Minimum data protection checklist on future law on whistleblowing protection

• Assess and understand the future law on whistleblowers’ protection and all areas with (possible) implications thereof, e.g., data protection, employment, corporate governance
• Involve all relevant stakeholders from the beginning of the assessment and keep the management informed
• When budgeting the project, take into consideration the cost for configuring the internal reporting channel to comply with data protection requirements
• Check if there is an internal reporting channel already implemented.

if yes:

• assess the reporting channel against the new requirements and the data protection ones (see below)
• conclude on whether the reporting channel meets the new requirements and the data protection ones and identify the areas that need improvements / further developments

if no:

• assess if the required reporting channel under the future law will be developed internally or if your organization prefers to contract the specialized services of a third party
• in the latter case, conduct a market research, identify the third party whose services correspond to the needs of your organization and start the procurement process

• Assess and establish the essential elements of the processing activities, such as:
  • how and when will the personal data be collected, e.g., whether it is possible to collect the personal data by recorded calls, only be e-mail or through a dedicated platform
  • who are or who could be the individuals whose personal data will be collected (e.g., employees, collaborators, contractual partners)
  • what personal data need to be collected and in what form
  • whether there could be cases for processing special categories of personal data
  • what are the specific purposes for which the personal data will be processed
  • what legal basis apply and (if the case) what safeguard for processing special categories of personal data apply
  • for how long will the personal data need to be stored
  • who shall have access to the personal data (both internal and external), from where (country and method) and under what circumstances
  • if, when and how will the data subjects be informed on the processing of their personal data

• Check the need to and carry out the specific assessments from a data protection perspective, e.g.:
  • data protection impact assessment
  • legitimate interest assessment
  • data transfer assessment
• If a third party will be involved, e.g.,:
  • establish its roles and responsibilities from a data protection perspective
  • conduct a due diligence process to ensure the third party offers sufficient guarantees for protecting the personal data
  • check in which country will the third party store the personal data or access the personal data from
  • begin the negotiation process for concluding the contract
  • agree with the third party mechanism to periodically check the guarantees implemented by the third party for protection the personal data
• Identify / check / implement the necessary measures/ controls to ensure:
  • access to the personal data on a need to know basis
  • confidentiality, availability and integrity of the personal data from the collection date until the deletion, through measures such as:
    • encryption and hashing techniques for storage operations and data transmission
    • back-ups and logs
    • periodical vulnerability and penetration tests
    • training of persons having accessto the personal data
    • data breach drills
  • rectification of the personal data when necessary
  • automatically deletion of the personal data without delay, upon request or upon the expiration of the storage periods
  • restriction of the processing of personal data, except of their storage
  • learning, handling, reporting and learning about security incidents / implement such
  • possibility to generate a copy of the personal data in order to comply with right of access and right to portability