Addressing Important GDPR-Related Topics
In June 2018, Keith Read (Convercent’s Senior Director, Europe) set out to answer some of the most common deletion, redaction, and hotline case archival questions posed by Convercent customers around the world. Many professionals are concerned about following the letter of the law, especially in light of the GDPR, but varying regulations around these issues tend to complicate compliance.
As the GDPR takes hold, it’s vital to understand the wider considerations of data management as it relates to whistleblower reports. After reading, you’ll have the background and expanded knowledge required to more appropriately handle whistleblowing-related data within your organization. We’ll also share some solutions that preserve data integrity, so that compliance professionals can identify trends, protect employees, and remain GDPR compliant.
While some EU member states have their own legislation related to the retention and deletion of personal data, there are some broad rules that apply throughout the Union. Of particular importance are the recommendations of the Article 29 Data Protection Working Party, an advisory body where each EU member state appointed a representative from their respective data protection authorities. On May 25th, 2018, this entity essentially became the European Data Protection Board (EDPB) under the EU General Data Protection Regulation (GDPR).
With regard to whistleblowing, the Working Party released Opinion 1/2006, titled ‘Application of EU data protection rules to … whistle-blowing schemes’. In that Opinion, the Working Party stated:
‘Personal data processed by a whistle-blowing scheme should be deleted, promptly, and usually within two months of completion of the investigation of the facts alleged in the report.
Such periods would be different when legal proceedings or disciplinary measures are initiated against the incriminated person or the whistle-blower in cases of false or slanderous declaration. In such cases, personal data should be kept until the conclusion of these proceedings and the period allowed for any appeal. Such retention periods will be determined by the law of each Member State.
Personal data relating to alerts found to be unsubstantiated by the entity in charge of processing the alert should be deleted without delay.’
Understanding differing whistleblowing-related data retention periods
Not surprisingly, variations of these requirements made their way into some (but not all) EU Member State legislation. For example, France’s data deletion regulations state that:
‘Data relating to a report (‘alert’) found to be unsubstantiated by the entity in charge of processing such reports must be deleted immediately.
Data pertaining to a given report and reporting of facts giving rise to an investigation (or ‘verification’) must not be stored beyond two months, unless a disciplinary procedure or legal proceedings are initiated against the person incriminated in the report or the author of an abusive/false alert. In that case, data must be deleted at the end of the procedure/proceedings’
France’s regulation is just one example; such country-specific variations are what make adhering to data-related laws so difficult for many organizations that operate throughout the EU and elsewhere. Even in a post-GDPR world, many of these regulations are still in effect. Additionally, some countries have established broad whistleblower report retention periods that include:
- Zero if the case is unsubstantiated
- 30 days or 2 months if there is an investigation
- Only until the investigation/disciplinary process is concluded
- 6/7 years if criminal proceedings are involved
However, compliance professionals must also recognize that employer data retention periods in relation to certain issues are currently much longer. Typical examples of HR-related data retention guidelines include:
- Data held on HR System: Date of Employee Termination + 6 years
- Disciplinary Records: Date of Employee Termination + 1 year
- Declaration of Outside Employment: Date of Employee Termination + 4 years
- Grievance Records: Date of Employee Termination + 1 year
Prematurely deleting or redacting important data can have widespread implications for whistleblower hotlines, as we’ll discuss next.
The missing piece: whistleblower retaliation
Crucially, the established whistleblower report retention periods above don’t take retaliation, follow-up reports, and linked reports into consideration. This is clearly a problem, and research consistently shows that:
- Nearly 80% of retaliation occurs within three weeks of a report being made.
- Over 90% of retaliation occurs within six months, often when the reporter is retaliated against through the annual review, pay or bonus process.
Under the whistleblower report retention periods we just covered, all details of the original case would have been deleted by the six-month mark.
Ironically, had the reporter made the same report through his/her employer’s grievance process, that information would have been statutorily retained. Crucially, deleting a case early could result in an employer not being able to satisfactorily discharge their Duty of Care responsibilities.
Analyzing whistleblower reporting ‘lag’
To analyze and demonstrate the implications of these issues, I’ve previously assessed the delays between an incident occurring and it being reported via the whistleblower hotline.
Each time, the analysis results in a long-tail distribution with some incidents (usually sexual or abuse-related) not being reported for 11 or 12 months, sometimes more. Reporters may take time to reflect, gain confidence, seek counsel, overcome their trauma or only be triggered into action by subsequent issues. Additionally, they may decide to report only when they or the implicated party has moved on, wider organizational developments have changed reporting relationships, or their job is under threat.
Clearly, it may take three or four cases to establish a pattern of issues. Unfortunately, those cases could have been lost to deletion before the pattern is fully established.
Timelines for data retention and/or deletion under the GDPR
The GDPR doesn’t specify timescales for data retention and/or deletion (referred to as erasure). However, what Article 5(e) of the GDPR does require is that data is not kept longer than is necessary for the purposes for which the personal data was obtained and processed.
There are some circumstances where personal data may be stored for longer periods, including archiving purposes in the public interest. But, overall, the GDPR emphasizes data minimization, both in terms of the volume of data stored and how long it is retained. This is a contrast to how employee data is most often handled, with organizations collecting as much of it as possible.
Clearly, we need to take data minimization seriously, but how can that be accomplished while still meeting our Duty of Care responsibilities?
How can compliance professionals meet varying data retention requirements?
Post-GDPR, many EU Member State whistleblower-related requirements will remain, at least for now, particularly given that some have their origins back in World War II. Clearly, the challenge of consistently meeting these varying data retention requirements should not be underestimated. This is a particularly important consideration when multiple international jurisdictions are involved, since there is relatively little consistency across the EU regarding whistleblower hotline report data retention.
As previously highlighted, there is a crucial balance to be struck between Data Privacy law and an employer’s ability to discharge their Duty of Care to their employees, including effective utilization of a whistleblower hotline capability. Moreover, the same employee issue reported via a grievance procedure and the whistleblower hotline has the potential to be treated very differently in data retention terms.
Data management solutions related to whistleblowing reports
In preparation for the GDPR, Convercent has developed a capability that lets customers selectively redact their whistleblower hotline reports. Customers can now manage redaction within cases independently, and without incurring an additional cost. This isn’t necessarily an industry standard; other software companies tend to impose additional costs on customers for these capabilities and their use.
However, remember that redaction of any type has some complexities. For example, successful anonymization of reports can hinge on factors such as the number of employees in a location, and there is no one-size-fits-all approach. Nonetheless, this capability is comprehensive, and also incorporates the necessary process protocols, controls and safeguards. Another benefit of redaction is the ability to retain attributes of a report for analytics and insights.
To achieve a balance between data privacy and Duty of Care, one approach would be to establish a single, consistent company policy based on whether a report:
- results in disciplinary proceedings,
- results in judicial proceedings, or
- falls under special ‘legitimate interest’ exceptions.
Then, operate according to that policy, which evidences a considered, demonstrable, structured and compliant process.
You can learn more about Convercent’s GDPR-specific capabilities, including redaction, here. We recognize that this is a complicated topic; I welcome you to reach out with any questions or concerns.