There are companies, and it doesn't always have to be a matter of large corporations, that believe in good practices as a sign of identity. That of making a good name for themselves not only by doing their job well but also by doing it in an ethical, responsible and respectful way.
At some point, it was given a name and everything the company did, not necessarily in terms of business, that contributed to generating value was brought under the umbrella called Corporate Social Responsibility. In general, these were actions directed outside the organization, but, of course, it couldn't just be a showcase of illusions, in the back room, good ways of doing things had to be the norm too.
What could have been a fashion at times has become consolidated to the point that it is no longer an option and has a clear and growing legislation on it. It is largely what is called 'compliance', that is, regulatory compliance as a non-negotiable framework for action. The fact that this internal code is effective generates confidence in the organization for the values and commitments in fulfilling its obligations inside and outside.
In this sense, one of the most popular issues, related to internal functioning, is the reporting system. Especially since before the end of the year, the countries of the European Union must transpose the European Directive on the protection of whistleblowers. In other words, the mechanism to make an anti-corruption tool effective from within organizations. The objective is to allow incorrect reports to be made public anonymously and continue to obtain legal protection, as long as they act in good faith. And this is where data protection legislation comes in to allow and secure these channels for reporting corruption.
Not everyone is obliged to open this reporting channel. Organizations with more than 50 employees are required to do so. The essential thing is to inform workers of the existence of the reporting system and the processing of data involved in making a report. It is usually an online mailbox. The complainant must be allowed to remain anonymous and, if this is not the case, the complainant's information must be kept safe and not made easy for the person being reported to identify them. This implies implementing reinforced security and confidentiality measures for the information. Access must be limited exclusively to those who carry out internal control and compliance functions and, finally, it should be noted that the data must only be kept for the time necessary to investigate the facts. In any case, they must be deleted three months after their introduction into the reporting system.
Without a doubt, it becomes a great challenge. The risk of not doing things right is increasingly high.
