About Board and Fraud

Board and Fraud is a blog that aims to bring a practical approach to issues facing the board of directors and the audit committee specifically in the area of governance, risk management, compliance, and internal audit, with a strong focus on fraud, ethics, and internal controls.

How GDPR Could Impact Whistleblowers and the Ethics Hotline

Love it or hate it, from what I have experienced and read, whistleblowers and their “tips” are one of the most important, if not the most important, sources for uncovering fraud in organizations. This is supported by the Association of Certified Fraud Examiners (ACFE), whose findings I highlight below. Building on this theme, there have been some developments in 2018 that the general counsel’s office, compliance, internal audit professionals, and the like need to understand and consider.

The Figure below from the ACFE shows that the leading detection methods for fraud are tips, internal audit, and management review. This finding is not surprising, as these have been the three most common means of detecting occupational fraud in every edition of the report since 2010. Collectively, these three detection methods were cited in 68% of the cases in the ACFE’s current study.

Tips were by far the most common means of detection at 40% of cases—more than internal audit (15%) and management review (13%) combined.


On February 21, 2018, Justice Ruth Bader Ginsburg delivered the unanimous opinion of the Court, which held that the anti-retaliation provisions of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act do not extend to employees who have reported only internally; they extend solely to employees who have reported suspected securities law violations to the Securities and Exchange Commission. The decision reversed the 9th Circuit.

On March 19, 2018, the Securities and Exchange Commission announced its highest-ever Dodd-Frank whistleblower awards, with two whistleblowers sharing a nearly $50 million award and a third whistleblower receiving more than $33 million. The previous high was a $30 million award in 2014. Jane Norberg, Chief of the SEC’s Office of the Whistleblower, said, “These awards demonstrate that whistleblowers can provide the SEC with incredibly significant information that enables us to pursue and remedy serious violations that might otherwise go unnoticed.”

On May 25, 2018, the European Union’s General Data Protection Regulation, or GDPR, took effect and will have major implications for organizations with connections to Europe. I will focus on how GDPR could impact the whistleblower hotline, which in most instances contains sensitive personal data or information.

Overview of GDPR

The GDPR could affect almost every U.S. consumer goods and services company, and plenty of other organizations, that do business in the EU.

GDPR is designed to protect an individual’s right to control the use of his or her personal data and is broadly drafted to apply to a wide range of personal data on any natural person, regardless of his or her nationality.

Under GDPR, personal data includes, but is not limited to, customer data, such as dates of birth, mailing addresses, IP addresses, product purchases, payment information, supplier data, and employee data. Personal data also includes “sensitive data,” such as health information and information on race and sexual orientation.

GDPR requirements for subject access rights are similar to many data privacy directives in place today. The GDPR has two key additions: the right to be forgotten (or erasure) and the right for an individual to port his or her data to a new vendor or platform.

GDPR does create some uncertainty when it comes to the data collected and recorded in whistleblower or ethics hotlines, which capture allegations of wrongdoing or tips from internal and external sources.

Individuals have new or expanded rights, including the ability to see information held about themselves, find out its source, or demand that it be deleted.

Under Article 15, the data subject (the individual) has the right to obtain confirmation as to whether their personal data is being processed and, if so, to have access to the following information:

  • the purpose of processing
  • categories of personal data concerned
  • recipients of the data
  • the envisaged period for which the personal data will be stored or the criteria used to determine that period
  • the existence of the right to rectification (Article 16) or to erasure, the right to be forgotten (Article 17)
  • the right to lodge a complaint with a supervisory authority, and
  • where the personal data is not collected from the data subject, any information held as to its source.

Personal data included within the whistleblowing process might include –

  • personal data of the whistleblower submitting the report, in case it hasn’t been submitted anonymously, and/or
  • personal data of third parties shared by the whistleblower in the report.

How GDPR will be enforced remains to be seen. Organizations might be placed in a situation where they will have to weigh an individual’s right to privacy against the organization’s decision to conduct an investigation.

Furthermore, where an allegation raised by a whistleblower turns out to be baseless, the subject of the claim could ask that their employer delete its record of the case, on the basis that the company no longer needs to hold that data; more likely than not, the organization will have to comply.

According to the regulation, organizations can process an individual’s data even without their consent in order to comply with a legal obligation, in the public interest, or in pursuit of their own “legitimate interests,” among other instances.

Twenty-eight (28) national agencies will be in charge of enforcement. The EU member states, which will probably be most affected by the GDPR, are:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

The regulation allows each country to spell out how the rules will work within its borders on a variety of fronts. The national systems are expected to be similar, but differences are likely, leaving it unclear what organizations can expect.

A further complication is that much of the data handling covered by GDPR relates to staff, whose treatment is subject to separate national requirements.

Another area of uncertainty is what penalties organizations should expect for which types of noncompliance, and which areas the authorities will focus on.

Organizations that process personal data without consent could be fined as much as 4% of annual revenue or €20 million ($23.3 million), whichever is higher, but national data-protection agencies can also simply scold an organization for lesser violations.

Practitioners will be watching the first few enforcement actions closely to see how the national regulators react to noncompliance.

Visit other relevant thought leadership pieces – Why GDPR Matters, Tipsters Not Trusting the System, and A ticking time bomb? Whistleblowing In Organizations Today.

I welcome your thoughts and comments on this subject.

  • ACFE
  • WSJ
  • FCPA Blog
  • CFO.com – Why GDPR Matters