Several organisations have considered the effect of GDPR in the context of whistleblowing and the steps required to investigate claims, but what are the implications when a whistleblower doesn’t follow set procedures and decides to take matters into their own hands?

Under GDPR the responsibilities of data processors has been expanded. Previously, the Data Protection Directive only held data controllers accountable for securing data. GDPR Article 4 defines data controllers as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

Now data processors, defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”, will also be liable for the security of personal data.

This stricter accountability raises questions over the implications and ramifications for organisations of not adequately protecting data. It’s feasible that if a whistleblower chooses to expose an organisation by placing data into the hands of a national newspaper or publishing it on Wikileaks that the responsibility for that data changes too.

If an employee was able to remove data easily, regulators would be justified in deeming that person to be a data processor on the basis that they had access to process personal data. Currently GDPR fines are levied at organisations, but in just the same way there is growing move to make individuals responsible in regulatory compliance, it’s likely that GDPR will eventually go the same way.

While few newspapers would arbitrarily print a list of personal details unless it was considered in the public interest, they are now processing that data. While that data is in their care it seems only fair that they shoulder some of the responsibility for securing it. At the same time, what responsibility and/or penalties would the original source of this leaked data be subject to when the information is exposed publicly by a third party?

Similar situations will also arise with insider trading. Recent scandals have shown that it’s not always a case of a couple of individuals sharing illicit information, but widespread collusion between organisations. If firm A handed over information to firm B and firm B lost that information in a hacker attack, criminal charges and potential fines aside, who is responsible for that data?

It’s worth noting that in the recent case of Various Claimants v Wm Morrisons Supermarket PLC, where a disgruntled senior IT auditor posted personal employee information online, Morrisons was still found responsible through vicarious liability.

The challenge that companies face today is compounded by the sheer volume of data they consume and generate. Step one in mitigating the risk is to identify what is actually valuable by turning data into information. Once you know where your most sensitive and valuable information is stored, step two is to put the appropriate controls around the information: Information needs to be protected; it needs to be retained for the appropriate amount of time; and it needs to have relevant compliance controls put in place. Step three is education. Ensure your employees are aware of their rights with regards to whistleblowing and that they are aware of the correct procedures to follow. 

Whether or not a court of law would take a different stance on a whistleblower not following normal procedures remains to be seen. However, if there has ever been a need to highlight the importance of protecting data from internal misuse, GDPR is the wake-up call.