A web-based software de canal de denuncias allows a whistleblower to submit a breach report digitally, anonymously or confidentially. A browser and an intact Internet connection are required.
The so-called SaaS (Software as a Service) is cloud-based, does not require installation on the company’s end devices and enables simple and fast implementation. Further advantages are the reduced IT administration effort, as no own servers have to be operated and updates installed. The software ensures device- and location-independent access at all times. Data centres certified to the ISO 27001 standard guarantee data security through a professional IT security management system. Storage space can be expanded at any time. If requirements change, adjustments can be made to the software.
The high degree of flexibility, data security and protection of in-house IT resources make SaaS very attractive to companies and public authorities.
DISS-CO’s web-based whistleblowing system is a secure solution with many selectable modules, integrations and customisation options. The whistleblower software, which can also be used as complaint management software, offers dashboards and intuitive case management that store sensitive personal and case-related data centrally, is GDPR compliant and unmanipulable. Encrypted communication allows further information to be obtained from the whistleblower, who can choose between anonymous and confidential reporting. The anonymity of the whistleblowing system is essential and builds trust. By removing the metadata of the file attachments, the whistleblower system ensures technical anonymisation. Internal communication, as well as communication with advisors can also take place exclusively on the platform in encrypted form. This reduces the risk of data leakage. An individual authorisation concept can be used to regulate access within the organisation. If the internal reporting office is wholly or partially outsourced, external personnel have access to the information via an authorisation concept. Persons assisting in investigating a case can easily and quickly obtain permit for task management without having to view the entire case. This allows the person responsible for the case to maintain an overview of the tasks at all times and to define deadlines and dependencies. In addition, a Kanban board provides an overview of the status of pending and ongoing tasks. For audit security, all information is recorded and cannot be changed until the final deletion of the entire case. The software also reminds of the legal deadlines.
El tratamiento centralizado, seguro e inmanipulable de la información en relación con una comunicación segura, respetando al mismo tiempo el anonimato de la persona que facilita la información, permite una tramitación eficaz de los expedientes.
Many companies still provide a general e-mail address for reporting violations.
Si la persona que da el chivatazo quiere permanecer en el anonimato, no hay forma de evitar una cuenta de correo electrónico anónima. Crear una cuenta de correo electrónico con un proveedor de correo privado es muy fácil y gratuito hoy en día. Sin embargo, este método tiene varias desventajas y riesgos.
The e-mails are usually unencrypted, which creates a security risk for the company. In addition, employees are practically forced to transmit internal company information via a private e-mail provider. The sensitive information could be tapped during transmission or afterwards. The usual US e-mail providers, such as Google and Yahoo, transmit the data to servers in the US or elsewhere, or to subcontractors or affiliates, who in turn process and transmit information to their subcontractors and affiliates. For users, the strand of data processing is not transparent. If, for example, US authorities are involved in external investigations, the providers are obliged to cooperate and must transmit the information and e-mails to the authorities. The data subjects are not informed about the transfer. In both cases, the consequence is that sensitive internal company information is passed on and processed in an uncontrolled manner.
Employees also sometimes use their private devices, depending on the structure and IT policies of the company. Either because they do not need end devices such as laptops and smartphones for their work or because there is a bring-your-own policy or the use of private end devices for company purposes is not regulated. This poses a high risk for the data subject. In the past, there have repeatedly been whistleblower cases with criminal consequences for the whistleblower due to the transfer of company information into the private sphere. The data was transferred either physically or digitally for the purpose of transmission to external reporting bodies or to the press from the company environment, sometimes after the person suffered reprisals due to an internal report. It is not relevant whether, for example, one or more file folders are physically transferred or the data is transferred digitally to external storage media or by e-mail. What is relevant is the transfer itself. In addition, the scope of the transferred data is relevant.
Las transmisiones de datos a través de los dispositivos finales de la empresa y desde la red de la empresa pueden rastrearse utilizando varios métodos. Esto puede revelar la identidad del informador anónimo. Más seguro es el uso del software de alerta por Internet Smart Intergity Platfom por parte de DISS-CO y la aplicación de las directrices asociadas, que, entre otras cosas, prohíben el seguimiento del uso de la URL específica por parte de TI.
If file attachments are attached to the report, the identity of the whistleblower can be identified via the metadata. The metadata is attached to each file and provides information about the author, the users and the history of the file. If the whistleblower is skilled enough to remove the metadata him/herself, the information cannot be traced. We know from practice that only a small percentage of people who usually report whistleblowing have the technical knowledge or are willing to read up on it in detail. Therefore, DISS-CO’s whistleblowing software automatically removes the metadata from anonymous reports.
In addition, for security reasons, some companies have so-called data loss prevention (DLP) tools in place that can record and monitor all actions. DLP tools can be used preventively to avoid data theft, but they are also very suitable for employee monitoring and can endanger the anonymity of the whistleblower. Whistleblowers are well advised to inform themselves in advance about the use of DLP tools if they wish to use the whistleblowing system for anonymous reporting.
Using an e-mail address as an internal whistleblowing channel offers many risks for the company and the denunciante. Sensitive information within the company is processed and forwarded externally in an uncontrolled manner, could be misused and cause financial and reputational damage. The possible negative consequences for the whistleblower reduce trust in the whistleblowing system, which leads to lower use of the whistleblowing system. This in turn leads to violations going undetected for longer.
By implementing a secure web-based whistleblowing system such as DISS-CO’s Smart Integrity Platform, companies and authorities can provide security to whistleblowers and uncover risks at an early stage.
Book a free demo now and get advice from our experts.
