Get useful tips, learn best practices and read the latest newsThe Whistlelink Blog

Implementing a whistleblower system: Our 6 best tips 

Implementing a whistleblower system

An internal reporting system should be safe for the whistleblower to use, ensure confidentiality, and help you manage whistleblower reports securely and efficiently. Read our 6 tips for implementing a whistleblower system, that meet all the requirements of the EU Whistleblowing Directive. 

In this article, we will take a closer look at: 

  1. What is a whistleblower system? 
  2. What are the requirements of the law? 
  3. Key features of a whistleblowing system 
  4. Handling and investigation of received reports 
  5. Why several reporting channels are needed 
  6. The importance of informing and educating employees 

Whistleblowers do a great service to society and the organisation itself by reporting misconduct in both private and public entities. In Report To The Nations (ACFE, 2020) it is estimated that companies lose, on average, around 5% of their income due to various types of fraud. Therefore, we need to emphasise the importance of promoting a healthy corporate culture where employees feel safe. They should not be afraid to blow the whistle on illegal activities and other serious misconduct. 

Read on to learn more about the process of implementing a whistleblower system that employees can trust. 

1. What is a whistleblower system? 

A whistleblower system includes various processes and procedures for anonymously reporting misconduct through the organisation’s reporting channel. These processes can be internal, however the organisation may also choose an external whistleblowing system supplier.   

A whistleblowing system should have several different reporting channels where a whistleblower can anonymously submit his or her complaint. These can include, for example, a telephone hotline and a website. The organisation will also need to implement a whistleblower policy and other ethical guidelines for the use of the reporting channels. The policy should outline how the reporting process works, what is done to counter retaliation against whistleblowers, and how the information will be used for continuous improvements. 

2. What are the requirements of the law? 

The new EU Whistleblowing Directive came into force on 17 December 2021. To meet the Directive’s requirements, organisations with 50+ employees and municipalities with over 10,000 inhabitants must implement secure and effective reporting channels. However, not all EU member states have adopted the Directive into national law yet. To see the current status of the deadline in your country, please read Where countries are up to in adopting the EU Whistleblowing Directive

We do not recommend waiting until the last minute and encourage organisations to review their whistleblower solutions as soon as possible. For more information about compliance with the EU Whistleblower Directive, please read more here

3. What are the key features of a whistleblower system? 

The goal of implementing a whistleblower system is for employees to feel safe. They need to be able to trust that reports are taken seriously and followed up on in a professional way, without the whistleblower being subjected to any retaliatory actions. The whistleblower system must be part of the organisation’s strategic work and supplement the code of conduct.  

A successful whistleblower service should contain the following features: 

The whistleblower system must be easily accessible. 

Everyone (not just employees) must know how, and where, to submit a report. Submitting whistleblower reports should be as simple as possible, regardless of which reporting channel you choose. Some good examples are an online whistleblower system with its own website, compatible with all devices and reachable by everyone, as well as an around-the-clock phone hotline. 

The whistleblower system must be secure

The EU Whistleblower Directive states reporting channels must be secure and confidential. This means that only designated, authorized persons can have access to the information in the reports. The whistleblower’s anonymity must also be guaranteed throughout the process. To maintain confidentiality, anonymous reporting should be utilized. This allows for two-way communication with the anonymous whistleblower. 

The whistleblower system must comply with the GDPR. 

Another requirement of the Whistleblower Law is that the system must be compatible with the GDPR when it comes to personal data. This also includes all information in the whistleblower report. Following the Schrems II judgment, it is no longer possible for European companies to use the Privacy Shield Agreement with the United States for transfer of personal data to third parties. Therefore, you should make sure to choose a provider of whistleblowing systems where all data is stored on servers within the EU / EEA.  

You can read more about data security and hosting here.  

The whistleblower system must be efficient and comply with deadlines 

It is important that the whistleblowing system is easy to navigate for the individual(s) who will receive and follow up whistleblowing reports. The EU Whistleblowing Directive stipulates that the whistleblower shall receive a confirmation receipt within 7 days. Feedback about the case and possible measures must be shared within three months. 

4. Handling and investigation of received whistleblower reports 

It is important to appoint an impartial and independent person or department to receive, review, and follow up on whistleblower reports. There must be no conflicts of interest (for example, where the recipient is mentioned in the report). Therefore, several people may have to be appointed for different roles. The designated person or department is also responsible for communicating with the whistleblower. For example, requesting additional information, and/or providing feedback on how the case is progressing. 

