Implementing a global corporate whistleblowing policy: data protection issues
Produced in partnership with Pulina Whitaker and Lee Harding of Morgan, Lewis & Bockius LLP

The following Employment guidance note, produced in partnership with Pulina Whitaker and Lee Harding of Morgan, Lewis & Bockius LLP, provides comprehensive and up-to-date legal information covering:

  • Implementing a global corporate whistleblowing policy: data protection issues
  • Corporate whistleblowing requirements
  • EU data protection law approach to whistleblowing
  • Exporting personal data
  • Other EU regulatory issues
  • Guidance from the Article 29 Working Party
  • Whistleblowing and data protection compliance strategy
  • Why data protection issues matter in whistleblowing policies

Companies must find a reliable method of identifying and correcting any unlawful or unethical conduct that occurs within their organisations in order to achieve effective corporate governance. In part, this objective can be achieved through the establishment of internal whistleblowing schemes, providing employees with a trusted and confidential mechanism for reporting misconduct.

Globally, there is an increasing trend for national legislation to require companies to establish internal financial control procedures—these are often implemented by way of whistleblowing schemes. The US still leads the way in providing strong standards for internal reporting and investigation of potential wrongdoing under the Sarbanes-Oxley Act 2002 (SOX). For a US-regulated multi-national company, it can be difficult to create a consistent corporate whistleblowing scheme in all of the countries in which it operates. Further, in Europe, there is a need for organisations to balance their corporate governance objectives against the need to safeguard the privacy rights of those persons identified as a result of the operation of their whistleblowing scheme, particularly where reports under the scheme are made on an anonymous basis.

The introduction of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) in the EU, has made privacy rights even more stringent, increasing the need to carry out whistleblowing procedures with careful internal checks and controls.

Corporate whistleblowing requirements

A company that operates in several jurisdictions