GDPR Compliance - Disclosurely Data Protection Guide

Complete GDPR compliance guide for whistleblowing platforms. Data subject rights, retention policies, audit trails, and privacy by design for EU data protection regulations.

GDPR Compliance

How Disclosurely helps you meet General Data Protection Regulation requirements.

Overview

Disclosurely is built for GDPR compliance:

• Privacy by design: GDPR principles built-in
• Data minimization: Collect only what's needed
• Purpose limitation: Use data only for investigations
• Storage limitation: Automated retention and deletion
• Integrity and confidentiality: Military-grade encryption
• Accountability: Comprehensive audit trails

GDPR Principles in Disclosurely

Lawfulness, Fairness, and Transparency

Lawful Basis:

• Legitimate interest: Conducting workplace investigations
• Legal obligation: Compliance with whistleblowing laws
• Consent: Where required (confidential reports)
• Public interest: Preventing crime and misconduct

Transparency:

• Clear privacy notices
• Explain data processing
• Inform data subjects of their rights
• Document legal basis

Fairness:

• No hidden processing
• Expected use of data
• Balanced interests
• Proportionate collection

Purpose Limitation

Data Used Only For:

• Investigating reported allegations
• Communicating with reporters
• Compliance with legal obligations
• Statistical analysis (anonymized)
• Improving investigation processes

Not Used For:

• Marketing
• Unrelated purposes
• Profiling
• Automated decision-making (except AI assistance with human oversight)

Data Minimization

Collect Only:

• Information necessary for investigation
• Reporter identity (confidential reports only)
• Relevant evidence
• Communication history
• Investigation notes

Do Not Collect:

• Unnecessary personal details
• Special category data (unless relevant)
• Disproportionate information
• Irrelevant background

Anonymous Reports:

• No personal data collected
• Maximum data minimization
• Tracking ID only identifier
• Cannot re-identify reporter

Accuracy

Ensuring Accuracy:

• Reporters control their information
• Can update via secure messaging
• Investigators verify facts
• Corrections logged in audit trail
• Outdated data flagged

Update Mechanisms:

• Reporter can correct information
• Subject can dispute allegations
• Evidence must be verified
• Interview transcripts verified

Storage Limitation

Retention Periods:

• Configurable by case type
• Default: 7 years
• Automatic deletion after retention
• Legal holds override deletion
• Anonymization option

Automated Deletion:

• System calculates deletion date
• Alerts before deletion
• Requires approval
• Secure destruction
• Deletion certificate generated

Integrity and Confidentiality

Encryption:

• AES-256 encryption at rest
• TLS 1.3 for data in transit
• Zero-knowledge architecture
• End-to-end encryption
• Encrypted backups

Access Controls:

• Role-based permissions
• Least privilege principle
• Multi-factor authentication
• Session management
• Access logged in audit trail

Security Measures:

• ISO 27001 certified
• SOC 2 Type II compliant
• Regular penetration testing
• Vulnerability scanning
• Security monitoring

Accountability

Demonstrate Compliance:

• Data processing records
• Privacy impact assessments
• Data protection policies
• Audit trails
• Compliance reports
• Training records

Data Subject Rights

Right of Access (Article 15)

What Data Subjects Can Request:

• Copy of their personal data
• How data is being processed
• Who has accessed their data
• Retention period
• Rights to rectify or erase

Disclosurely Features:

For Confidential Reporters:

1. Log in to account
2. Navigate to "My Data"
3. View all personal data held
4. Download data export (JSON/PDF)
5. View access log (who viewed case)

For Anonymous Reporters:

• Cannot identify reporter to respond
• No personal data collected (by design)

For Subjects of Investigation:

• Submit data access request
• Verify identity
• Receive data held about them
• Subject to exemptions (investigation in progress)

Timeline: 1 month to respond

Exemptions:

• Ongoing investigation may delay response
• Cannot disclose reporter identity
• Cannot compromise investigation
• Document exemption reasoning

Right to Rectification (Article 16)

What Can Be Corrected:

• Factual errors in report
• Personal details
• Evidence annotations
• Contact information

How to Request:

Confidential Reporters:

• Send message via secure messaging
• Specify what needs correction
• Investigator reviews and updates
• Logged in audit trail

Subjects:

• Submit rectification request
• Provide correct information
• Investigator reviews
• Update if appropriate
• Note in case file if disputed

Not Applicable To:

• Opinions (subject can dispute)
• Allegations themselves
• Investigation findings
• Subjective assessments

Right to Erasure / "Right to be Forgotten" (Article 17)

When Erasure Required:

• Data no longer necessary
• Consent withdrawn (if consent was basis)
• Objection and no overriding legitimate interest
• Processed unlawfully
• Legal obligation to erase

When Erasure NOT Required:

• Compliance with legal obligation (investigations)
• Public interest (serious misconduct)
• Legal claims (potential litigation)
• During retention period

