Where Should Your Organization’s Data About Whistleblowing Be Hosted?
When it comes to whistleblowing, there is no doubt that sensitive and personal information is exchanged between the whistleblower and the organization. To ensure data protection around whistleblowing, it is critical to consider the technical and organizational measures of your reporting system. In this article, we explore which aspects of data hosting to look out for and which best practices mitigate risks and ensure compliance.
Whistleblowing processes and data protection
Whether a whistleblower’s report is anonymous or not, various personal pieces of information are disclosed: about the author of the report, witnesses, the person reported, or any other party mentioned in the report.
Organizations are required to protect the personal data of whistleblowers and the content of their reports. They also need to remain compliant with the different local regulations.
It is therefore critical to carefully identify your specific data protection requirements when selecting a whistleblowing solution.
Data residency, data sovereignty, and data localization
When discussing hosting solutions, it helps to understand the following terms so that you can identify the option best suited to your organization:
- Data Residency
The first and least restrictive concept is data residency, where an entity simply specifies the geographical location where it stores its data.
- Data Sovereignty
Data sovereignty is a more restrictive concept. It represents the idea that data is subject to the nation’s laws where it is collected, processed, and stored. This means that businesses have to comply with local data protection laws to avoid getting fined by the government.
- Data Localization
Data localization is the most restrictive concept of the three. While data residency gives organizations a choice of the geographical location where their data is stored, data localization requires that business data be kept within the borders of a country.
The concept covers both where the data is created and where it is stored. Note that some countries with data localization laws require only that a copy of the data be kept within the country, rather than all processing and storage.
There are important criteria to consider when choosing a whistleblowing solution:
- do the data hosting options ensure full security and confidentiality (Cloud Act, etc.)?
- are the data hosting options compliant with the local legal requirements in countries where potential whistleblowers can report?
- is your solution provider able to easily provide new data hosting options if legal requirements evolve in the future?
Whispli offers data localization for clients, with either single-tenant or multi-tenant options. Further security can be added on top of localized hosting, including encryption key management or Single Sign-On. With these security standards in place, compliance with restrictive data-security legislation such as the PIPL in China, data sovereignty requirements in Russia, or the GDPR in the EU can be met.
Staying in control of your data by choosing a local hosting solution
Cloud-based hosting is not perfect, and some risks need to be considered before trusting a provider with your sensitive information. Two risks are prevalent regarding whistleblowing processes: leaks during data transfer, and loss of control due to the cloud provider’s specific regulations.
For both risks, preferring a local hosting solution can mitigate or prevent data security breaches.
Data transfers between servers can happen for several reasons: allocating a report to the relevant person in the organization, translating a report through a third-party translation tool, or seeking external input during an investigation for instance.
Transferring data increases the risk of leaks, so it's best to ensure that personal information and sensitive data remain in a single place as much as possible. By choosing a local data hosting solution, you considerably reduce the need for transfers. For an extra level of security, Whispli clients can choose their own encryption keys to maintain full control of their data. Whispli cannot access this data at any time, and it is never shared with third parties, including for translation: translation is performed with on-site translation technology, so the data does not pass through another server.
A local data hosting solution also helps prevent undesired access to your data. Even when you choose the geographical location of your data, the cloud provider remains subject to its own jurisdiction's regulations regarding data access. This is the case, for example, with the US CLOUD Act, which conflicts with GDPR requirements. If your organization has activities in the EU, hosting your whistleblowing system on a European cloud such as Scaleway prevents this type of risk while meeting your local compliance and security requirements.
Ensuring data security in the long term
While personal data protection will remain a constant requirement for whistleblowing processes, your organization is bound to evolve, as is the legal framework with which you need to comply.
Whispli adapts to its clients' requirements, not the other way around. Security is at the center of our priorities, and the choice of hosting provider, as well as the number of add-ons for higher levels of security, is entirely up to the client. We offer the highest standards of security through certifications and continuous audits of our processes. A scalable platform follows the evolution of your organization's needs as it grows.