At a glance:
- Whistleblower Protections That Organisations Need to be Aware Of
- EU Directive Obligations on Businesses
- What Are the Next Steps?
- Checklist: Get Your Company Ready for the EU Whistleblowing Directive
- White Paper: Which Reporting Channels Are Suitable For Your Organisation?
- Reading Recommendations
Whistleblowers are brave, but sometimes people who openly raise concerns in their companies regret this bravery: they can be ostracized, overlooked for promotion or even lose their jobs. There are a number of high-profile examples of this. It is also however worth noting that the most well managed whistleblowing cases don’t ever hit the headlines.
Now the European Union wants to ensure that whistleblowers have adequate protections and that employees and other stakeholders can raise concerns confidentially and confidently. A directive has been agreed upon which ensures a uniform level of protection for whistleblowers in Europe. Following the formal adaptation of the directive by the EU Council on October 7 2019, a two-year implementation period begins during which time EU member states will be obliged to implement the directive into their own national laws until 2021.
The core feature of this directive is protection for whistleblowers. The essential points are:
- Protection not only exists for employees who report their concerns, but also for job applicants, former employees, supporters of the whistleblower and journalists.
- These persons are protected from dismissal, degradation and other discrimination.
- Protection applies only to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offences, product and road safety, environmental protection, public health and consumer and data protection (the EU is encouraging national legislators to extend this to also covering wrongdoing relating to national laws).
- The whistleblower can initially choose whether to report a concern internally within the company or directly to the competent supervisory authority. If nothing happens in response to such a report, or if the whistleblower has reason to believe that it is in the public interest, they can also go directly to the public. They are protected in both cases.
With these safeguards the EU is signaling to whistleblowers that they have nothing to fear while encouraging individuals to report on company infringements.
The EU Directive also imposes a number of obligations on businesses:
- Companies with more than 50 employees or more than €10 million Euros in annual turnover will be obliged to set up suitable internal reporting channels. Companies with 250 or more employees will be expected to comply within two years of adoption, companies with between 50 and 250 employees have a further two years after transposition to comply.
- Whistleblowers should be able to submit reports either in writing via an online system, a mailbox or by post and/or orally via a telephone hotline or answering machine system. Companies are also obliged to offer a personal meeting should the whistleblower request it. Companies must ensure that the identity of the whistleblower is kept confidential regardless of which reporting channel is used.
- All personal data, both that of the whistleblower and any accused persons, must be handled in accordance with the GDPR.
- Companies must determine the "most suitable" person to receive and follow up on reports internally. According to the EU, this could be a:
- Compliance officer
- Head of HR
- Legal counsel
- Chief Financial Officer (CFO)
- Executive board member or management
- Companies can also outsource the processing of reports, for example to an external ombudsman.
- The company is obliged to confirm receipt of the report to the whistleblower within seven days. The whistleblower must be informed of any action taken within three months, the status of the internal investigation and its outcome.
- Companies are required to provide information on the internal reporting process as well as on the reporting channel(s) to the competent authority. This information must be easily understandable and accessible, not only to employees, but also to suppliers, service providers and business partners.
- All reports received must be kept in a secure place so that they can be used as evidence where appropriate.
- Companies with between 50 and 250 employees may use a shared reporting channel to obtain and identify evidence, provided that all obligations outlined are met.
The EU directive also includes details on sanctions. Companies that obstruct the reporting of concerns or attempt to obstruct them will face penalties. The same applies if companies fail to keep the identity of the whistleblower confidential. Retaliatory measures against whistleblowers will also be punished. It is the job of national legislators to determine the severity of these sanctions.
While the Directive clearly benefits whistleblowers we also believe there are significant benefits for organizations. Most importantly, by ensuring that effective whistleblowing arrangements are in place, employees and other stakeholders are encouraged to raise concerns internally. By doing so, organizations have an opportunity to identify and manage risk at an early stage, helping to avoid or limit financial and reputational damage.
The Whistleblower Protection Directive was finally approved by the EU Council on 7 October 2019. The directive will now be formally signed and set for publication in the Official Journal of the European Union. This marks the start of the two-year period during which EU member states must transpose the requirements into their own national legislation. By 2021 companies with more than 250 employees must fulfill their obligations and two years later this will also apply to companies with 50 to 250 employees.
However, companies are advised not to wait until the last minute and to take action at an early stage. The Whistleblowing Report 2019 shows that many companies have already proactively set up hotlines and received reports that have enabled them to better manage risk within their organizations.
The freedom of choice aspect for whistleblowers is something companies need to note in particular. If the whistleblower cannot find suitable internal reporting channels, he or she can contact the relevant authority or even go public – the worst outcome for companies. It is therefore essential that suitable internal reporting channels are available and known about within the company. To ensure that employees feel comfortable reporting internally, the channels should be available 24/7, offer anonymity, be available in the relevant languages, have comprehensible explanatory texts and be accompanied by an effective internal communication strategy.
Simplify the implementation of your EU-compliant whistleblower system.
Feel free to contact one of our compliance experts for advice on setting up an EU-compliant whistleblower system.
In our white paper we also introduce a selection of reporting channels. Download your free version here.