The Whistlelink Blog: Get useful tips, learn best practices and read the latest news

Ensuring data protection in Whistleblowing Systems: A lesson learned from Bologna Airport

Breach of data protection in whistleblowing system, Bologna Airport.


Whistleblowing is a critical tool for uncovering illegal activities in organisations. However, the incident involving Bologna Airport in Italy shows the importance of implementing robust data protection measures within digital whistleblowing systems. In this blog post, we explore the violations committed by Bologna Airport and how organisations can ensure data protection in their whistleblowing solutions.

What happened at Bologna Airport? 

Bologna Airport had engaged a service provider to deploy a digital whistleblowing system, enabling users to anonymously report legal irregularities. However, the Italian Data Protection Authority identified multiple violations of the General Data Protection Regulation (GDPR) during the system’s implementation. As a result, the authority imposed a €40,000 fine on Bologna Airport for inadequate implementation of technical and organisational measures in the internal reporting solution. 
 

1. Security oversight: Encryption deficiency 

The airport failed to implement suitable encryption mechanisms for the transport and storage of the reported data. The absence of encryption not only compromised the confidentiality and integrity of the data but also exposed it to unauthorized access. The Italian data protection authority emphasized that the sensitive nature of the reported information required a high level of encryption to mitigate risks. 
 

2. Privacy breach: Unauthorized logging 

The airport’s whistleblowing system logged the navigation behaviour of users, including IP addresses and usernames. This logging practice violated the principles of “data protection by design” and “data protection by default settings” outlined in the GDPR. Whistleblower systems must be designed in a way that ensures confidentiality and anonymity, and logging user activities puts these principles at risk.  

3. Data protection oversight: Missing Data Protection Impact Assessment 

Another violation identified by the Italian data protection authority was the absence of a data protection impact assessment (DPIA). Whistleblowing systems often involve the processing of sensitive data, which can have severe consequences for both whistleblowers and the accused parties. Conducting a DPIA helps identify and mitigate potential risks to the rights and freedoms of individuals. 

Prioritizing data protection in whistleblowing systems: A lesson learned  

The case of Bologna Airport serves as a wake-up call for organisations to prioritize data protection in their internal reporting systems. Here are some key steps to consider:

1. Implement robust encryption mechanisms: 

To safeguard the confidentiality and integrity of reported data, it is crucial to employ strong encryption protocols, such as HTTPS (TLS), for data transfer. Additionally, all stored data should be encrypted to prevent unauthorized access. At Whistlelink, we employ a robust strategy that includes encryption in transit, encryption at rest and effective key management practices that offer good defense mechanisms for protecting data integrity and confidentiality.

2. Adhere to “Data Protection by Design” and “Data Protection by Default”:

Ensure that the whistleblowing system is designed with privacy in mind. This includes avoiding unnecessary data logging (such as IP addresses or device data) and retaining only the minimum amount of information required for investigations. Anonymity and confidentiality should be maintained throughout the reporting process. 
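One way to apply this minimisation to the logs of a reporting portal, shown as an added example that is not Whistlelink's or the airport provider's code. It assumes the web server writes Combined Log Format lines; the names `sanitize_access_line`, `scrub_message` and `ReportPrivacyFilter` are hypothetical and the sample line is constructed.

```python
import ipaddress
import logging
import re

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
_CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')
_CANDIDATE = re.compile(r'[0-9A-Fa-f:.]{3,}')   # validated with ipaddress below
_USER_KV = re.compile(r'\b(user(?:name)?|login)=\S+', re.IGNORECASE)


def _redact_ip(match):
    token = match.group(0)
    core = token.rstrip(".:")                   # sentence punctuation after an address
    for cand in (token, core, core.rsplit(":", 1)[0]):   # last form drops a ":port"
        try:
            ipaddress.ip_address(cand)
        except ValueError:
            continue
        return "[ip-removed]" + token[len(cand):]
    return token                                # a time such as 13:55:36, or a hex-looking word


def scrub_message(text):
    """Remove IP literals and user=... pairs from free-form application log text."""
    text = _CANDIDATE.sub(_redact_ip, text)
    return _USER_KV.sub(lambda m: m.group(1) + "=[removed]", text)


def sanitize_access_line(line):
    """Keep time, request, status and size; drop host, user, referer and user agent."""
    m = _CLF.match(line.strip())
    if m is None:
        return None                             # fail closed: never store an unparsed line
    return '- - - [{time}] "{request}" {status} {size} "-" "-"'.format(**m.groupdict())


class ReportPrivacyFilter(logging.Filter):
    """Scrubs each record in place; attach it to every handler of the application."""

    def filter(self, record):
        record.msg, record.args = scrub_message(record.getMessage()), None
        return True


# Constructed sample line (documentation address range, invented user name).
SAMPLE = ('203.0.113.7 - alice [10/Oct/2023:13:55:36 +0000] '
          '"POST /report/submit HTTP/1.1" 200 512 '
          '"https://intranet.example/hr" "Mozilla/5.0 (X11; Linux x86_64)"')

if __name__ == "__main__":
    print(sanitize_access_line(SAMPLE))
```

Scrubbing at write time is the second-best option; where the server allows it, configuring the log format so that these fields are never emitted removes the data at the source.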

3. Consider conducting a Data Protection Impact Assessment: 

Before implementing a whistleblowing system, consider conducting a DPIA to identify and address potential risks to individuals’ rights and freedoms. This assessment should consider the sensitivity of the reported information, the potential impact on whistleblowers and accused parties, and any necessary mitigation measures. 

4. Choose a trusted and experienced provider: 

When selecting a provider for a whistleblowing system, ensure that the provider is committed to data protection and GDPR compliance. Review security measures, encryption protocols, and track record to ensure the system aligns with regulatory requirements, such as the GDPR and national whistleblower protection laws. 

Whistlelink has delivered whistleblowing solutions to satisfied customers for more than 10 years. Our whistleblower service is available on your own website 24/7.

We offer 35+ languages in a customized, user-friendly digital whistleblower solution where all data is stored on servers within Europe, in accordance with GDPR. Start your free trial today! 

If you have any thoughts about this article or would like to know more about Whistlelink, we’d love to hear from you.

Are you looking for a safe and secure whistleblowing solution for your organisation? Please book a free demo of our system in the calendar below!

Talk with Territory Manager
Annelie Demred

0046 (0)706 83 82 88
