As any organization that operates internationally knows, there are varying levels of data protection that are implemented from country to country. The idea is to share data in a manner that also protects personal privacy and is controlled by regulations and laws—some more strict than others.
The European approach prioritizes privacy over free speech while the US does the reverse; some countries fall somewhere in between. This can complicate matters when you’re looking to extend a hotline to different locations. But being complicated is no excuse for not abiding by all pertinent laws and regulations.
We often hear questions about data privacy and protection from companies concerned with meeting the standards of different countries. When implementing a hotline in international locations, it is best to contact an employment attorney who is familiar with the local rules and regulations. Beyond working with a local attorney, here are some additional best-practice guidelines to help you start thinking about the different regulations that may affect your implementation of a global hotline.
- Inform employees with targeted messages.
Employees should be supplied with written communication explaining the operation and purpose of the hotline. This message should be custom tailored for each country you’re deploying in so you can address local issues and properly explain the hotline within context (without making your employees read a lot of information that doesn’t pertain to them).
- Be aware of the restrictions on accepting anonymous complaints.
In this situation, employers are advised to encourage “confidential” reporting rather than using the word “anonymous.” Anonymous reports are strongly discouraged in some countries, so be sure your organization (or the local employment attorney) does proper due diligence in order to understand local expectations. The hotline communication materials distributed to employees in these countries should make it clear that reporting is confidential, but on a named basis. Also make sure your hotline and case management systems can handle the potential for anonymous reporters from the US while not allowing anonymous reporting from other countries where applicable.
- Prepare to limit the issue types that are surfaced in your hotline.
Many countries restrict the type of matters that can be reported via a hotline. Complaints that are submitted and fall outside the scope should be filtered out as early as possible. All initial decision makers (possibly even including phone intake call center personnel) should be thoroughly trained regarding what types of issues can and cannot be reported via the hotline, based on region. This procedure should also include training on advising the reporter on how to proceed in lieu of making a hotline report and what steps, if any, should be taken by the call center to notify the compliance team of the issue.
- Limit the scope of the data being processed.
Only collect the minimum amount of data necessary. Since companies are held to a very high standard regarding the type of information they gain throughout the course of doing business, consider limiting the intake of complaints to a free text form without prompting questions. Free text entry allows the employee to decide what information they are choosing to pass on to the company, rather than guiding reporters with specific issue types and prompting questions. You will also need to consider who can be the subject of the report. Some countries limit the types of reports based on the accused individual, meaning one can only report a concern about a member of management. Other countries only permit hotline reports on non-management employees. Again, knowing the specific regulations and expectations of the locale you are working in is exceptionally important.
- Understand right of correction and be prepared to support it.
The employee who is the subject of the report should be informed that the report has been made and given the chance to respond to the allegations. This is more than just a best practice; it is a key factor of many hotline regulations in Europe. A specific policy should be put in place to define the timing of informing the subject of a report. Once the individual is told of the complaint, he should be permitted access to the report and the opportunity to correct or clarify any incorrect information.
- Understand varying data retention standards.
Many European countries have very strict restrictions on what type of data can be stored, how it can be stored, where and how it can be transferred and how long you can legally retain that information. For these reasons, processed data should not be retained for any longer than is strictly necessary. Plan ahead for these requirements by researching and understanding the regulations in each country where you have a presence. From there, a retention policy should be implemented for each region in order to ensure that data is not kept for any longer than is necessary or allowed. Regularly auditing these policies is important to ensure procedures are being consistently followed, so put an audit and review schedule in place now.
- Prepare for the registration requirements.
Within each jurisdiction there will be different regulatory requirements to consider before rolling out a hotline. Companies operating in European Member States are generally required to notify the applicable DPA (Data Protection Authority). A company can expect the DPA to request information during registration related to the purpose of the hotline and intended use. Before implementing a hotline, you should contact the DPA that oversees each country or territory where you have an employee presence. The DPA will be able to provide you with requirements and any information which may exempt your company from participating, such as number of employees, etc.
This list is by no means a comprehensive account of everything companies need to do when expanding hotlines to European countries or adequately protecting employee and data privacy. Instead, considering these points will give you a good general understanding of the challenges companies face regarding European hotline standards and can serve as a jumping-off point for your conversations, or as a sanity check if you already have a hotline deployed in Europe.
Also check out the new November 2018 proposed EU Directive on whistleblower protection.