How to comply with the EU Whistleblower Protection Directive
Do you have 50 or more employees? If so, you are affected by the EU Whistleblower Protection Directive. Find out what you can start doing now to prepare with our top tips for compliance.
What is the EU Whistleblower Protection Directive?
The EU Whistleblower Protection Directive aims at protecting and encouraging whistleblowers throughout the EU who report on a range of misconduct that they become aware of through their workplace.
“Parliament has come together to send a strong signal that it has heard the concerns of its citizens and pushed for robust rules guaranteeing their safety and that of those persons who choose to speak out,” said Virginie Rozière, EU parliamentarian and rapporteur of the law.
What do you need to know about the EU Whistleblower Protection Directive?
Which organisations are affected?
The EU Whistleblower Protection Directive states that all private legal entities with 50 or more employees will need to establish secure reporting channels. Additionally, companies operating in specific areas such as financial services, products and markets, and companies that are vulnerable to money laundering or terrorist financing, will also need to comply regardless of size. All public legal entities will also need to comply, with some potential exceptions for smaller municipalities and public entities.
What kind of internal channel needs to be implemented?
Internal channels for whistleblowing are more important than ever. According to the Directive, employees are to be encouraged to report internally first to their employer if a functioning internal channel is available to them. However, whistleblowers will be able to select the most appropriate channel for the circumstances of their case without losing the protection granted by the Directive; this includes reporting to competent national or EU authorities or to the media.
The EU Whistleblower Protection Directive places specific requirements on the nature of the whistleblowing channel to be provided. It details requirements regarding:
- Confidentiality of the identity of the whistleblower
- Response times
- Contact persons
- GDPR compliance
- Record keeping
Find out more about each requirement below, along with our top tips for EU Whistleblower Protection Directive readiness.
What can whistleblowers report on?
Whistleblowers will be able to sound the alarm on a range of issues and remain protected from recrimination when they do so. Issues include anti-money laundering and corporate taxation, data protection, protection of the Union’s financial interests, food and product safety, environmental protection, and nuclear safety.
Who can report?
Everybody who works in the private or public sector. The EU Whistleblower Protection Directive applies to employees, self-employed people, freelancers, consultants, contractors, suppliers, volunteers, unpaid trainees and job applicants, who acquire information on illegal activities in a work-related context. It also covers those who support whistleblowers such as family members and colleagues.
What if my organisation fails to comply?
The EU Whistleblower Protection Directive requires penalties against those who attempt to hinder reporting, retaliate against whistleblowers, bring proceedings against them, or reveal the identity of the whistleblower. Any threats or attempts to retaliate against whistleblowers are also prohibited.
Countdown to the EU Whistleblower Protection Directive
- 16th April 2019: Approval of the EU Whistleblower Protection Directive by the European Parliament, after which the new law is to be approved by EU ministers.
- Second half of 2021 (or two years after adoption): The new law must be embedded into national law by the Member States. Organisations with 250 employees or more must be ready to comply with the new law.
- Second half of 2023 (or two years after the law comes into force): Legal entities with 50 – 249 employees must be ready to comply with the new law.
Top tips for preparing for the EU Whistleblower Protection Directive – is your whistleblowing system already compliant?
Organisations will be obliged to establish internal reporting channels according to specific requirements. We have broken down these requirements and provide our advice below:
1. Confidentiality of the identity of the whistleblower
What the law says: The procedures for reporting and following up on reports shall include channels for receiving the reports which are designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report, and prevents access by non-authorised staff members.
Allow anonymous reporting and dialogue
– Anonymous reporting and dialogue are essential if people are to feel safe reaching out. Use a system that enables you to guarantee the whistleblower’s anonymity both when reporting and in the dialogue that follows.
– Use a system with a secure case management tool, through which you can appoint the people who are authorised to read and act on the reports received.
2. Response times
What the law says: The procedures for reporting and following up on reports shall include an acknowledgment of receipt to the reporting person within no more than seven days. The law also sets a time limit of three months from receipt of the report for providing feedback to the reporting person about the follow-up.
Be responsive to build trust
– Make sure that the whistleblower instantly receives confirmation that the message has been received, for example via an on-screen message.
– The receiver of whistleblower messages should be notified immediately by text message and e-mail that a report has been received. However, limit e-mail to notifications only: whistleblower messages can contain sensitive or personal data and should be encrypted and managed within the secure system, never sent by e-mail.
– Make sure that you have a dedicated team to receive the reports, and the right team to handle them and provide feedback to the whistleblower in a timely manner.
