Rethinking consent: Ensuring GDPR compliance in whistleblowing programs
Consent is not always a stable foundation for whistleblowing systems under GDPR. By relying on legitimate interest, organisations can maintain compliance and encourage more employees to report misconduct confidentially.
When setting up a whistleblowing system, organisations must navigate privacy concerns, especially regarding personal data that a reporter might include in their message or that surfaces during the course of an investigation. Reconciling whistleblowing with GDPR can be challenging, so it is important to approach the two pragmatically.
The issue with consent under GDPR
Article 6 of Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) requires a legal basis for processing personal data. While consent may seem viable, it is unsuitable for whistleblowing systems for three reasons.
Dependency in employer-employee relationship
Consent must be "freely given," yet the employer-employee relationship often implies dependency. Employees may feel pressured to provide consent if asked by their employer.
Revocability of consent
Consent can be withdrawn at any time, which poses a risk to ongoing investigations. If an essential investigation is underway and consent is withdrawn, the entire process is jeopardised.
Impact on whistleblowers
Requiring consent can deter employees from reporting. Imagine an employee wanting to report sexual harassment but being confronted with a consent form. This might discourage them from speaking up or push them to go public, which organisations aim to avoid.
GDPR compliance without consent
Legitimate interest
Instead of consent, base your data processing on the organisation's legitimate interest in detecting and preventing misconduct. This aligns with GDPR while supporting a safe and effective whistleblowing mechanism.
Effective whistleblowing mechanism
Prioritising data protection is important, but the ultimate goal is an effective whistleblowing system. Employees should feel comfortable reporting issues to help organisations identify and address serious misconduct.