Pillars of a Roman justice building symbolising the need for effective legal compliance, iBlow.eu article

Compliance: Yes or No?

Pillars of a Roman justice building symbolising the need for effective legal compliance, iBlow.eu article
iBlow.eu article detailing the levels of compliance required for companies to be legally compliant with the RGPC or RGPDi, “Compliance: Yes or No?”.

Compliance: Yes or No?

Following on from our previous article entitled “European Whistleblower Protection Directive: Key Requirements for Companies” (click to find out more) as if we were reading this week’s article, following on from the previous one (if you haven’t read it yet, we recommend that you do so in order to better understand the sequence of the contents).

We should read or even fit this article into the sequence of the paragraph entitled “Characteristics of an Effective Reporting Channel:”.

In order to continue, detailing the point raised in the previous article, we thought it best to explain what these terms, in the context of legal compliance with these European directives, mean with regard to the functionalities that we should demand in the solutions we have chosen or will choose.

Just Give the Right Access?

In other words, in order to guarantee the confidentiality and security of these report channel management applications, one of the main points to analyse will be the need for very tight access control.

These should be kept to a minimum and not allow undue access – anyone outside the role of the person responsible for handling each report cannot have access to them and to the identification (direct or indirect) of the whistleblowers.

Let’s go through a few examples, showing that, in addition to the high levels of security of encrypted information, unauthorised access is not always due to external attacks on infrastructures, applications or databases.

Why is this?

This is because access to these applications and their databases is carried out by teams of IT staff, one or more of whom are internal or external to the organisation, or even support technicians who can easily connive in requests to identify sensitive information or whistleblower IDs, manipulate data to favour the internal interests of one of those targeted in certain reports, etc… the risk of undue access or data breaches by unauthorised personnel has been consummated.

If these or other breaches occur, of non restricted access, not reserved for those who really need to have access – those responsible for report processing (on a “need to know basis”), as this will drastically reduce confidentiality and security, which are sometimes so promised but not guaranteed.

This drastically reduces the legality of the whole process because it exposes data that the law is supposed to protect – highlighting various legal non-compliances on the part of the organisations that make these choices, from the point of view of legal compliance, the least appropriate!

Multiple Non-Compliance Scenarios

We have a huge range of options in current use in the market, by various entities that think they can and should use the ways they think are the most appropriate, thinking that the compliance result is achieved in any of these ways – because it isn’t!

Perhaps because of the short investment or probably because they think that they can achieve control of all the information in certain ways, when the scenario is internal application development.

Examples of improper tools

Let’s take a look at some of the ways we’ve encountered platforms for managing whistleblowing channels, or often just for collecting reports of irregularities and little else, or nothing at all.

Despite their goodwill, following the idea that “…it’s better to do something than nothing at all”, they rarely, if ever (at least according to the evaluation of what we have found) enforce the legal regulations in force in these matters of the RGPC or RGPDi.

It’s worth taking a closer look at the benefits lost by using a platform of dubious legal compliance, in our article “Anonymous Reporting Channel: The Advantages for Your Company” (click to find out more) and thus try to balance the scales between what you may have gained (or come to gain) versus what you may have lost (or come to lose) with the decisions made or to be made, respectively.

A simple email or telephone number

Simply providing an email address to collect reports of irregularities, or even a telephone number for this purpose, again does not fulfil the legal requirements, as it does not guarantee any of the privacy, confidentiality, let alone anonymity, that these processes require.

Unless very unusual measures were taken which we have never seen implemented and which would be much more expensive and difficult to maintain or manage.

  • Do they think that the email they provide is secure?
  • It won’t let anyone undeserving have access to its contents?
  • How will they guarantee anonymity?

Apart from the fact that it can be accessed by those who should and those who shouldn’t, internally or externally to the organisation, and is not restricted to the person responsible for handling the report, an email that contains, among many other details, the IP address, with it the location and the exact or approximate/likely user communicating with the organisation in question, once again fails to comply with legal requirements – if you read the law more carefully, you’ll understand that.

Corporate Websites

Hiring internal or external development of corporate websites (regardless of the CMS used: WordPress, Drupal, Joomla, WIX, among many others).

One of the tools we’ve seen countless times on websites acting as a reporting channel is that, in addition to everything else already mentioned, they install an add-on / plug-in called Microsoft Clarity, which we have nothing against on corporate websites, as long as it’s well implemented, which simply records footage of the entire process of accessing and filling in each report… yes, it films the operations carried out by whistleblowers… not at all what is needed to comply with the law;

Web form

We have found multiple reporting channels with simple web forms, either directly on the websites or via google forms (among many other similar forms) collecting information that cannot guarantee either the level of confidentiality or even less the anonymity that whistleblowers will need in order to feel comfortable participating.

Multipurpose applications

It is very important to avoid opting for shared solutions with other functionalities in addition to report channel management, such as: commercial management software, workflow software, ERP’s, among others…

  • These applications are easily configurable to share “undue” information (in this context) between the various database tables, exchanging information on reports or whistleblowers to tables in other modules to facilitate management but complicate legal compliance in the context of these legal regulations.
  • Too many people will have access to the application and its databases, and it will not be easy to maintain and guarantee access control to only those responsible for processing both the content of reports and the data of whistleblowers.

The level of access management restricted to whistleblower data and the report itself is not guaranteed in most of the situations detected…

The existing access management is much broader than it should be, ideally only the person responsible for processing the report should have access to it and, as for the (direct and indirect) data of the person who reported it, if it is anonymous, NO ONE!

How can this be guaranteed?

By guaranteeing that everything complies with unequivocal, clear and well-enforced access management, with meticulous evaluations carried out by application audits that analyse EVERYTHING with a magnifying glass throughout development and by various analyses of the law by various “types” of eyes with multiple types of knowledge.

And of course, we carry out the entire analysis and development process with security as a priority, implementing all the requirements with the eyes of a scrupulous ISO27001 auditor.

Not even cookies, IP addresses or any other data relating to the whistleblower, which may not seem to identify the whistleblower – directly at least – but if it is possible to help identify the whistleblower indirectly with this “piece” of information, then it will be a breach of security, confidentiality and of course it will not guarantee the anonymity of the whistleblower whenever they wish.

If the chosen platform collects or stores any “piece” of information with which it is possible, directly or indirectly, even if only on a technical level, to identify the whistleblower, then it will not be in legal compliance with these regulations.

Who will have access to these reports (from non-compliance scenarios)?

Well, “only” all the professionals who implemented the solution, all those who maintain it, and within the applications there must be (unfortunately much more than less often, there is not enough) reserved access, well-defined for each role (of each type of user) and well-defined what information each one should or should not have access to, because only in this way will the risk of conflicts of interest be reduced and due legal compliance achieved.

    • Have you ever made the wrong decision?
    • If so, the good news is that there’s still time!
    • What should you do?

Ensure both legal compliance, for little more than you did, and many more benefits than you’re benefiting from, ask us how!

See other articles that may be of interest to you.

We hope you enjoyed this article.

Thank you!


Published in: 2024.05.22

Leave a Comment

Your email address will not be published. Required fields are marked *

Add Comment *

Name *

Email *