In my previous article, How to Choose a Whistleblower Service Provider? I outlined how a serious and trustworthy business partner can actually enhance your organization's commitment toward compliance (although outsourcing such a service is far from being compulsory or necessary).
As we all know, in May 2018 the General Data Protection Regulation (GDPR) will come into force, and, given the nature of the information such providers deal with on a daily basis, it is important to choose one that is fully compliant with data protection laws. It is worth mentioning, in fact, that Whistleblower Service Providers act as your data processors.
1. Contractual obligations. Everything starts with defining the nature and purpose of the data processing (misconduct prevention), its duration (at least 5 years), and the type of data expected to be processed.
2. Confidentiality. The provider and its personnel shall be bound by strict confidentiality duties; moreover, sufficient guarantees should be provided concerning the security of the information stored by the provider (inter alia, state-of-the-art encryption, regular backups, and limited and documented access to the stored information).
On this point, you should include a contractual clause granting you audit rights.
3. Sub-processing. It is not unusual to use a sub-processor, particularly when uncommon language skills or physical locations are required. However, the service provider may do so only with the consent of the controller. In this regard, I strongly suggest performing enhanced due diligence on sub-contractors as well. The provider (processor) remains responsible for the tasks carried out by any sub-processor.
4. Data breach. This is one of the most important aspects of the GDPR: it should be assessed whether any unauthorized access is likely to present a risk to any individual. Not every whistleblower seeks anonymity; nonetheless, since disclosures can contain information about criminal offenses, the affected individuals, the data controller and the supervisory authority should be informed in case of a data breach.
5. Data Protection Officer. As pointed out just above, a DPO must be appointed when dealing with sensitive information (and criminal offenses undoubtedly fall into this category) in order to supervise the privacy compliance program of the organization he works for. Even where its necessity is in doubt, a DPO appointed on a voluntary basis will add credibility to a provider's commitment to data protection.
6. Privacy Impact Assessment. For businesses operating in a technological environment, it is imperative to carry out a PIA on an ongoing basis, to assess whether the data processing is likely to be risky. Besides, a PIA will keep the service provider aware of new legislative developments as well as technological ones (e.g. encryption).
As usual, a one-size-fits-all approach does not work. In this article I chose to leave out some important aspects, such as privacy notices and data subjects' rights (to access, amend or even delete relevant data), because, in whistleblowing, the Member Countries are likely to intervene to define those aspects.