Reason 1: Your data is exposed to security and data protection risks
When a whistleblower reports potential misconduct, sensitive personal data is captured. However, email does not have any encryption mechanism. This makes it possible for unauthorized parties to not only read sent emails, but also to change them. As a result, neither the transmission, nor the processing of reports, is audit-proof and the integrity of the data is at risk. This may invalidate information used for internal and external investigations. In addition, GDPR compliance cannot be guaranteed, as data security requirements (article 32) are not fulfilled. GDPR requires that sensitive information be stored in high-security data centers, which is difficult to achieve with email.
Reason 2: Your employees may not trust an email whistleblower reporting system
Gaining the trust of potential whistleblowers is critical to ensuring that relevant reports are submitted. For this reason, employees must be 100% confident in the security of the system and the manner in which reports are processed. If not, potential whistleblowers will be much less likely to speak up internally and may even turn to the authorities or media. A study conducted by EQS Group and the University of Applied Sciences HTW Chur has shown that organizations with a specialized reporting channel, such as a digital whistleblowing system, are more likely to receive relevant reports than companies with more simple reporting channels, such as a whistleblower email address. Furthermore, the study showed that having the ability to report misconduct confidentially or anonymously significantly increases the likelihood that an employee will use a whistleblowing system.
Reason 3: Email doesn’t allow for efficient case processing
In addition to data security and employee trust, ease of processing reports is another factor that should be considered when choosing a whistleblowing system. With an email-based system, all of the data that is received will need to be logged manually in the case management system. Furthermore, there may not be a case management system at all, resulting in inefficient case reviews. This also means that it is almost impossible to effectively investigate an incident, and often whistleblowers don’t receive sufficient feedback on their submitted report, or in some cases, no feedback at all.
Alternative to an email-based whistleblowing system
As we have seen, there are some potential disadvantages to using non-specialised whistleblowing systems. For that reason, it’s worth considering the alternatives such as introducing a digital whistleblowing system which is currently considered best practice. With this method, all communications with the whistleblower are encrypted and stored in high-security data centers, making it easy to meet the legal requirements regarding data protection and data security.
Digital systems also foster more trust from employees, resulting in higher rates of workers reporting compliance-relevant irregularities without fear of retaliation. Reports can also be submitted confidentially or anonymously, if preferred. An integrated case management area allows you to process incoming cases efficiently and gives you a detailed overview of all existing cases and their status.
In recent years, the weaknesses of the telephone hotline for whistleblowing have become more apparent and this medium functions best as part of an integrated digital whistleblowing system. The same principle goes for email and it can be leveraged most effectively as one element of a wider whistleblowing solution. This allows compliance teams to handle reports from multiple channels in one place with substantially higher security standards while keeping the entire digital system compliant with legislation such as the GDPR and the EU Whistleblowing Directive.
Guide to the Introduction of Whistleblowing Systems
How to successfully implement a whistleblowing system in your organisation.