What does the new directive mean for companies and cyber security service providers?
The topic of whistleblowing has been especially prevalent since the summer of 2013. At that time, the now former US intelligence employee Edward Snowden triggered a worldwide scandal with his publications and plunged the CIA, FBI and NSA into a crisis. In those publications, the American impressively documented not only which data are collected and what these data are used for, but also the paths by which the data reached the respective servers. Because of this, the term "whistleblowing" has a negative connotation - so why is the EU calling a new directive the "Whistleblowing Directive"?
Even though the term is negatively charged, it best describes what the directive is intended to do. Employees should be able to report data breaches anonymously and without fear of consequences. Such breaches, or even thefts, not only have legal consequences but also damage the company's image. Our Supervisory Board Chairwoman Edith Krüger is more than "just good" at dealing with the legal consequences, so she was happy to take the time to explain the new EU directive and to shed light on other aspects and topics as well.
Which obligations does the Whistleblowing Directive impose on companies?
To start with, an overview: companies with more than 50 employees, as well as legal entities in the public sector and municipalities with a population of 10,000 or more, will be obliged to set up an internal whistleblowing system in the future. Companies with 250 or more employees must comply with this requirement by December 17, 2021, and companies with between 50 and 249 employees by December 17, 2023. This is required by the European Union's Whistleblower Directive, which came into force in December 2019 and has yet to be transposed into national law by German lawmakers. The Whistleblowing Directive marks a significant change in corporate practice, as obligated parties no longer only have to report wrongdoing internally. The new directive requires all obligated parties to provide a reporting channel that complies with the directive - for example, an online platform through which reports can be submitted and processed securely, anonymously and confidentially in accordance with the directive. This will give whistleblowers significantly better protection against disadvantages such as dismissal or transfer. However, it will also mean considerably more work for the obligated parties.
How cyber security and data protection intertwine
The whistleblower system is intended to ensure that compliance risks and violations are identified at an early stage through anonymous tips from so-called whistleblowers. This only works if the identity of the whistleblower can remain secret. This is where data protection comes into play: no matter how a company implements its whistleblower system, the personal data about the whistleblower is particularly sensitive and must therefore be protected especially well. Under the directive, cyber security cannot be implemented without data protection.
Gaining from data protection and cyber security working together
Structured compliance management provides competitive advantages: customers often award larger contracts only if an appropriate management system is in place. Processes and methods already implemented for data protection (keyword: TOM, the technical and organisational measures required by the GDPR) can be reused in other compliance areas, such as information security. Because one thing is clear: strong data protection measures protect whistleblowers - a legal requirement of the Whistleblower Directive. The risk of compliance violations also depends on the type of technologies used and the degree of networking. Those responsible in the companies have recognized this as well and assess the level of risk of their technologies accordingly.
However, digitalization not only poses challenges for compliance but also offers new opportunities to counter potential compliance risks: Krüger Law Firm offers the complete solution - legally compliant and practicable. Our whistleblowing system provides companies with a platform through which they can easily and quickly meet the requirements of the Whistleblowing Directive. We also fully support the system as their external compliance officer, with many years of experience in data protection and compliance.
Questions for Edith Krüger, lawyer and chairwoman of the supervisory board of QUANTUM cyber lab AG
What challenges do you see for companies as a result of the directive?
Small and large companies with 50 or more employees, public sector institutions, public authorities as well as municipalities with 10,000 or more inhabitants will have to provide secure internal reporting channels for whistleblowers throughout the EU in the future. For companies with 250 or more employees, this obligation will already apply at the end of 2021; for companies with between 50 and 250 employees, there is a transition period of another two years. Whistleblowers are to be given the option of submitting reports either in writing via an online system, a mailbox or by post and/or verbally via a telephone hotline or answering system. If requested by the whistleblower, a face-to-face meeting shall also be made possible. In all reporting channels, the confidentiality of the whistleblower must be protected.
Within the company, the "most appropriate" person to receive and follow up on reports should be designated. According to the EU, this could be: compliance officer, human resources manager, legal counsel, chief financial officer, member of the board of directors or senior management - absolute confidentiality is essential. Companies can also outsource the handling of whistleblowing, for example to a lawyer. There are various deadlines to be observed and the processing must be carried out in a targeted manner. Otherwise, there is a risk of fines. Many medium-sized companies are overburdened with the requirements because it is not part of their daily work routine - moreover, statistical studies have shown that approximately 1 report is made per 100 employees per month. Thus, it is simply not worthwhile to employ one person completely for this activity. However, if the processing is only done "on the side", the owner of the company runs the risk that the requirements will not be met.
In addition to data protection aspects, do cyber security issues also play a role?
All personal data, both that of the whistleblower and of any accused persons, may only be processed in compliance with the GDPR. In addition, all reports received must be stored securely so that they can be used as evidence if necessary. This means that, especially with regard to very sensitive topics such as tax fraud or the like, it must be ensured that evidence is available and secure. Protective measures are therefore necessary in any case - especially for IT security reasons.
Why is implementation so important and how can the requirements be implemented easily and correctly?
Implementation is not debatable. The directive must be transposed into national law, and until then the directive applies directly. In this respect, there is no choice. In my opinion, it makes sense to commission an external body; this way, costs and risks can be minimized. A simple and practicable solution for handling incoming reports is an online-based tool. The messages can then be processed internally or externally - as already described.
As you have certainly noticed, the new EU directive sets up a number of hurdles in the area of data protection and cyber security. Of course, the goal of all this is to integrate data protection even more deeply into companies and to make people more aware of the topic. If you have further questions about the Whistleblowing Directive, need help with its implementation or have questions about our other services, please contact our team today. We will be happy to provide you with honest, no-obligation advice.