How to get compliant with the Whistleblowing Law
After the EU Whistleblowing Directive came into force on 17 December 2021, organisations in Europe need to implement whistleblowing channels.
But how do you decide which solution is best for your own organisation? Here are some important things to keep in mind when choosing an external system for your whistleblowing channel.
The Directive doesn’t set any requirements for the exact design of the organisation’s whistleblowing channel, except that internal solutions must allow for reports in writing and/or orally. If the individual desires, he or she can also request a physical meeting.
The law also specifies that an organisation must confirm receipt of a report within seven days, and provide feedback to the whistleblower within three months. An organisation must also appoint a responsible person or department for the channels, and reports must be saved in an appropriate manner. Whistleblowing policies and procedures should also be documented in writing.
According to the law, the channels must:
An organisation can choose to build its own reporting channels and processes. But why tie up resources unnecessarily when there are ready-made whistleblowing systems on the market?
Many organisations choose to use a third party’s external system for their whistleblowing channel. These are SaaS solutions that are built for the purpose and ready to use immediately.
There is no guarantee that all systems meet the requirements of the EU Whistleblowing Directive or local whistleblowing laws.
Many of the external systems available on the market may seem functional and compliant, based on what the provider tells you on its website or in a demo. But you still need to make sure the system actually helps your organisation be compliant. Just as important is ensuring that the system you choose is both user-friendly and easy to implement and maintain.
Think about what your main goal with the whistleblowing system is. If you want to encourage employees to report wrongdoing, and create a safe environment to do so, you should prioritise a system that offers a range of features, as well as anonymous two-way communication with the whistleblower. It should also be a solution that you can customise for your organisation to make it instantly recognisable to employees.
Also consider how user-friendly and intuitive the interface is and if the system works on different types of devices, such as PC and mobile. Does the system provider also help you out with user guides and support help?
Personal data is only secure if the system is secure. Check what measures are taken to protect your organisation against risks, for example encryption of data, multi-factor verification, access and action control, and protection against external attacks. Also think about it from the whistleblower’s perspective – does the solution appear safe and credible?
The EU Directive requires compliance with the GDPR, which covers handling of personal data and data in the whistleblowing channel. Check where your system of choice stores sensitive material and what security measures the provider takes. Following the Schrems II ruling, companies that process personal data of European citizens can no longer use the EU-US Privacy Shield Agreement for the transfer of personal data. By choosing a system that stores data in Europe (EU / EEA area), you avoid that worry.
The systems’ internal processes usually differ when it comes to how to collect and handle reports, or how to forward cases to the assigned person within the organisation. Examine what the case management module looks like in your preferred whistleblowing system. Check if it’s possible to provide limited access to specific roles for individual cases. Some systems may offer greater flexibility and custom-made processes for your organisation.
Different systems use various technical solutions for the reporting process and for the software that handles cases. Determine if the system offers features that are important to you, and if it is user-friendly and secure. Consider whether there are built-in features for secure, anonymous two-way communication between the recipient of the report and the whistleblower.
You can often get a better overall picture of the system by requesting a demo.
Some solution providers offer other services in addition to the actual whistleblowing system. For example, a provider could offer an external intake management service, or advice on handling individual cases.
It often makes more economic sense to consider a more comprehensive solution that will be good for the long term. This is especially true if your whistleblowing channel is a first step in the development of a more comprehensive risk and compliance management program.
Whistlelink can help you with all of this. Would you like to discuss a whistleblowing system for your organisation? Get acquainted with our system here and then contact us for further information!
Would you like to learn more about a whistleblowing service and safe internal reporting channels? Read more about the EU Whistleblowing Directive here and at EUR-Lex.
If you have any thoughts about this article or would like to know more about Whistlelink, we’d love to hear from you.
Whistlelink values your privacy. We will only contact you about our solutions.
You may unsubscribe at any time. For more info, please review our Privacy Policy