to report company fraud. However, with the Securities & Exchange Commission (SEC) providing incentives to whistleblowers to report internally and the General Data Protection Regulation (GDPR) imposing legal restrictions on the collection of personal data, the adage now better describes the employer’s situation. U.S. transnational companies are pressured with the task of restructuring their internal compliance procedures to incorporate the requirements imposed by the GDPR[1] or risk potential liability for failing to do so. This Article will first explain this development by providing a brief background on the SEC whistleblower incentive scheme and the GDPR. Next, this Article will discuss the procedural requirements companies are subject to when they process a whistleblower or third-party’s personal data. Finally, this Article will propose best practices that companies should implement when processing a whistleblower claim internally.

I. The Incentive to Report Internally and GDPR Restrictions

Through the Dodd Frank Act, Congress implemented a massive financial reform legislation to decrease risk in the U.S. financial system.[2] The Act introduced significant whistleblower incentives and protections, and created the Office of the Whistleblower (OWB) to process meritorious award claims.[3] Under the Act’s incentive scheme, a whistleblower who voluntarily provides original information to the SEC—that leads to successful enforcement in which the monetary sanctions total more than $1,000,000—may receive a percentage of the amounts recovered by the SEC.[4] In an administrative proceeding, the SEC extended this scheme to foreign whistleblowers[5] and it has since been attractive to claimants abroad. The Commission has received whistleblower tips from individuals in 119 countries outside of the U.S., and, in 2018 alone, the Commission received submissions from individuals in 72 foreign countries.[6] Notably, on September 24, 2018, the SEC awarded roughly $4 million to an overseas whistleblower whose tip led the Commission to a successful enforcement action.[7]

Although Dodd Frank opened the door for individuals to report externally, the SEC has encouraged whistleblowers to report internally first.[8] For instance, if an employee reports suspected violations to the company and the company subsequently conducts an investigation and reports its findings to the SEC, the original whistleblower could be granted full credit.[9] And, in fact, one of the factors that may increase the award percentage is whether the whistleblower reported the violation first through his or her firm.[10] Thus, the SEC has expressed its desire for employees and companies to work together to expose fraud. This is likely due in part to data revealing that most whistleblowers actually prefer to report internally first.[11] According to the SEC, “[o]f the award recipients who were current or former employees of a subject entity, approximately 83% raised their concerns internally to their supervisors, compliance personnel, or through internal reporting mechanisms, or understood that their supervisor or relevant compliance personnel knew of the violations, before reporting their information of wrongdoing to the Commission.”[12]

Given this preference for internal reporting, companies have reason to invest in their internal compliance programs. However, with the introduction of the GDPR, legislation designed to protect European Union (EU) residents’ personal data,[13] the task is easier said than done. The GDPR essentially forces companies to implement procedures when processing personal data in order to protect the data subject’s rights.[14] This presents unique challenges for companies with their internal reporting procedures because whenever a whistleblower makes an internal report, the company will likely collect (1) personal data of the whistleblower if the report is not submitted anonymously and (2) personal data of third parties shared by the whistleblower in the report.[15] And, if a company fails to undertake the necessary safeguards, the GDPR imposes significant penalties.[16] Thus, U.S. companies subject to the GDPR[17] will likely have to restructure their internal reporting procedures or risk potential liability.

II. Procedural Requirements when Processing Personal Data Under the GDPR

The GDPR lists several exceptions to its general rule that individuals should primarily be in control of their personal and sensitive data.[18] These exceptions are found under Article 6,[19] and two of them are relevant in the context of internal reporting. First, the processing of data is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.[20] Second, the processing of data is lawful where processing is necessary for the purposes of the legitimate interests pursued by the controller or third party.[21]

A. GDPR’s Consent Exception

When reporting internally, the whistleblower may choose to provide personal data about herself in her report. If so, in accordance with Article 6 of the GDPR, the company processing the data must obtain the whistleblower’s consent.[22] Companies would have to ensure that their compliance programs have the necessary procedures in place to obtain the whistleblower’s consent prior to processing the report.[23] At this juncture, the internal reporting procedure would also have to comply with Article 5 of the GDPR. Article 5(c) provides that the data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.[24] Article 5 further requires that the relevant data be erased once the investigation ends.[25] Article 7(3) adds another wrinkle. This section of the GDPR states that “[t]he data subject shall have the right to withdraw his or her consent at any time.”[26] Where a whistleblower decides to withdraw consent, the company must erase the whistleblower’s personal data.[27]

The more pressing concern arises when a company processes the personal data of third parties that the whistleblower provides in the internal report.[28] Article 15 gives individuals the right to obtain confirmation of whether their personal data is being processed.[29] Once notified under Article 15, the third party may request that the personal data be erased in accordance with Article 17(1)(B)’s “right-to-be-forgotten” provision.[30] The likely result in such a situation is that the investigation will come to a halt or remain incomplete until the company can rely on another legal basis. Thus, while the consent exception may initially impose less of a burden upon compliance officers—because they need not substantiate the whistleblower’s claim immediately[31]—it presents several risks once an investigation is underway.

B. GDPR’s Legitimate Interest Exception

Unlike the consent provision, a compliance procedure grounded on the legitimate interest condition of Article 6 is advantageous in that it does not require prior approval by the data subject—or third party.[32] The legitimate interest provision applies because internal reporting procedures protect the interests of the whistleblower, the company, and society by preventing further instances of improper activity.[33] Recital 47 provides further support for these procedures stating that “[t]he processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”[34] Additionally, Recital 71 states that “decision-making based on… profiling should be allowed where expressly authori[z]ed by . . . law . . . including for fraud or tax evasion monitoring and purposes.”[35] And even further, the regulation recognizes that the controller has the right to process and store data when it is “for the establishment, exercise or defense of legal claims.”[36]

While the legitimate interest exception seems to be a catch-all provision, there are important restrictions. The exception only applies when the legitimate interest outweighs the data subject’s privacy interest.[37] The result of this balancing test is that legal and compliance officers will have to determine the legal authority for processing whistleblower data on a case-by-case basis. “‘A generic prevention of fraud’ purpose is not a legitimate interest prevailing over the data subject’s interest.”[38] Given the complexity of processing whistleblower claims, it is likely that the legitimate interest provision will not support the processing of all claims.[39]

C. Data Protection Impact Assessments

Even when operating under the Article 6 exceptions, companies will still have to adhere to Article 35(1), which requires companies to undertake certain procedures when processing personal data. When data processing is likely to result in high risk to the rights of the data subject—because the data is sensitive or highly personal—the data processor has the responsibility to carry out Data Protection Impact Assessments (DPIAs).[40] DPIAs require (1) a systematic description of the processing operations and legitimate interests pursued, (2) an assessment of the necessity and proportionality of the operations in relation to purpose, (3) an assessment of the risks to the rights and freedoms of data subjects, and (4) measures and safeguards to address the risks.[41] The GDPR also grants the data subject a right of access and a right to object to the processing of personal data.[42] Additionally, Article 13 and Article 14 require companies to inform data subjects that their data is being processed under the legitimate interest provision.[43] Under Article 21, the data subject has the right to object, and once the data subject objects, the controller must demonstrate compelling grounds for processing.[44] Thus, the GDPR imposes several procedural requirements upon companies when they process personal data, even when they are operating under a lawful basis.

III. Best Practices for Processing Whistleblower Claims Internally

Because of the restrictions imposed by the GDPR, compliance officers must undertake safeguards to ensure that their company’s internal whistleblower programs properly process personal data. When processing a foreign whistleblower claim, companies should take into account the following considerations: (1) data quality, (2) right of information, (3) right of access, (4) retention period, and (5) data security.[45] In the internal reporting process, these considerations arise in three crucial stages: claim intake, notification to data subjects, and data retention.

Compliance officers must first determine the scope of personal data essential to the investigation in order to meet the GDPR’s data minimization requirement.[46] With regard to the whistleblower’s personal data, companies should encourage whistleblowers to report anonymously. The danger with a whistleblower who decides to give consent to the processing of his or her personal data is that the whistleblower has the right to withdraw his or her consent at any time.[47] To protect anonymity, companies should implement online intake forms that allow for follow-up and feedback.[48] The online intake forms should not reveal any identifying information such as the whistleblower’s IP address or employee password.[49] Aside from maintaining anonymity, the communications must also be sophisticated enough to ensure that the whistleblower’s claim is substantiated. Sophistication at this stage is crucial to guarantee confidentiality and to screen out false or vindictive allegations.[50]

The second important stage involves notification to data subjects. After the claim intake, compliance officers will have to provide prompt notice to those implicated in the investigation.[51] It is not enough to post a general privacy notice on the company website.[52] Notice should be given at the point of data collection or shortly after. Throughout this process, it is essential for compliance officers to be upfront, transparent, and explicit as to the nature of the data collection.[53] Compliance officers should keep documented records of every stage of the procedure. Moreover, because an accused party is likely to object once notified, compliance officers must be able to respond with compelling grounds for processing the personal data.[54] The key issue to resolve here is whether the claim brought forth is substantiated. Thus, sophistication in the claim intake procedure is essential in that it allows the company to carry forward with its investigation even after informing data subjects that their personal data is being processed.

Finally, companies should monitor how long personal data may be retained. Article 5(1)(e) mandates that data only be stored for as long as necessary for the purpose for which it is being processed.[55] The difficulty in the context of whistleblower claims is that there is no certainty as to how long an investigation will last. Moreover, erasing company data is not always simple, because of where the data is stored, such as in backups.[56] It is therefore necessary for compliance officers to conduct a risk assessment, business impact assessment, and data protection impact assessment at this stage.[57] Record keeping and proper documentation of the reasons for storing backup data may, at the least, illustrate that it would be impracticable for the company to erase the data.[58] Once a whistleblower claim has been fully investigated and no further action is taken, compliance officers have an obligation to determine whether there is a legitimate interest for the continued storage of that data.[59] Compliance officers can reduce the risk of violating this requirement in two ways. First, the compliance procedure should outline clear goals for the investigation and evaluate the information available, as well as the information needed, to process the investigation. Second, compliance officers must implement heightened data security measures, technical and organizational, throughout the process to protect the confidentiality of the data subjects.[60]
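As an added illustration of the three stages above (claim intake, notification, retention), the following Python sketch models a case record that applies them; it is not from the article or any vendor product, and the field names, the 90-day retention window, and the sample submission are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Form fields the intake record is allowed to persist (data minimization, Art. 5(c)).
ALLOWED_FIELDS = {"narrative", "implicated", "reporter_name"}
# Transport and credential metadata that must never reach the record (hypothetical names).
FORBIDDEN_FIELDS = {"client_ip", "sso_password", "user_agent", "employee_id"}

# Constructed sample submission, as an intake form might receive it.
SAMPLE_SUBMISSION = {
    "narrative": "Vendor invoices approved without delivery records.",
    "implicated": ["J. Doe (AP manager)"],
    "reporter_name": "",            # blank: anonymous report
    "client_ip": "203.0.113.7",     # must not be stored
    "sso_password": "hunter2",      # must not be stored
    "consent_to_process_own_data": False,
}

@dataclass
class Case:
    token: str                        # random handle so an anonymous reporter can follow up
    narrative: str
    implicated: list
    basis: Optional[str]              # "consent" (Art. 6(1)(a)), "legitimate_interest" (Art. 6(1)(f)) or None
    reporter_name: Optional[str]
    opened: date
    notified: dict = field(default_factory=dict)   # subject -> date of Art. 13/14 notice
    closed: Optional[date] = None
    retention_reason: Optional[str] = None         # documented reason to keep data after closure

def intake(raw: dict, today: date) -> Case:
    """Stage 1: keep only the fields the investigation needs and pick the lawful basis."""
    kept = {k: raw.get(k) for k in ALLOWED_FIELDS}
    assert FORBIDDEN_FIELDS.isdisjoint(kept), "identifying metadata reached the record"
    name = kept["reporter_name"] or None
    basis = "consent" if name and raw.get("consent_to_process_own_data") else "legitimate_interest"
    if basis == "legitimate_interest":
        name = None                   # without consent the reporter's identity is not stored
    return Case(secrets.token_urlsafe(16), kept["narrative"], list(kept["implicated"]),
                basis, name, today)

def withdraw_consent(case: Case) -> Case:
    """Art. 7(3): the reporter's data is erased; the case has no basis until another is documented."""
    if case.basis == "consent":
        case.reporter_name = None
        case.basis = None             # investigation halts until e.g. legitimate interest is established
    return case

def notify(case: Case, subject: str, today: date) -> Case:
    """Stage 2: record the Art. 13/14 notice given to an implicated person."""
    if subject in case.implicated:
        case.notified[subject] = today
    return case

def handle_objection(case: Case, subject: str, compelling_grounds: Optional[str]) -> Case:
    """Art. 21: after an objection, processing continues only on documented compelling grounds."""
    if subject in case.implicated and not compelling_grounds:
        case.implicated.remove(subject)
        case.notified.pop(subject, None)
    return case

def retention_action(case: Case, today: date, max_days: int = 90) -> str:
    """Stage 3 (Art. 5(1)(e)): decide whether a closed case's data must now be erased."""
    if case.closed is None:
        return "retain-open"
    if today - case.closed <= timedelta(days=max_days):
        return "retain-within-period"
    return "retain-documented" if case.retention_reason else "erase"
```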

IV. Concluding Remarks

Given the GDPR’s hefty penalties and strict data processing requirements, non-U.S. companies may be deterred from implementing internal reporting channels.[61] However, this does not apply to U.S. companies where whistleblowers generally report internally first, and the SEC incentivizes them to do so. Moreover, even companies that do not conduct business in the EU will be required to implement proper data privacy safeguards because of the California Consumer Privacy Act, which applies to any business that processes the personal information of California residents.[62] In short, because data protection laws have enormous implications for U.S. companies in the context of whistleblowers who report internally, companies should look to invest in their internal reporting procedures and implement best practices for compliance.


[1]And likely other data protection laws.

[2]Amy Deen Westbrook, Cash for Your Conscience: Do Whistleblower Incentives Improve Enforcement of the Foreign Corrupt Practices Act?, 75 Wash & Lee L. Rev. (2018).

[3]U.S. Sec. & Exch. Comm’n, 2018 Annual Report to Congress: Whistleblower Program 4 (2018) [hereinafter 2018 Annual Report to Congress], https://www.sec.gov/sec-2018-annual-report-whistleblower-program.pdf.

[4]Id. at 4.

[5]In the Matter of the Claim for Award in Connection with Redacted, Release No. 73174 (Sept. 22, 2014). The Commission reasoned that “there is a sufficient U.S. territorial nexus whenever a claimant’s information leads to the successful enforcement of a covered action brought in the United States, concerning violations of the U.S. securities laws” and that this approach “best effectuates the clear Congressional purpose underlying the award program.” Id. at 2 n.2.

[6]2018 Annual Report to Congress, supra note 3, at 22–23.

[7]Id. at 11.

[8]Id. at 14.

[9]Id. at 17. While the Supreme Court decision in Digital Realty found that Dodd-Frank’s protections only apply to those who report to the SEC, there is no requirement that an individual be an employee or company insider to be eligible for an award. Dig. Realty Tr., Inc. v. Somers, 137 S. Ct. 2300 (2017).

[10]2018 Annual Report to Congress, supra note 3, at 14.

[11]OECD, The Detection of Foreign Bribery: The Role of the Whistleblower 14 (2017) [hereinafter OECD], http://www.oecd.org/corruption/anti-bribery/OECD-The-Role-of-Whistleblowers-in-the-Detection-of-Foreign-Bribery.pdf.

[12]2018 Annual Report to Congress, supra note 3, at 14.

[13]Matt Burgess, What is GDPR? The Summary Guide to GDPR Compliance in the UK, Wired (Jan. 21, 2019), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.

[14]Id.

[15]Vera Cherepanova, Vera Cherepanova: GDPR implications for the Whistleblowing Process, The FCPA Blog (May 3, 2018), http://www.fcpablog.com/blog/2018/5/3/vera-cherepanova-gdpr-implications-for-the-whistleblowing-pr.html.

[16]Joseph J. Lazzarotti et al., Does the GDPR Apply to Your US-based Company?, Jackson Lewis (Jan. 8, 2018), https://www.workplaceprivacyreport.com/2018/01/articles/international-2/does-the-gdpr-apply-to-your-us-based-company (stating that fines can reach up to “4% of annual revenues or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements.”).

[17]The GDPR is far reaching in its territorial scope. The legislation applies to the processing of personal data of individuals residing in the EU. Therefore, a company without an EU establishment will be subject to the GDPR if the company processes data that is related to either (a) offering goods or services to data subjects in the Union (European Union); or (b) monitoring data subjects’ behavior as far as it takes place in the Union. GDPR Art. 3.

[18]Burgess, supra note 13.

[19]GDPR Art. 6.

[20]Id.

[21]Id.

[22]Id.

[23]This can be done with individual online-intake forms, or a company may choose to “advise all employees that in the process of using hotline/whistleblowing service/system their data may be processed and request their consent to proceed.” Cherepanova, supra note 15.

[24]GDPR Art. 5(c).

[25]GDPR Art. 5(e).

[26]GDPR Art. 7(3).

[27]Cherepanova, supra note 15.

[28]Id.

[29]GDPR Art. 15.

[30]GDPR Art. 17(1)(B).

[31]With consent of the data subject, the company is not required to provide a compelling basis as grounds for processing personal data. Irene Kamara & Paul De Hert, Understanding the Balancing Act Behind the Legitimate Interest of the Controller Ground: A Pragmatic Approach, Brussels Privacy Hub Working Paper (2018).

[32]GDPR Art. 6(1) (stating that “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: . . . (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data . . . .”).

[33]Cherepanova, supra note 15.

[34]GDPR, Recital 47.

[35]GDPR, Recital 71.

[36]See GDPR Art. 21.

[37]GDPR Art. 6(1).

[38]Kamara & Hert, supra note 31.

[39]See Case C-131/12 Google Spain and Google, EU:C:2014:317, ¶81 (providing an example of where the data subjects rights were found to be greater than the legitimate interest of the data processor).

[40]Cherepanova, supra note 15.

[41]GDPR Art. 35(7).

[42]GDPR Art. 21.

[43]GDPR Art. 13(4) and 14(5).

[44]GDPR Art. 21; Kamara & Hert, supra note 31.

[45]Anti-Fraud Procedures, EU Data Protection Supervisor [hereinafter Anti-Fraud Procedures], https://edps.europa.eu/data-protection/data-protection/reference-library/anti-fraud-procedures_en (last visited Feb. 1, 2019); Angie White, Fighting Fraud in a Post GDPR World, Iovation: Innovations & Compliance (May 10, 2018) [hereinafter White], https://www.iovation.com/blog/fighting-fraud-in-a-post-gdpr-world.

[46]White, supra note 45.

[47]Cherepanova, supra note 15.

[48]Kaufmann et al., German Data Protection Authorities Establish New Rules for Whistleblowing Hotlines: Call for Action, Global Compliance News (Aug. 22, 2018), https://globalcompliancenews.com/germany-whistleblowing-hotlines-20180822.

[49]See, e.g., European Commission, Anonymous Whistleblower Tool, http://ec.europa.eu/competition/cartels/whistleblower/index.html (last visited Mar. 26, 2019) (providing a procedure to report anonymously).

[50]OECD, supra note 11, at 16.

[51]Anti-Fraud Procedures, supra note 45.

[52]Id.

[53]Carmel Mushel, Making Sense of Legitimate Interests Under the GDPR, Return Path (Mar. 12, 2018), https://blog.returnpath.com/making-sense-of-legitimate-interest-under-the-gdpr; see also GDPR: What are the Implications for Fraud Detection?, Howich Farelly (May 26, 2017), https://h-f.co.uk/knowledge/gdpr (discussing the practical implications of the GDPR).

[54]Kamara & Hert, supra note 31.

[55]GDPR Art. 5(1)(e).

[56]See Luke Irwin, The GDPR: How the Right to be Forgotten Affects Backups, IT Governance (May 21, 2018), https://www.itgovernance.eu/blog/en/the-gdpr-how-the-right-to-be-forgotten-affects-backups (discussing the complications with erasing data on backup).

[57]Id.

[58]See, e.g., id. (positing an ideal system as one that would organize backups so that each data subject gets their own archive).

[59]GDPR 6 Months On: Has the Whistleblowing Landscape Changed?, EXPOLINK (Nov. 29, 2018), https://www.expolink.co.uk/blog/gdpr-6-months-whistleblowing-changed.

[60]Anti-Fraud Procedures, supra note 45. These can include cyber-security defenses.

[61]International Bar Ass’n, Whistleblower Protections: A Guide 26 (2018).

[62]Mark G. McCreary, The California Consumer Privacy Act: What You Need to Know, N.J. Law Journal (Dec. 1, 2018), https://www.law.com/njlawjournal/2018/12/01/the-california-consumer-privacy-act-what-you-need-to-know.