A web-based whistleblowing software allows a whistleblower to submit a breach report digitally, anonymously or confidentially. A browser and an intact Internet connection are required.
DISS-CO’s web-based whistleblowing system is a secure solution with many selectable modules, integrations and customisation options. The whistleblower software, which can also be used as complaint management software, offers dashboards and intuitive case management that store sensitive personal and case-related data centrally, is GDPR compliant and unmanipulable. Encrypted communication allows further information to be obtained from the whistleblower, who can choose between anonymous and confidential reporting.
The anonymity of the whistleblowing system is essential and builds trust. By removing the metadata of the file attachments, the whistleblower system ensures technical anonymisation. Internal communication, as well as communication with advisors can also take place exclusively on the platform in encrypted form. This reduces the risk of data leakage. An individual authorisation concept can be used to regulate access within the organisation.
If the internal reporting office is wholly or partially outsourced, external personnel have access to the information via an authorisation concept. Persons assisting in investigating a case can easily and quickly obtain permit for task management without having to view the entire case. This allows the person responsible for the case to maintain an overview of the tasks at all times and to define deadlines and dependencies. In addition, a Kanban board provides an overview of the status of pending and ongoing tasks.
For audit security, all information is recorded and cannot be changed until the final deletion of the entire case. The software also reminds of the legal deadlines.
The central, secure and unmanipulable processing of information in connection with secure communication while respecting the anonymity of the person providing the information enables efficient case processing.
The so-called SaaS (Software as a Service) is cloud-based, does not require installation on the company’s end devices and enables simple and fast implementation. Further advantages are the reduced IT administration effort, as no own servers have to be operated and updates installed. The software ensures device- and location-independent access at all times.
Data centres certified to the ISO 27001 standard guarantee data security through a professional IT security management system. Storage space can be expanded at any time. If requirements change, adjustments can be made to the software.
The high degree of flexibility, data security and protection of in-house IT resources make SaaS very attractive to companies and public authorities.
Many companies still provide a general e-mail address for reporting violations.
If the person providing the tip wants to remain anonymous, there is no way around an anonymous e-mail account. Creating an e-mail account with a private e-mail provider is very easy and free of charge nowadays. However, this method has several disadvantages and risks.
The e-mails are usually unencrypted, which creates a security risk for the company. In addition, employees are practically forced to transmit internal company information via a private e-mail provider. The sensitive information could be tapped during transmission or afterwards.
The usual US e-mail providers, such as Google and Yahoo, transmit the data to servers in the US or elsewhere, or to subcontractors or affiliates, who in turn process and transmit information to their subcontractors and affiliates. For users, the strand of data processing is not transparent. If, for example, US authorities are involved in external investigations, the providers are obliged to cooperate and must transmit the information and e-mails to the authorities. The data subjects are not informed about the transfer. In both cases, the consequence is that sensitive internal company information is passed on and processed in an uncontrolled manner.
Employees also sometimes use their private devices, depending on the structure and IT policies of the company. Either because they do not need end devices such as laptops and smartphones for their work or because there is a bring-your-own policy or the use of private end devices for company purposes is not regulated. This poses a high risk for the data subject. In the past, there have repeatedly been whistleblower cases with criminal consequences for the whistleblower due to the transfer of company information into the private sphere.
The data was transferred either physically or digitally for the purpose of transmission to external reporting bodies or to the press from the company environment, sometimes after the person suffered reprisals due to an internal report. It is not relevant whether, for example, one or more file folders are physically transferred or the data is transferred digitally to external storage media or by e-mail. What is relevant is the transfer itself. In addition, the scope of the transferred data is relevant.
Data transmissions via the company’s end devices and from the company network can be traced using various methods. This can reveal the identity of the anonymous whistleblower. More secure is the use of the web-based whistleblowing software Smart Intergity Platfom by DISS-CO and the application of the associated guidelines, which, among other things, prohibit tracking of the use of the specific URL by IT.
If file attachments are attached to the report, the identity of the whistleblower can be identified via the metadata. The metadata is attached to each file and provides information about the author, the users and the history of the file. If the whistleblower is skilled enough to remove the metadata him/herself, the information cannot be traced. We know from practice that only a small percentage of people who usually report whistleblowing have the technical knowledge or are willing to read up on it in detail. Therefore, DISS-CO’s whistleblowing software automatically removes the metadata from anonymous reports.
In addition, for security reasons, some companies have so-called data loss prevention (DLP) tools in place that can record and monitor all actions. DLP tools can be used preventively to avoid data theft, but they are also very suitable for employee monitoring and can endanger the anonymity of the whistleblower. Whistleblowers are well advised to inform themselves in advance about the use of DLP tools if they wish to use the whistleblowing system for anonymous reporting.
Using an e-mail address as an internal whistleblowing channel offers many risks for the company and the whistleblower. Sensitive information within the company is processed and forwarded externally in an uncontrolled manner, could be misused and cause financial and reputational damage. The possible negative consequences for the whistleblower reduce trust in the whistleblowing system, which leads to lower use of the whistleblowing system. This in turn leads to violations going undetected for longer.
By implementing a secure web-based whistleblowing system such as DISS-CO’s Smart Integrity Platform, companies and authorities can provide security to whistleblowers and uncover risks at an early stage.
Book a free demo now and get advice from our experts.
DISS-CO® is an innovative legal tech company with a strong focus on eGRC and RegTech. Built by investigators experienced in detecting fraud and other violations in various sectors.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |