How To Conduct A GDPR-Compliant Internal Investigation

In 2018, the EU’s General Data Protection Regulation (GDPR) went into effect, creating a uniform data protection law for everyone in the EU. The GDPR sought to give individuals control over their personal data and ensure that organizations used the data they collected from individuals responsibly. 

One noteworthy aspect of the GDPR is its severe schedule of penalties; so far, data protection agencies have imposed more than €1.29 billion in fines. Many of the largest fines—such as the €746 million fine the Luxembourg National Commission for Data Protection levied against Amazon for improperly processing its customers’ personal data—relate to marketing practices and data breaches. But many organizations don’t realize how far the GDPR reaches into other aspects of their business, including internal investigations.

Anytime an organization, inside or outside the EU, processes the personal data of an EU subject—even for an internal process like an investigation—it triggers the GDPR. That’s why it’s so important for organizations to know where their data lives and to have a GDPR-compliant protocol for conducting internal investigations. 


Overview of EU data privacy law
What is the legal basis for conducting internal investigations under the GDPR?
5 steps of a GDPR-compliant internal investigation
1. Determine whether there is a legitimate basis for the investigation
2. Train employees in how to conduct a compliant investigation
3. Give affected employees a privacy notice
4. Limit data processing as much as you can
5. Take further precautions if your investigation poses a high privacy risk
Tools and technology that can help with GDPR-compliant investigations 

Overview of EU data privacy law 

The EU adopted the General Data Protection Regulation on May 25, 2018, to harmonize a patchwork of existing national data laws that made it increasingly difficult to do business in the EU. The GDPR’s other goal was to ensure individuals had adequate protection for their personal data as the digital economy continued to evolve and organizations collected more and more data from individuals. 

The GDPR applies to any business offering goods or services to EU customers as well as to businesses located in the EU. It defines an individual’s personal data broadly, including names, addresses, photos, contact information, genetic data, and biometric data. Essentially, if data can identify an individual, whether by itself or in combination with other data, it is considered personal data.

The GDPR sets forth a framework of seven principles governing the use of data: 

  1. Lawfulness, fairness, and transparency: Organizations must have a valid reason to process data. They must either obtain the user’s consent, fulfill contractual or legal obligations, protect the vital interests of a natural person, perform a task in the public interest, or have a legitimate interest that isn’t overridden by a data subject’s rights and interests. To be transparent, organizations must also let users know why and how they are using their data.
  2. Purpose limitation: The data must be collected for a specific, legitimate purpose that the organization explains to users with a privacy notice.
  3. Data minimization: Organizations should collect only the data they need for their purposes.
  4. Accuracy: Organizations must ensure that the data they collect is correct and take steps to update or erase incorrect data.
  5. Storage limitation: Organizations should only store data for as long as necessary to achieve their purpose.
  6. Integrity and confidentiality: Organizations must protect data from internal and external security threats, including unauthorized processing, loss, and damage.
  7. Accountability: Organizations must document how they’re complying with the principles of the GDPR; data protection authorities may ask an organization to produce this information at any time. 

Many of these principles come into play when organizations conduct investigations into potential wrongdoing within their ranks. 

What is the legal basis for conducting internal investigations under the GDPR? 

In line with the GDPR’s lawfulness principle, organizations must have a valid legal basis for launching an internal investigation that involves an EU resident’s personal data. What constitutes a legal basis will depend on several factors, including the investigation’s purpose, the data subjects involved, and the types of data collected.

The General Data Protection Regulation permits data processing when it is “necessary for compliance with a legal obligation.” 

Alternatively, if the company or a third party has a “legitimate interest,” it can process an individual’s data, so long as the individual’s data privacy rights do not trump the company’s interests. For example, a legitimate interest might be a reasonable suspicion of misconduct based on specific facts. 

To make the proper assessment, consider the expectations of the individuals and the potential consequences for their rights, the data processed, and the extent of the investigation. You must also evaluate whether there are other ways to meet the goals of the investigation without affecting the individual’s rights. You should document all the decisions you make, including any steps you take to limit the impact of data processing on the individual. 

Finally, you can proceed with an investigation if the individual gives you specific, voluntary consent to collect their data. Voluntary consent is difficult to achieve in internal investigations because of the imbalance of power in the employer-employee relationship. Furthermore, in many investigations, employers won’t want to alert their employees to the fact of the investigation. Remember that employees may refuse to give consent or can withdraw their consent at any time, so this is not a reliable basis for pursuing an investigation. 

5 steps of a GDPR-compliant internal investigation 

The rigors of the GDPR make internal investigations challenging, but compliance is possible if you take the proper precautions. Organizations that follow the best practices described in the five steps below will be in a good position should they face a challenge from an employee or data protection authority. 

1. Determine whether there is a legitimate basis for the investigation 

Make sure that your organization has a legitimate reason to conduct the investigation—which is a good rule of thumb regardless of whether the investigation implicates EU residents’ data. 

If you don’t have a specific legal mandate for the investigation, conduct an assessment to make sure you have a justifiable “legitimate interest” to proceed with the investigation. Document your interest and the necessity for processing the individual’s data and verify that the data subject’s interests do not outweigh your legitimate interest in the investigation. Keep this document updated throughout the investigation. 

2. Train employees in how to conduct a compliant investigation 

Internal investigations that must comply with the GDPR are much more restrictive than standard investigations. It’s imperative that any person running the investigation undergo training in what the GDPR does and does not permit when it comes to processing personal data. 

3. Give affected employees a privacy notice 

Before you process any data, give the affected individuals a privacy notice that sets forth their data-related rights and the reason that you’re processing their data. The notice should explain how they can get more information about the reasons for the processing and the balancing of interests test that you conducted. It should also inform individuals of their right to object to the processing of the data. 

4. Limit data processing as much as you can 

The less data you process, and the fewer ways you use that data, the fewer GDPR compliance concerns you’ll have. Do not go beyond your initially stated purpose for collecting the individual’s data unless you have a legitimate basis for doing so. Additionally, ensure your data use isn’t more intrusive than necessary to meet the needs of your investigation. Finally, restrict access to the data to the people who need it and implement measures to safeguard against unauthorized access.

5. Take further precautions if your investigation poses a high privacy risk 

If your investigation implicates a particularly sensitive category of data or will have a strong impact on an individual’s privacy, you likely need to conduct a deeper assessment to balance the individual’s rights against your needs in the investigation. The categories of data involved here are defined in article 9 of the GDPR, namely “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.” 

The GDPR calls this assessment a Data Protection Impact Assessment, or DPIA. Examples of situations that may require a DPIA include these: 

  • processing highly sensitive data,
  • using new technologies,
  • tracking individuals’ locations or behavior,
  • monitoring a publicly accessible place on a large scale,
  • using data to make automated decisions about people that may have significant effects,
  • processing children’s data, or
  • processing that risks physical harm to the individuals whose data is collected if the data is leaked. 

A DPIA should include the following: 

  • a systematic description of the processing and purposes of the processing, including, where applicable, the legitimate interest for the processing;
  • an assessment of the necessity and proportionality of the processing compared to the purposes for the data processing;
  • an assessment of the risks to individuals’ rights and freedoms; and
  • the measures you will take to address the risks, protect personal data, and comply with the GDPR, including safeguards, security measures, and mechanisms. 

You should also consult with your company’s data protection officer, if you have one, as you draft and implement your DPIA. 

Tools and technology that can help with GDPR-compliant investigations 

Internal investigations that implicate the GDPR are complex and risky endeavors. Organizations must take steps to reduce their risks with tools that can help them quickly identify personal data and other sensitive data. If personal data is identified, those tools must be capable of anonymizing, pseudonymizing, and redacting it, especially if data has to be transferred beyond the EU’s borders.

ZyLAB ONE is a powerful tool that can immediately notify you about the existence of sensitive data that might trigger the GDPR, then help you manage it. Our AI-powered technology is designed to mine data for telltale concepts and patterns that indicate the need for confidentiality, such as account numbers and health data, so you can redact or anonymize it. With ZyLAB ONE, you can meet the GDPR’s requirements while collecting the data you need to accelerate your internal investigation. Contact us today to learn more.