

Practical Pieces & Perspectives

April 01, 2019
Whistleblowers, Internal Reporting, and GDPR Compliance
Varun Chari

The adage “Between a Rock and a Hard Place” has long captured the predicament of the employee-whistleblower who must decide whether to report company fraud. However, with the Securities & Exchange Commission (SEC) providing incentives to whistleblowers to report internally and the General Data Protection Regulation (GDPR) imposing legal restrictions on the collection of personal data, the adage now better describes the employer’s situation. U.S. transnational companies are pressured with the task of restructuring their internal compliance procedures to incorporate the requirements imposed by the GDPR[1] or risk potential liability for failing to do so. This Article will first explain this development by providing a brief background on the SEC whistleblower incentive scheme and the GDPR. Next, this Article will discuss the procedural requirements companies are subject to when they process a whistleblower or third-party’s personal data. Finally, this Article will propose best practices that companies should implement when processing a whistleblower claim internally.


I. The Incentive to Report Internally and GDPR Restrictions

Through the Dodd-Frank Act, Congress implemented massive financial reform legislation to decrease risk in the U.S. financial system.[2] The Act introduced significant whistleblower incentives and protections, and created the Office of the Whistleblower (OWB) to process meritorious award claims.[3] Under the Act’s incentive scheme, a whistleblower who voluntarily provides original information to the SEC—that leads to successful enforcement in which the monetary sanctions total more than $1,000,000—may receive a percentage of the amounts recovered by the SEC.[4] In an administrative proceeding, the SEC extended this scheme to foreign whistleblowers,[5] and it has since been attractive to claimants abroad. The Commission has received whistleblower tips from individuals in 119 countries outside of the U.S., and, in 2018 alone, the Commission received submissions from individuals in 72 foreign countries.[6] Notably, on September 24, 2018, the SEC awarded roughly $4 million to an overseas whistleblower whose tip led the Commission to a successful enforcement action.[7]


Although Dodd-Frank opened the door for individuals to report externally, the SEC has encouraged whistleblowers to report internally first.[8] For instance, if an employee reports suspected violations to the company and the company subsequently conducts an investigation and reports its findings to the SEC, the original whistleblower could be granted full credit.[9] In fact, one of the factors that may increase the award percentage is whether the whistleblower first reported the violation through his or her firm.[10] Thus, the SEC has expressed its desire for employees and companies to work together to expose fraud. This is likely due in part to data revealing that most whistleblowers actually prefer to report internally first.[11] According to the SEC, “[o]f the award recipients who were current or former employees of a subject entity, approximately 83% raised their concerns internally to their supervisors, compliance personnel, or through internal reporting mechanisms, or understood that their supervisor or relevant compliance personnel knew of the violations, before reporting their information of wrongdoing to the Commission.”[12]


Given this preference for internal reporting, companies have reason to invest in their internal compliance programs. However, with the introduction of the GDPR, legislation designed to protect European Union (EU) residents’ personal data,[13] the task is easier said than done. The GDPR essentially forces companies to implement procedures when processing personal data in order to protect the data subject’s rights.[14] This presents unique challenges for companies’ internal reporting procedures, because whenever a whistleblower makes an internal report, the company will likely collect (1) personal data of the whistleblower if the report is not submitted anonymously and (2) personal data of third parties shared by the whistleblower in the report.[15] If a company fails to undertake the necessary safeguards, the GDPR imposes significant penalties.[16] Thus, U.S. companies subject to the GDPR[17] will likely have to restructure their internal reporting procedures or risk potential liability.


II. Procedural Requirements when Processing Personal Data Under the GDPR

The GDPR lists several exceptions to its general rule that individuals should primarily be in control of their personal and sensitive data.[18] These exceptions are found under Article 6,[19] and of these exceptions, two are relevant in the context of internal reporting. First, the processing of data is lawful if the data subject has given consent to the processing of his or her personal data for one or more specific purposes.[20] Second, the processing of data is lawful where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.[21]


A. GDPR’s Consent Exception

When reporting internally, the whistleblower may choose to provide personal data about herself in her report. If so, in accordance with Article 6 of the GDPR, the company processing the data must obtain the whistleblower’s consent.[22] Companies would have to ensure that their compliance programs have the necessary procedures in place to obtain the whistleblower’s consent prior to processing the report.[23] At this juncture, the internal reporting procedure would also have to comply with Article 5 of the GDPR. Article 5(c) provides that the data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.[24] Article 5 further requires that the relevant data be erased once the investigation ends.[25] Article 7(3) adds another wrinkle. This section of the GDPR states that “[t]he data subject shall have the right to withdraw his or her consent at any time.”[26] Where a whistleblower decides to withdraw consent, the company must erase the whistleblower’s personal data.[27]


The more pressing concern arises when a company processes the personal data of third parties that the whistleblower provides in the internal report.[28] Article 15 gives individuals the right to obtain confirmation of whether their personal data is being processed.[29] Once notified under Article 15, the third party may request that the personal data be erased in accordance with Article 17(1)(b)’s “right-to-be-forgotten” provision.[30] The likely result in such a situation is that the investigation will come to a halt or remain incomplete until the company can rely on another legal basis. Thus, while the consent exception may initially impose less of a burden upon compliance officers—because they need not substantiate the whistleblower’s claim immediately[31]—it presents several risks once an investigation is underway.


