EU Whistleblowing regulations: Further clarified

20 October 2021

by Frank Staelens

The EU Whistleblower Protection Directive came into force on 16 December 2019. Member States have until 17 December 2021 to transpose the new EU regulations into national laws. The latest progress reports show that most Member States will not be able to meet this deadline. Even with some delays in some Member States, most EU organisations with more than 250 employees only have a few months left to organise their compliance, while the average implementation time for non-complex environments is two months.

Both large and small EU-based organisations, in both the private and public sector, regardless of ownership and the location of head offices, will need to organise their compliance with the new EU whistleblowing regulations. However, there are some exemptions. Organisations with fewer than 250 employees have two more years to organise their compliance. Small organisations with fewer than 50 employees are exempted from the requirement to implement internal reporting channels.

Reporting scope

The EU protection only applies to the reporting of EU law breaches. Member States have been requested to consider extending the scope to national law breaches, which many have already declined. However, national law breaches often also amount to EU law breaches. Therefore, whistleblowers who report illegal acts within a work-related context will in most cases become eligible for protection against retaliation. Whistleblowers also do not require proof before submitting reports; a reasonable suspicion suffices.

Reporting setup

A confidential reporting setup will be required. Whistleblowers should know to whom they report, and persons other than the initial recipient can only obtain access to the content and the identity of the whistleblower with the whistleblower's approval. This excludes the use of general email addresses or personal mailboxes that are accessible to IT administrators.

Reporting systems

Although the reporting channels (web, voice, mail, post) can be freely chosen, the new regulations require a secure and GDPR-compliant setup. All data related to whistleblowing is best kept in Europe, and all communication around whistleblowing is best encrypted. Web-based reporting systems are the easiest way to justify a secure and GDPR-compliant setup. However, not all providers are the same. There are substantial differences in cost, user-friendliness and security settings.

Reporting stakeholders

All individuals working within the organisation have reporting rights (employees, temporary personnel, directors, shareholders …). Certain categories of third parties also have reporting rights; these include former employees, contractors and suppliers. Confidential reporting systems should be made available to all reporting stakeholders.

Reporting destinations

Reporting stakeholders cannot be obliged to report internally first. They will all have the free choice to report immediately to the competent authorities. From a corporate governance perspective it will be important for organisations to create the ideal circumstances for internal reporting. Confidence in the safety of the internal reporting channels will be important. Clear protection measures against retaliation will be necessary. From this perspective it is also advisable for organisations to allow anonymous reporting.

Case governance

The case governance principles are competence, diligence and impartiality. Impartiality is the most difficult to organise because it presumes that there is no interference from the business. The only function that can justify its independence from the business and at the same time is not conflicted is the Compliance Officer. Management reporting is best organised through an Ethics Committee. Diligence will require both a consistent and a timely follow-up on cases. A risk scoring methodology will be needed to ensure a consistent approach and support a defensible position.

In order to ensure a timely follow-up, organisations will need to organise themselves around the feedback deadlines (notification within seven days, status reporting within three months, …). The principle of competence presumes that the case recipient has experience with the handling of the reported matters and the handling of whistleblowers in general. Regulators have already indicated that organisations lacking an experienced compliance function should consider outsourcing the case handling.

Rights abuse

Staged whistleblowing can be organised to trigger the reversed burden of proof that rests on organisations. Whistleblowing can therefore be used as a means to block negative decisions (dismissal, demotion, contract termination, …). To avoid abuse of rights, organisations can consider assigning an external case recipient who takes care of the identity management. Knowing the identities of whistleblowers is of no value to organisations in the majority of cases. The identity only becomes important when a case can be qualified as high or critical risk.

Personal data

Organisations will need to document how they will prevent unauthorised access to whistleblowing data, while taking into account the GDPR access rights to personal data. Any individual mentioned in a whistleblowing report should be informed of how their personal data will be processed as soon as practically possible. However, deferring this information may be justified if it could jeopardise the investigation of the reported matters.

Duty of documentation and information

Organisations are required to document their whistleblowing management process. All reporting stakeholders need to be informed about it; this includes pro-active reporting to the competent authorities. In order to avoid an overload of questions from whistleblowers and the persons defending them (lawyers, unions, …), a clear whistleblowing policy and process will be required. The "who, what, where, when and why" around whistleblowing is best explained. Proof of reading will be necessary, but proof of understanding will become best practice.

Non-compliance risks

Some consider the risk of enforcement to be low. Even if that were true, the main non-compliance risk is not fines but reputation damage. Not facilitating secure reporting, or a non-diligent follow-up on feedback deadlines, can result in public disclosure immunity. As a result, whistleblowers could be given the opportunity to go public and reveal their grievances in the press or on social media, while remaining eligible for protection against any form of retaliation.

The author, Frank Staelens, is Managing Director of Whistleblowing Management.EU, a European network of experienced and impartial experts that provide support on whistleblowing management and technologies.