How to get compliant with the Whistleblowing Law
An internal reporting system should be safe for the whistleblower to use, ensure confidentiality, and help you manage whistleblower reports securely and efficiently. Read our 6 tips for implementing a whistleblower system that meets all the requirements of the EU Whistleblowing Directive.
Whistleblowers do a great service to society and the organisation itself by reporting misconduct in both private and public entities. In Report To The Nations (ACFE, 2020) it is estimated that companies lose, on average, around 5% of their income due to various types of fraud. Therefore, we need to emphasise the importance of promoting a healthy corporate culture where employees feel safe. They should not be afraid to blow the whistle on illegal activities and other serious misconduct.
Read on to learn more about the process of implementing a whistleblower system that employees can trust.
A whistleblower system includes various processes and procedures for anonymously reporting misconduct through the organisation’s reporting channel. These processes can be internal; however, the organisation may also choose an external whistleblowing system supplier.
A whistleblowing system should have several different reporting channels where a whistleblower can anonymously submit his or her complaint. These can include, for example, a telephone hotline and a website. The organisation will also need to implement a whistleblower policy and other ethical guidelines for the use of the reporting channels. The policy should outline how the reporting process works, what is done to counter retaliation against whistleblowers, and how the information will be used for continuous improvements.
The EU Whistleblowing Directive came into force on 17 December 2021. To meet the Directive’s requirements, organisations with 50+ employees and municipalities with over 10,000 inhabitants must implement secure and effective reporting channels. Most EU member states have since transposed the EU Directive into national law. To see the current status of your country, please read more about the National whistleblowing laws in the EU here.
We encourage organisations to review their whistleblower solutions as soon as possible to ensure they implement a system that is compliant not only with Whistleblower Protection laws but also fulfills the requirements of the GDPR.
The goal of implementing a whistleblower system is for employees to feel safe. They need to be able to trust that reports are taken seriously and followed up on in a professional way, without the whistleblower being subjected to any retaliatory actions. The whistleblower system must be part of the organisation’s strategic work and supplement the code of conduct.
The whistleblower system must be easily accessible.
Everyone (not just employees) must know how, and where, to submit a report. Submitting whistleblower reports should be as simple as possible, regardless of which reporting channel you choose. Some good examples are an online whistleblower system with its own website, compatible with all devices and reachable by everyone, as well as an around-the-clock phone hotline.
The whistleblower system must be secure.
The EU Whistleblower Directive states reporting channels must be secure and confidential. This means that only designated, authorized persons can have access to the information in the reports. The whistleblower’s anonymity must also be guaranteed throughout the process. To maintain confidentiality, anonymous reporting should be utilized. This allows for two-way communication with the anonymous whistleblower.
The whistleblower system must comply with the GDPR.
Another requirement of the Whistleblower Law is that the system must be compatible with the GDPR when it comes to personal data. This also includes all information in the whistleblower report. Following the Schrems II judgment, it is no longer possible for European companies to use the Privacy Shield Agreement with the United States for transfer of personal data to third parties. Therefore, you should make sure to choose a provider of whistleblowing systems where all data is stored on servers within the EU / EEA.
You can read more about data security and hosting here.
The whistleblower system must be efficient and comply with deadlines.
It is important that the whistleblowing system is easy to navigate for the individual(s) who will receive and follow up whistleblowing reports. The EU Whistleblowing Directive stipulates that the whistleblower shall receive a confirmation receipt within 7 days. Feedback about the case and possible measures must be shared within three months.
It is important to appoint an impartial and independent person or department to receive, review, and follow up on whistleblower reports. There must be no conflicts of interest (for example, where the recipient is mentioned in the report). Therefore, you may have to appoint several people for different roles. The designated person or department is also responsible for communicating with the whistleblower, for example by requesting additional information and/or providing feedback on how the case is progressing.
Implement a whistleblowing system with a straightforward process: a confirmation receipt for the whistleblower report within 7 days (we recommend max 1-2 days) and feedback about the case within three months. To ensure the system is perceived as fair and impartial, be consistent. A reliable and secure option is to select a digital whistleblowing system. It is also possible to add external case management for handling whistleblower reports.
When receiving a whistleblower report, you must first decide how the investigation is to proceed. In a digital whistleblower system, it is easy to create reminders and deadlines for cases and transfer them to the relevant department within the organisation. An automated process makes it easier to comply with the requirements of the EU Directive.
You can read more about the do’s and don’ts when it comes to managing whistleblower reports here.
The requirements for a whistleblowing system and its reporting channels differ slightly depending on the type of organisation. First and foremost, the deadline for implementing a secure whistleblower system was 17 December 2023, depending on the number of employees.
There are also some exceptions. For example, municipalities can share whistleblowing functions between them. In addition, companies with fewer than 250 employees that are part of a company group can, to a certain extent, share resources for investigating whistleblower reports with the main company. The reporting channels must, however, be active and functioning at the subsidiary level. They may not be fully shared with other companies in the same group.
Read more about Group-wide whistleblowing systems not enough for the European Commission here
The EU Whistleblower Directive also emphasises that not only current employees need to have access to the reporting channels. Organisations must ensure that the whistleblower system is accessible for, among others, former employees and job applicants, trainees and volunteers, freelancers, and suppliers, as well as shareholders and people in management and supervisory positions.
To lower the threshold for submitting a whistleblower report as much as possible, it is a good idea to implement several different reporting channels. They can be adapted within the company’s operations. Employees doing fieldwork might prefer a voice messaging feature or a phone hotline, while people working remotely from home may prefer to use a digital whistleblowing platform.
A whistleblowing service is only effective if everyone knows about it. Everyone should know how to submit a report, and how to manage the received reports. It requires education for all employees and managers. To encourage employees to speak up, the organisation may need to continuously follow up on corporate culture and educate employees on the importance of whistleblowing.
An important part of the training is to implement a policy against retaliation. The company can be sued for damages if it has failed to protect whistleblowers against retaliatory actions after they have reported misconduct. Therefore, it is important to follow up if the whistleblower feels exposed to such actions and be clear about how this will be handled.
It is always a good idea to be as transparent as possible regarding the entire whistleblower process and subsequent investigations. It is not necessary (or even legal) to divulge too much detail about the investigation and possible measures. It is, however, possible to share anonymous statistics on whistleblower cases. Showing that the whistleblower system is used and working as intended will create trust among employees.
Reading tip: How to help employees understand your whistleblowing policy
At first, it can be difficult to assess how successful the whistleblowing system is. Looking only at the number of reports received is not a good measurement. Receiving few reports can suggest that there are few problems within the organisation, but it can also indicate a fear of using the whistleblowing service. Best practice is to monitor the process continuously and evaluate long-term trends and deviations. What could be the reason behind a sudden increase or decrease in the number of reports? Are some departments receiving a disproportionate number of reports? An internal evaluation of the whistleblower system at regular intervals can provide a better understanding of how comfortable employees feel using it.
Whistlelink has delivered whistleblowing solutions to satisfied customers for more than 10 years. Our whistleblower service is available on your own website 24/7.
We offer 35+ languages in a customized, user-friendly digital whistleblower solution where all data is stored on servers within Europe, in accordance with GDPR. Start your free trial today!
If you have any thoughts about this article or would like to know more about Whistlelink, we’d love to hear from you.
Whistlelink values your privacy. We will only contact you about our solutions.
You may unsubscribe at any time. For more info, please review our Privacy Policy