The EU recently approved a new Whistleblower Directive setting common minimum standards designed to strengthen protection for whistleblowers and prevent retaliation for whistleblowing. The Directive allows breaches of law to be reported both internally within companies and externally, directly to national and EU authorities, and it requires the creation of channels and procedures for receiving and following up on reports. It applies to legal entities in the public sector and to private entities with 50 or more employees or with an annual turnover or annual balance sheet total of EUR 10 million or more, as well as to entities of any size that operate in financial services or are vulnerable to money laundering or terrorist financing.
Impacts on Records and Information Management (RIM)
Article 18 of the new Directive requires that the processing of personal data in connection with whistleblowing be carried out in accordance with the EU GDPR. Whistleblowing records therefore fall under GDPR Article 5(1)(e) (storage limitation), which requires that personal data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. GDPR Recital 39 (reflected in Article 5(1)(f) and Article 32) further requires appropriate security and confidentiality, including preventing unauthorized access to or use of the data and of the networks and information systems used to process it. On top of these GDPR requirements, the new Directive specifies that personal data not relevant to the handling of a specific case shall be immediately deleted.
Member States will have until May 15, 2021 to enact or amend the laws and regulations needed to comply with the new Directive. Several European countries already have whistleblower laws, and some contain provisions that compel the destruction of records identifying a whistleblower within a short period. For example, Article 16(5) of Hungary’s whistleblower law requires that, for “investigations revealing that the whistleblower report is unfounded or that no further action is necessary, the data relating to the whistleblower report shall be deleted within 60 days after the end of the investigation.” Countries with requirements like Hungary’s will need to re-evaluate whether any retention after the close of an investigation remains permissible under the new Directive. As EU countries evaluate and revise their laws in response to the new Directive, employers will need to monitor the changes and adjust their records retention schedules accordingly. For example, where a company currently retains whistleblower records containing personal information for a short period past the close of a case for audit purposes, it may have to discontinue that practice if the “immediately deleted” language of the new Directive flows through into new or revised national laws.
In addition to affecting records retention schedules, these regulations require processes that adequately protect whistleblowers, including the records that identify them, and procedures for handling breaches of the related personal information. Re-evaluating policies, procedures, and recordkeeping systems will be necessary to ensure that the required protections are implemented. If you need help strategizing how to prepare for requirements like the new EU Whistleblower Directive, or for more established requirements like the GDPR, contact Zasio today.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
Author: Rick Surber, CRM, IGP
Senior Analyst / Licensed Attorney