Implement a whistleblowing system with a straightforward process. A confirmation receipt for the whistleblower report within 7 days (we recommend max 1-2 days) and feedback about the case within three months. To ensure the system is perceived as fair and impartial, be consistent. A reliable and secure option is to select  a digital whistleblowing system. It is also possible to add external case management for handling whistleblower reports.  

When receiving a whistleblower report, you must first decide how the investigation is to proceed. In a digital whistleblower system, it is easy to create reminders and deadlines for cases and transfer them to the relevant department within the organisation. An automated process makes it easier to comply with the requirements of the EU Directive. 

You can read more about the do’s and don’ts when it comes to managing whistleblower reports here.  
 

5. Implement a whistleblower system with both verbal and written reporting channels 

The requirements for a whistleblowing system and its reporting channels differ slightly depending on the type of organisation. First and foremost, the deadline for implementing a secure whistleblower system is either 17 December 2021 (which means it is overdue!) or 17 December 2023, depending on the number of employees.  

There are also some exceptions. For example, municipalities can share whistleblowing functions between them. In addition, companies with less than 250 employees that are part of a company group can to a certain extent share resources for investigating whistleblower reports with the main company. The reporting channels must, however, be active and functioning at the subsidiary level. They may not be fully shared with other companies in the same group. 

Read more about Group-wide whistleblowing systems not enough for the European Commission here 

The EU Whistleblower Directive also emphasises that not only current employees need to have access to the reporting channels. Organisations must ensure that the whistleblower system is accessible for, among others, former employees and job applicants, trainees and volunteers, freelancers, and suppliers, as well as shareholders and people in management and supervisory positions. 

To lower the threshold for submitting a whistleblower report as much as possible, it is a good idea to implement several different reporting channels. They can be adapted within the company’s operations. Employees doing fieldwork might prefer a phone hotline, while people working remotely from home may prefer to use a digital whistleblowing platform. 

6. The importance of informing and educating employees  

A whistleblowing service is only effective if everyone knows about it. Everyone should know how to submit a report, and how the received reports should be managed. It requires education for all employees and managers. To encourage employees to speak up, the organisation may need to continuously follow up on corporate culture and educate employees on the importance of whistleblowing. 

An important part of the training is to implement a policy against retaliation. The company can be sued for damages if it has failed to protect whistleblowers against retaliatory actions after they have reported misconduct. Therefore, it is important to follow up if the whistleblower feels exposed to such actions and be clear about how this will be handled. 

It is always a good idea to be as transparent as possible regarding the entire whistleblower process and subsequent investigations. It is not necessary (or even legal) to divulge in too much detail about the investigation and possible measures. But it is, however, possible to share anonymous statistics on whistleblower cases. Showing that the whistleblower system is used and working as intended will create trust among employees

Reading tip: How to help employees understand your whistleblowing policy 

Monitor and improve continuously 

At first, it can be difficult to assess how successful the whistleblowing system is. Looking only at the number of reports received is not a good measurement. Receiving few reports can suggest that there are few problems within the organisation, but it can also indicate a fear of using the whistleblowing service. Best practice is to monitor the process continuously and evaluate long-term trends and deviations. What could be the reason behind a sudden increase or decrease in the number of reports? Are some departments receiving a disproportionate number of reports? An internal evaluation of the whistleblower system at regular intervals can provide a better understanding of how comfortable employees feel using it. 

If you have any thoughts about this article or would like to know more about Whistlelink, we’d love to hear from you.

Liked this article?
Spread the word

The EU Whistleblowing Directive explained

Philippa Johnsson,
Whistlelink
 

Try Whistlelink for free

Test our whistleblowing system free for a month

The new whistleblowing law

WHISTLELINK BLOGWhat to read next...​

ISO 37002:2021 Whistleblowing Management Systems
Internal investigation of alleged corporate misconduct
Partner interview with Alexandra Mota Gomes, Partner at Antas da Cunha, Portugal

HAPPY TO MEET YOU!

Get in touch

Our team is ready to answer your questions. Find the answer by visiting our support centre, or fill out the form below and we'll be in touch as soon as possible. Or simply give us a call!

Talk with Territory Manager
Annelie Demred

0046 (0)706 83 82 88