B. GDPR’s Legitimate Interest Exception

Unlike the consent provision, a compliance procedure grounded on the legitimate interest condition of Article 6 is advantageous in that it does not require prior approval by the data subject—or third party.[32] The legitimate interest provision applies because internal reporting procedures protect the interests of the whistleblower, the company, and society by preventing further instances of improper activity.[33] Recital 47 provides further support for these procedures stating that “[t]he processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”[34] Additionally, Recital 71 states that “decision-making based on… profiling should be allowed where expressly authori[z]ed by . . . law . . . including for fraud or tax evasion monitoring and purposes.”[35] And even further, the regulation recognizes that the controller has the right to process and store data when it is “for the establishment, exercise or defense of legal claims.”[36]


While the legitimate interest exception seems to be a catch-all provision, there are important restrictions. The exception only applies when the legitimate interest outweighs the data subject’s privacy interest.[37] The result of this balancing test is that legal and compliance officers will have to determine the legal authority for processing whistleblower data on a case-by-case basis. “‘A generic prevention of fraud’ purpose is not a legitimate interest prevailing over the data subject’s interest.”[38] Given the complexity of processing whistleblower claims, it is likely that the legitimate interest provision will not support the processing of all claims.[39]


C. Data Protection Impact Assessments

Even when operating under the Article 6 exceptions, companies will still have to adhere to Article 35(1), which requires companies to undertake certain procedures when processing personal data. When data processing is likely to result in a high risk to the rights of the data subject—because the data is sensitive or highly personal—the data processor has the responsibility to carry out Data Protection Impact Assessments (DPIAs).[40] DPIAs require (1) a systematic description of the processing operations and the legitimate interests pursued, (2) an assessment of the necessity and proportionality of the operations in relation to their purpose, (3) an assessment of the risks to the rights and freedoms of data subjects, and (4) measures and safeguards to address those risks.[41] The GDPR also grants the data subject a right of access and a right to object to the processing of personal data.[42] Additionally, Articles 13 and 14 require companies to inform data subjects that their data is being processed under the legitimate interest provision.[43] Under Article 21, the data subject has the right to object, and once the data subject objects, the controller must demonstrate compelling grounds for processing.[44] Thus, the GDPR imposes several procedural requirements upon companies when they process personal data, even when they are operating under a lawful basis.


III. Best Practices for Processing Whistleblower Claims Internally

Because of the restrictions imposed by the GDPR, compliance officers must undertake safeguards to ensure that their company’s internal whistleblower programs properly process personal data. When processing a foreign whistleblower claim, companies should take into account the following considerations: (1) data quality, (2) right of information, (3) right of access, (4) retention period, and (5) data security.[45] In the internal reporting process, these considerations arise in three crucial stages: claim intake, notification to data subjects, and data retention.


Compliance officers must first determine the scope of personal data essential to the investigation in order to meet the GDPR’s data minimization requirement.[46] With regard to the whistleblower’s personal data, companies should encourage whistleblowers to report anonymously. The danger with a whistleblower who decides to give consent to the processing of his or her personal data is that the whistleblower has the right to withdraw that consent at any time.[47] To protect anonymity, companies should implement online intake forms that allow for follow-up and feedback.[48] The online intake forms should not reveal any identifying information, such as the whistleblower’s IP address or employee password.[49] Aside from maintaining anonymity, the communications must also be sophisticated enough to ensure that the whistleblower’s claim can be substantiated. Sophistication at this stage is crucial to guarantee confidentiality and to screen out false or vindictive allegations.[50]


The second important stage involves notification to data subjects. After the claim intake, compliance officers will have to provide prompt notice to those implicated in the investigation.[51] It is not enough to post a general privacy notice on the company website.[52] Notice should be given at the point of data collection or shortly after. Throughout this process, it is essential for compliance officers to be upfront, transparent, and explicit as to the nature of the data collection.[53] Compliance officers should keep documented records of every stage of the procedure. Moreover, because an accused party is likely to object once notified, compliance officers must be able to respond with compelling grounds for processing the personal data.[54] The key issue to resolve here is whether the claim brought forth is substantiated. Thus, sophistication in the claim intake procedure is essential in that it allows the company to carry forward with its investigation even after informing data subjects that their personal data is being processed.


Finally, companies should monitor how long personal data may be retained. Article 5(1)(e) mandates that data only be stored for as long as necessary for the purpose for which it is being processed.[55] The difficulty in the context of whistleblower claims is that there is no certainty as to how long an investigation will last. Moreover, there are other difficulties, such as the practicality of simply erasing company data given where the data is stored.[56] It is therefore necessary for compliance officers to conduct a risk assessment, a business impact assessment, and a data protection impact assessment at this stage.[57] Record keeping and proper documentation of the reasons for storing backup data may, at the least, illustrate that it would be impracticable for the company to erase the data.[58] Once a whistleblower claim has been fully investigated and no further action is taken, compliance officers have an obligation to determine whether there is a legitimate interest for the continued storage of that data.[59] Compliance officers can reduce the risk of violating this requirement in two ways. First, the compliance procedure should outline clear goals for the investigation and evaluate the information available, as well as the information needed, to process the investigation. Second, compliance officers must implement heightened data security measures, both technical and organizational, throughout the process to protect the confidentiality of the data subjects.[60]


IV. Concluding Remarks

Given the GDPR’s hefty penalties and strict data processing requirements, non-U.S. companies may be deterred from implementing internal reporting channels.[61] However, this does not apply to U.S. companies where whistleblowers generally report internally first, and the SEC incentivizes them to do so. Moreover, even companies that do not conduct business in the EU will be required to implement proper data privacy safeguards because of the California Consumer Privacy Act, which applies to any business that processes the personal information of California residents.[62] In short, because data protection laws have enormous implications for U.S. companies in the context of whistleblowers who report internally, companies should look to invest in their internal reporting procedures and implement best practices for compliance.
