Investigations are, by nature, often intrusive and covert. So what is an investigator to do when the GDPR requires that you are transparent and explicit?
Many companies worry about how the GDPR affects their internal investigations. They fear that the GDPR makes investigating significantly riskier. Plus, make the wrong move and your organization could be fined up to €20m (or four per cent of worldwide annual turnover, whichever is higher).
So, to help you navigate the relatively new world of the GDPR regulations, this article covers the main impacts that the GDPR has had on internal investigations.
Still unsure if your company is compliant? Use our GDPR Compliance Checklist as a roadmap to make sure you’re checking all the GDPR compliance boxes.
One of the primary changes of the GDPR deals with consent.
Why is explicit consent a problem? Well, when you’re conducting an internal investigation, it’s not always possible or wise to inform the subject. It’s not sensible to ask someone who has been accused of bribery if you can collect their personal information for an investigation.
If the GDPR expects you to be transparent by obtaining explicit consent, but your line of work requires you to be discreet, how do you proceed?
Robert Bond, a Partner and Notary Public at Charles Russell Speechlys LLP, recommends making sure your employment contracts and employee handbook are transparent enough. Be clear that you reserve the right to search emails on corporate devices and the network server.
In fact, go a step further, advises law firm Osborne Clarke. The consent must be distinguishable from other matters and communicated in an intelligible, accessible form. It “should not ‘sit’ within the employment contract”.
Navigating Another Law
There are several myths regarding the GDPR that can affect internal investigations.
The first myth, says Bond, is that the GDPR eclipses all other laws. The provisions contained in the GDPR do not always supersede a company’s rights. There may be legal or administrative grounds permitting you to carry out data processing during an investigation.
The second myth is that employees have absolute rights under the GDPR. Like the first myth, it is true that the GDPR awards strong rights to individuals, but they are not absolute. Other laws may allow you to legally collect information about the subject without consent, bypassing their GDPR rights, for example.
Identifying a Legitimate Interest
Under the GDPR, it’s essential to identify a legitimate interest to conduct an investigation. This means that prior to conducting your investigation, you must conduct a “legitimate interest assessment”.
A legitimate interest is typically a reasonable suspicion of misconduct based on specific facts. The interest can be those of your organization or of a third party. Any data processing that occurs must be justifiable and necessary to achieve the legitimate interest.
In other words, says Bond, the company must “balance the legitimate interests of the company against those of the data subject” and collect minimal information.
Greater Process and Consistency
The GDPR is another law in an already-long list of laws that define the rules and requirements of your internal investigations, so it will also impact how you plan and document your internal investigations.
Case management software can help you align with data privacy and documentation requirements. Learn more about using software for investigations in our eBook.
Therefore, it’s important to create a proper process for investigations when the GDPR applies. Place greater importance on documentation and do not collect more personal data than is necessary.
The New Normal
Since its implementation in the EU, countries around the world, including Turkey, Japan, Singapore and South Korea, have begun adopting similar laws. In the US, all eyes are on the California Consumer Privacy Act (CCPA).
This means that for investigators and compliance officers there is more than the GDPR to be concerned about. Multinational companies need to stay on top of data privacy laws around the world.