Reconciling the challenges between data policy and the investigation process can be difficult. The internal investigation solicitors at DPP GDPR can provide valuable support and guidance. Contact us today on 0333 200 5859.
Internal investigation are enquiries into potential violations of business practices or policies.
The management or owners of a company may launch internal investigations. This usually happens if they believe unethical or illegal conduct has taken place.
Outcomes of an internal investigation may include:
- No action
- A re-evaluation of business practices
- Retraining of employees
- Disciplinary action
- Termination of employment
- Legal action
Under GDPR (General Data Protection Regulation), internal investigation procedures have become more challenging. These include the processing of personal data.
How our solicitors can help you
Our legal experts can assist you in maintaining internal investigations best practices while:
- Settling on the aims and approaches of your investigation
- Analysing facts and evidence to determine whether unlawful conduct has occurred
- Complying with GDPR and data protection laws
- Corresponding with law enforcement agents, prosecutors and regulatory bodies
- Managing or mitigating possible reputational issues or damage
- Handling Freedom Of Information requests, Data Subject Access Requests and similar demands
- Recovering losses or damages through legal action
- Applying for prosecution immunity
- Arranging a Deferred Prosecution Agreement
- Dealing with a data breach in the context of an internal investigation
As well as the above, our internal investigation solicitors can assist you with:
- Data protection legal advice
- Technology law
- GDPR HR support
- Contract law
Consent and legitimate interest
Consent is one of the major challenges involved in internal investigations under GDPR.
If your company plans to process any personal data, its subject must be able to consent in a way that is:
- Freely given
- Given by way of a clear, affirmative action
It’s argued that consent cannot be “freely given” in an employer/employee relationship. This is due to the imbalance of “power” and the employee’s possible concern about the security of their job.
This is even more difficult if the data subject is also the person at the centre of an investigation. In these cases, a company may rely on “legitimate interest” instead.
If it is in the interests of the data subject or the wider community to process the data, you may not need consent. This is because it is a case of legitimate interest.
Circumstances where legitimate interest may come into play include:
- Attempting to prevent criminal activities or fraud
- Protecting the rights of individuals
- Upholding legal duties
- Reporting criminal behaviour or threats to the public
- Acting in the public interest
There may also be challenges connected to internal investigations prompted by whistle blowing.
Companies must protect the identity of whistle blowers. Data subjects have the right to request details of all data held about them. These data subjects may include people under investigation due to the whistle blowing.
In these cases, it is important to take extra care. Investigators must ensure that no information they provide compromises the whistle-blower.
Data protection impact assessments
Before internal investigations begin, your company should undertake a data protection impact assessment.
You must explore all risk factors involved, especially factors involving data. Your company must identify risks and minimise them before taking further action.
It is good practice to work with a legal adviser when undertaking assessments of this kind.
Frequently asked questions about internal investigations
How long do internal investigations take?
With procedures of this kind, time scales vary. You may find that an investigation lasts days, weeks or even months. This depends on a large number of factors, including:
- The complexity of the situation
- The activities of the investigating bodies and the speed at which they act
- The size, scale and profile of the company
- The number of staff members involved
- The severity of the potential consequences
- The availability and accessibility of evidence
- The levels of cooperation demonstrated by the subjects and witnesses
- Whether it is likely to become a criminal or civil investigation
- Whether it goes to court
Would the need to investigate an employee constitute a “legitimate interest”?
Yes – if the investigation is due to concerns about the employee’s conduct and if there is evidence. There will almost definitely be legitimate interest should the case include:
- Potential criminal activity
- Possible fraud
- Any danger to the general public
Who conducts internal investigations?
Internal investigations are usually undertaken by employers and the company’s Human Resources department. Should the matter be serious, authorities such as the police may assist.
For advice on internal investigations and data protection, call us today on 0333 200 5859.