Whistleblowing is an increasingly important topic in organizations. In Europe, it is increasingly brought up in relation to the new EU Directive on Whistleblowing and the new legal requirements it poses on companies.
In this guide, we cover everything you need to know about whistleblower systems, the best ways to set up your whistleblower scheme, the legal requirements you may be affected by, and best practices on implementing and communicating your system.
A Whistleblower scheme is your overall business strategy for the reporting of wrongdoing in your organization. It includes your policies for processing and treatment of reports, and the channels that you use to collect said reports. A whistleblower scheme protects the whistleblower from retaliation. A whistleblower system is an important component of your scheme.
A scheme often consists of the following components:
The whistleblowing system is the technical solution or vehicle through which whistleblowing occurs. In the past, companies have used physical or virtual mailboxes, or an open-door policy, to capture whistleblowing reports. Many of these methods are not compliant with Whistleblower protection regulation or GDPR.
The current best practice is to establish an internal reporting channel that is available to stakeholders through a secure online system. There, employees and other members of the organization can file reports in written form or orally, provide more information if required, and track the outcome of their report - all in a secure and confidential manner.
Your whistleblower policy is an internal document that describes your business procedures in case of a whistleblower report to your employees. Your policy includes but is not limited to:
The channels through which they can report
Which types of conduct are reportable
Team members responsible for following up on reports and taking action
An outline of the protections Whistleblowers enjoy
An outline of the investigation process
Expected timelines for the handling of whistleblower cases
These are the people in your organization in charge of receiving and handling the incoming whistleblower cases. The EU Directive recommends companies find the most suitable person to handle these sensitive reports. The task usually falls on senior persons in Human Resources, Compliance, and Legal teams.
Alternatively, you can also choose to delegate the receipt, screening, and handling tasks to an external partner, such as a law firm. In that case, the law firm partner becomes the authorized person for your organization.
Finally, a core part of the system is how you decide to share it with your employees. This is comprised of communications outlining policy, the identity of stakeholders, the existence of the reporting channel and other key information, as well as continuous training on whistleblower duties and protection.
Due to the EU Directive on Whistleblowing, and the subsequent national laws being approved, every company operating in Europe with over 250 employees needs to have a Whistleblower System by 17th of December, 2021. Starting December 2023, that requirement extends to companies with over 50 employees. Financial and Governmental organizations may have extended requirements.
There are several requirements for the form whistleblower systems take. These include:
Guarantee the confidentiality of the whistleblowers' identity
Acceptable timeframes for receipt and resolution of cases
Appointment of impartial persons to receive and follow up on reports
Reports can be made in oral or written form
In-person meetings, when required, will happen in a timely fashion
Since the individual countries in the EU have their own variation of this law, it is recommended that you look into the requirements for each country, to make sure you comply.
The goal of the new Directive is to protect the potential whistleblower from retaliation, firing, or any other harassment and exclusion in the workplace.
These protections not only apply to the whistleblower, but also to the parties assisting them, including fellow employees, labor unions, and the media.
If a whistleblower is fired after the person in question made a report, there will be an assumption that the dismissal was due to the report, and will be up to the company to prove otherwise.
If the whistleblower fears retaliation, reports can be made anonymously, or even directly to the regulator or the media. Nonetheless, the goal of the directive is to create an environment where the whistleblower can feel safe and protected and thus is encouraged to report malfeasance.
Your road to implementation will be different depending on the size of your organization, your industry, and any other steps that you may have taken previously towards establishing a whistleblower system in your organization.
Here are some common best-practice steps towards setting up your system and complying with local whistleblower regulations.
There is no requirement for the cases to be handled within your organization. You can hire the services of a law firm that specializes in managing whistleblower systems for companies like yours to take over the day-to-day management of the system.
This has benefits beyond the time savings since it ensures complete impartiality from the managing party.
If you chose to go the internal route, then you must appoint your stakeholders. Any person in your organization can become an approved manager of your whistleblower system. However, due to the seriousness and sensitivity of the topics discussed, most organizations pick members of their human resources, compliance, and leadership teams.
The only requirement here is that they are impartial and have the bandwidth to receive, manage and close cases in a timely fashion.
Establish a safe internal system through which your employees can file reports. The best practice is to provide an easily accessible web link in which whistleblowers can report confidentially or anonymously, orally or in written form, and through which they can maintain conversations with the approved managing members, provide more proof when required, and track progression towards closure.
Develop a document that includes detailed information about which systems employees can use to report, which types of conduct are reportable, the protections whistleblowers enjoy, etcetera. Then distribute that document among employees, and make it easily findable on your intranet.
Your system is only as effective as your employee's awareness of its existence and merits. This means you should communicate your policy to your employees and introduce them to the responsible (approved) persons that would be managing their cases.
At the same time you should share the internal reporting system with them and provide them with continued training on which behaviors to look for, how to report, and the protections that whistleblowers enjoy, so to foster an environment where potential whistleblowers feel safe to report.
Physical media is also a great option to communicate your system. Posters, signs, and other visual content in the office can help you create awareness of your whistleblower system.
At Whistleblower Software, we work with a number of Europe's leading compliance agencies and law firms to help their clients build compliant and effective whistleblower systems time and cost-effectively. This also means that we have an established network of great advisors.
If you require specific legal advice on your road to compliance, email us at firstname.lastname@example.org, share a bit about what you are looking for and for which countries, and we will send you in the right direction.
According to the EU Whistleblower Protection Directive 2019/1937, the role of whistleblower doesn't just apply to employees. It also applies to consultants, contractors, volunteers, board members, former employees, and work applicants as well. All of those persons should be protected under local regulations.
For the purpose of the company's internal reporting system and based on their specific requirements, some companies make their system available only to their employees through their handbook and other materials, whereas others make it publicly available on their website.
The EU Directive states that in the case of a group, each corporation with 250 (50 starting 2023) or more employees should have its own, standalone, whistleblowing systems. However, some countries such as Denmark, have chosen to challenge this, stating that the whistleblower system for the parent company applies to all subsidiaries.
At this point, the issue of the group system is country-specific.
Anonymous reporting refers to whistleblowers making reports without their identity being disclosed, not even to the person receiving the report. There is a risk of the whistleblower's identity accidentally being partially revealed during the process of providing proof for the report.
Confidential reporting refers to the whistleblower making reports under their own identity, under the understanding that their identity will not be revealed beyond the authorized staff. Their identity will only be disclosed where legally necessary and they enjoy full protection from the moment of the report.
Both reporting methods are acceptable under the EU Directive.
Although many people think Whistleblowing should be done anonymously due to the risks whistleblowers take, it actually makes both taking action and protecting the whistleblower against retaliation harder. Therefore, organizations should aim to create a safe environment in which confidential reporting is the standard.
Whistleblower systems deal with a large amount of critical personal data. As so, it is pivotal that all personal data in your system is handled in accordance with your overall GDPR policy.
1) Choose a compliant whistleblowing channel
It is important that you choose a technical tool that is compliant with GDPR and has gone through external audits to prove it. Make sure to sign the data protection agreement.
2) Prepare a Data Protection Impact Assessment (DPIA)
Since your whistleblower system is likely to handle sensitive personal data you should make a DPIA as part of your implementation. Whistleblower Software can help provide you with a DPIA for inspiration if relevant.
3) Normal data protection measures and delete policy
Make sure that the whistleblower system follows your normal procedures for good data protection whenever possible. There might be conflicts especially when it comes to the delete policy. Depending on your country and other legislation the delete policy will have to be implemented accordingly.
The management of your organization's whistleblower cases can be handled in-house by authorized persons, or outsourced to an external partner. Many law firms offer not just whistleblower system implementation services, but also ongoing scheme management services, screening, and case management.
The advantages of this approach are the guarantee of impartiality by the party managing the cases, the time savings for your team, and the increase in efficacy derived from having an outsourced team specialized in managing whistleblower reports.
The disadvantages are additional monthly/yearly retainer fees, and the potential for security breaches in the process of communication between your company and the case management company.
The EU Directive on Whistleblowing adds a requirement for organizations to establish an internal reporting system that potential whistleblowers can use. However, there are two more routes whistleblowers can take.
First, they can choose to report externally, to the pertinent public authorities when the whistleblower has a reason to suspect that internal channels are compromised or not effective.
Secondly, they can use the channel of public disclosure by, for example, informing the media. They are protected by EU law if they reported internally or externally and no action was taken or had a reason to believe there is imminent danger to the public.