Disclosurely Process:

1. Request Received

   • Via email or in-app
   • Identity verified
   • Logged in system

2. Evaluation

   • Legal team reviews
   • Assess legal basis for processing
   • Check exemptions
   • Consider retention obligations

3. Decision

   • Erase if required
   • Explain if exemption applies
   • Partial erasure if appropriate
   • Document reasoning

4. Implementation

   • Secure deletion if approved
   • Anonymization alternative
   • Update audit trail
   • Notify data subject

Timeline: 1 month to respond

Right to Restriction of Processing (Article 18)

When Applicable:

• Accuracy disputed (restrict while verifying)
• Processing unlawful but subject prefers restriction to erasure
• No longer need data but subject needs it for legal claims
• Objection lodged (restrict while assessing)

Effect:

• Data stored but not processed
• Only with subject's consent or for legal claims
• Must inform before lifting restriction

Disclosurely Implementation:

• "Restricted Processing" flag on case
• Data viewable but not used
• Cannot update case
• Alerts when accessed
• Subject notified before restriction lifted

Right to Data Portability (Article 20)

Scope:

• Data provided by subject
• Automated processing
• Based on consent or contract
• Technically feasible

Disclosurely Export:

• Structured format (JSON)
• Machine-readable
• Commonly used format
• Direct transfer where possible

Export Contents:

• Report content
• Messages sent
• Files uploaded
• Account information
• Not investigation notes (not provided by subject)

How to Export:

1. Account settings > "Export My Data"
2. Select data to include
3. Choose format (JSON, CSV)
4. Download file
5. Transfer to another service if desired

Right to Object (Article 21)

Grounds for Objection:

• Processing based on legitimate interests
• Direct marketing (not applicable)
• Scientific/historical research
• Particular situation of data subject

Disclosurely Response:

1. Receive Objection

   • Via email or in-app
   • Document grounds

2. Assess

   • Compelling legitimate grounds?
   • Legal claims potential?
   • Public interest?
   • Overriding interests?

3. Decision

   • Stop processing if no compelling grounds
   • Continue if legal obligation or legitimate grounds
   • Explain decision
   • Inform of right to complain to supervisory authority

Rights Related to Automated Decision-Making (Article 22)

Disclosurely's Approach:

• No solely automated decisions
• AI assists but humans decide
• Meaningful human oversight
• Can request human review
• Can express point of view
• Can contest decision

AI Case Helper:

• Provides recommendations only
• Investigator makes final decision
• Can override AI suggestions
• Subject can challenge findings
• Human review always available

Data Processing Records

Article 30 Records

Required Documentation:

Controller Information:

• Organization name and contact
• Data Protection Officer contact
• Processing purposes
• Data subject categories
• Personal data categories
• Recipient categories
• International transfers
• Retention periods
• Security measures

Disclosurely Maintains:

• Organization profile
• DPO designation
• Processing purposes (investigations)
• Categories (reporters, subjects, witnesses)
• Data types (reports, evidence, messages)
• Recipients (investigators, management)
• Transfers (if applicable)
• Retention policies
• Security documentation

Access:

• Dashboard > Compliance > GDPR Records
• Generate Article 30 report
• Export for supervisory authority
• Update as needed

Data Protection Impact Assessment (DPIA)

When Required:

• High risk processing
• Systematic monitoring
• Large scale special category data
• New technologies

Disclosurely Use Cases Requiring DPIA:

• Implementing Disclosurely initially
• Processing sensitive allegations
• Using AI Case Helper
• Custom integrations

Disclosurely Provides:

• DPIA template
• Risk assessment guide
• Mitigation recommendations
• Regular review prompts

DPIA Process:

1. Describe processing operations
2. Assess necessity and proportionality
3. Identify risks to data subjects
4. Evaluate measures to address risks
5. Document and review

Data Processing Agreements (DPAs)

Disclosurely as Processor:

• You (customer) are the controller
• Disclosurely is the processor
• DPA required by Article 28

DPA Includes:

• Subject matter and duration
• Nature and purpose of processing
• Type of personal data
• Categories of data subjects
• Controller and processor obligations
• Security measures
• Sub-processor arrangements
• Data subject rights assistance
• Audit rights
• Deletion obligations

Access DPA:

• Dashboard > Legal > Data Processing Agreement
• Review and accept
• Download signed copy
• Attached to subscription

International Data Transfers

Data Location

Disclosurely Hosting:

• EU/UK customers: Data in EU
• US customers: Data in US
• Choice of region
• No transfers without consent

Sub-Processors:

• Vetted and approved
• Data processing agreements
• Adequate safeguards
• Listed in documentation

Transfer Mechanisms

If Transfer Needed:

EU to Third Countries:

• Adequacy decision (UK, Switzerland)
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Subject consent (rare)