– If your organisation receives many messages, you might want to have standard messages ready to send out to the whistleblower.
3. Contact persons
What the law says: The procedures for reporting and following up on reports shall include the designation of an impartial person or department competent for following up on the reports (…) which will maintain communication with and, where necessary, ask for further information from and provide feedback to the reporting person.
Ensure the right system, skills and routines are in place to handle investigations
– Set up a team that is as non-operational as possible, with roles drawn from a range of different parts of the organisation. This strengthens the integrity of the team. In the WhistleB 2019 customer study, the whistleblowing team most often included these competences: legal and compliance, internal audit and risk, ethics, and HR. Having Board representatives on the team is also becoming more common.
– Make sure that you have a system that allows you to add the competences you need on a case-by-case basis.
– Make sure that you have a channel through which the whistleblower can add pictures, videos, text documents and other file formats, and that the channel cleanses file metadata, since metadata embedded in an uploaded file can reveal the identity of the person who created it.
What the law says: The procedures for reporting and following up on reports shall include diligent follow-up to the report by the designated person or department, diligent follow-up where provided for in national law as regards anonymous reporting, and a reasonable timeframe to provide feedback to the reporting person about the follow-up to the report.
Select a robust case management system to underpin diligent follow-up
– Ensure your whistleblower system includes a case management tool that is integrated with the reporting channel and allows for dialogue with an anonymous or non-anonymous whistleblower. This ensures seamless, compliant and secure case follow-up and processing. According to WhistleB’s 2019 customer study, approximately 50 % of all reports lead to a dialogue with the whistleblower.
– If your organisation operates multi-nationally, select a system with safe translation support for communication in any language.
Assess how your organisation handles investigations
– Treat investigations with the utmost confidentiality and with respect for both the whistleblower and the person accused.
– Establish processes for any action plans needed based on the outcome of the investigations.
– Investigations can require very specialist skills which leaders may need to source externally, or you might want to have an external team to receive your reports. In this case, a system that allows external users to be securely included in case handling is important.
5. Communication & information
What the law says: The procedures for reporting and following up on reports shall include clear and easily accessible information regarding the conditions and procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.
Do all you can to give people confidence to report internally
Having your own trustworthy whistleblowing system, knowledgeable people handling the messages and a thorough process increases the organisation’s chances of receiving reports internally and of being able to address and correct matters appropriately. A robust whistleblowing system is a concrete way of showing that you mean what you say in your ethical guidelines and that the organisation is willing to listen when things go wrong. It is also a form of insurance: with an internal whistleblowing system in place you can prevent inappropriate conduct from happening in the first place.
6. GDPR compliance
What the law says: Any processing of personal data carried out pursuant to the Directive must comply with the GDPR.
A GDPR compliant system makes things easy for you
– Choose a system that is itself GDPR compliant and built to help you comply with the GDPR.
– Useful features for compliance include case and user logs, safe translations, and deletion of personal data when the case is closed.
– Check that you inform potential users correctly about national differences in reporting.
7. Record keeping of the reports
What the law says: Authorities, private and public legal entities must keep records of every report received, in compliance with the confidentiality requirements provided for. Reports shall be stored for no longer than is necessary and proportionate.
Complete and close cases within one integrated whistleblower system
– Ensure that you can keep a user log and a case log for each case. A GDPR compliant whistleblowing system does this automatically for you.
– Ensure that your whistleblowing system allows for deleting personal data in line with the GDPR principle of accountability.
Use the EU Whistleblower Protection Directive to gain business value
Selecting the right skills, routines and system for internal reporting presents you with an opportunity to get real business value from whistleblowing. Many WhistleB customers implement a whistleblowing system as a preventive measure: the very fact that the system is available may prevent misconduct from occurring in the first place. Others implement such a system to show stakeholders that their organisation is committed to building trust and doing the right thing. In any case, avoiding or minimising damages by implementing effective whistleblowing channels can prove a great return on investment on its own.
Contact us to start your countdown to compliance
Contact us if you would like a free consultation on your readiness for compliance with the EU Whistleblower Protection Directive.
WhistleB is ready to help your organisation prepare to comply with the EU Whistleblower Protection Directive and we can help you with all the tips mentioned above. We have a leading, secure digital whistleblower system used by hundreds of organisations worldwide, and over 25 years of experience in compliance and ethics. We stay ahead of the latest laws and embed compliance into effective solutions that fit your organisation’s unique demands.