Although the cost of a whistleblower system can be quite low, procuring such a system risks becoming a bit complicated. Procurement of a whistleblower system via a framework agreement will help to secure adequate functionality and define requirements for information security.
Whistleblower system functionality
- Under the new law, organisations need to secure anonymous reporting of misconduct
- Administrators and whistleblowers must be able to correspond anonymously
- The reporting service must be set up with a focus on accessibility and including both oral and written disclosures
- Cases need to be assessed ”independently”. External investigators seem natural, but independence could potentially be achieved by internal staff in some cases. The forthcoming ISO standard on whistleblowing, and best practice, will provide further guidance.
- Routines must take into consideration specific circumstances and risks for the organisation in question.
- To assess cases properly, the right competencies must be secured. These resources may or may not be found within the organisation.
GDPR places high demands on the handling of personal data within the EU. For the handling of sensitive information, it is important to have control over how data is handled and where it is stored. Current developments make, for example, storage in overseas cloud services questionable, as well as storage with US-owned companies.
To achieve maximum benefit with a whistleblower system, it is important to clarify the purpose and set a plan for how the organisation should communicate around the channel.