UK Post-Brexit:

• UK considered adequate by EU
• EU considered adequate by UK
• Seamless transfers

Disclosurely Provides:

• SCCs if needed
• Transfer impact assessment
• Alternative safeguards
• Documentation

Data Breaches

Breach Notification Obligations

Timeline:

• Discover breach
• Assess severity
• Notify supervisory authority within 72 hours (if high risk)
• Notify data subjects without undue delay (if high risk to rights)

Disclosurely Process:

1. Detection

   • Security monitoring
   • Automated alerts
   • User reports
   • Regular audits

2. Containment

   • Immediate action to stop breach
   • Preserve evidence
   • Prevent further damage

3. Assessment

   • What data affected?
   • How many data subjects?
   • Risk to rights and freedoms?
   • Notification required?

4. Notification

   • Supervisory authority (if required)
   • Affected data subjects (if high risk)
   • Customer organizations
   • Documentation

5. Remediation

   • Fix vulnerability
   • Implement additional controls
   • Monitor for recurrence
   • Document lessons learned

Customer Responsibilities:

• Assess impact on your processing
• Notify your supervisory authority if controller
• Notify affected data subjects if required
• Cooperate with Disclosurely on investigation

Breach Prevention

Disclosurely Security:

• Encryption at rest and in transit
• Access controls and MFA
• Security monitoring
• Regular penetration testing
• Vulnerability management
• Incident response plan
• Staff training
• ISO 27001 certified

GDPR Compliance Tools

Automated Data Deletion

Configuration:

1. Set retention period by case type
2. System calculates deletion date
3. Alerts 90, 30, 7 days before deletion
4. Approve or extend
5. Automatic secure deletion
6. Certificate of deletion

GDPR Benefit: Demonstrates storage limitation principle

Access Request Portal

Data Subject Requests:

1. Submit request via form
2. Identity verification
3. Automated data gathering
4. Legal review for exemptions
5. Response generated
6. 30-day timeline tracking

Reduces Burden: Automates most of GDPR rights requests

Privacy Notices

Customizable Templates:

• Reporting page privacy notice
• Reporter privacy notice
• Subject privacy notice
• Staff privacy notice

Required Content:

• Controller identity
• Processing purposes
• Legal basis
• Recipients
• Retention
• Data subject rights
• Right to complain

Access:

• Dashboard > Settings > Privacy Notices
• Edit templates
• Multiple languages
• Version control

Consent Management

For Confidential Reports:

• Optional consent for identity disclosure
• Granular consent options
• Withdrawal mechanism
• Audit trail of consent
• Time-stamped

Not Required for:

• Anonymous reports (no personal data)
• Legal obligation processing
• Legitimate interest processing

Best Practices

Designate a DPO

When Required:

• Public authority processing
• Large scale systematic monitoring
• Large scale special category data

DPO Responsibilities:

• Monitor GDPR compliance
• Advise on DPIAs
• Cooperate with supervisory authority
• Contact point for data subjects

In Disclosurely:

• Assign DPO role to user
• DPO dashboard access
• Compliance reports
• Alert notifications

Regular Compliance Reviews

Quarterly:

• Review data processing records
• Check retention and deletion
• Assess data subject requests
• Review privacy notices
• Staff training check

Annually:

• Update DPIAs
• Review DPAs
• Audit security measures
• Assess new processing activities
• Train staff on GDPR

Document Everything

Maintain Records:

• Legal basis for processing
• DPIA outcomes
• Data subject requests and responses
• Breach assessments
• Deletion certificates
• Staff training
• Policy updates

Demonstrates Accountability: Can show supervisory authority

Training

Who Needs Training:

• All Disclosurely users
• Investigators especially
• HR team
• Compliance team
• Senior management

Topics:

• GDPR principles
• Data subject rights
• Breach notification
• Secure handling of data
• Retention and deletion
• Using Disclosurely compliantly

Disclosurely Resources:

• Training videos
• Documentation
• Best practice guides
• Compliance checklists

Supervisory Authorities

UK Information Commissioner's Office (ICO)

Contact:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Report concerns online

Responsibilities:

• Enforce GDPR in UK
• Investigate complaints
• Issue guidance
• Impose fines

EU Data Protection Authorities

Each EU Country:

• National supervisory authority
• Lead authority for cross-border processing
• Cooperation mechanisms

Find Your Authority:

• European Data Protection Board website
• Lists all EU/EEA authorities
• Contact details

Filing a Complaint

Data Subjects Can:

• Complain to supervisory authority
• Disclosurely must cooperate
• May result in investigation
• Can appeal decisions

How to Avoid:

• Respond promptly to requests
• Respect data subject rights
• Be transparent
• Document compliance
• Seek legal advice when uncertain

Related:

• Audit Trail
• Data Retention
• Security Overview
• Privacy & Encryption