
How to Make Your Company Compliant with the EU Whistleblowing Directive

If your company – whether it’s private or public – has 50 employees or more, your best decision today is to keep on reading:

From December 17, 2023, you need to have an internal whistleblowing scheme to ensure a secure and confidential channel where whistleblowers can report offenses and other serious matters.

This is required by law under the EU Whistleblowing Directive.

So, we’ll help you navigate through it in this blog article – and when you’ve reached the end, you’ll know:

What is whistleblowing – and who can blow the whistle?

The term comes, as you might have guessed, from someone blowing a whistle to call out and stop a wrongdoing, like a police officer or a sports referee.

In the context of the EU Whistleblowing Directive, it concerns individuals within an organization who ‘speak up’ to disclose information about unethical, illegal, or unsafe activities they’ve witnessed.

And we say ‘individuals’ since a whistleblower isn’t ‘just’ an employee. It can be any person who has a relation to your organization, like a worker, shareholder, supplier, former worker, volunteer or unpaid trainee, or even a person you had in for a job interview.

In essence, whistleblowing works as a moral compass for the organization and its ‘members’, highlighting the importance of transparency and accountability.

The whistleblowing directive: What’s what?

When it comes to setting up an internal whistleblowing scheme, companies have been subject to different deadlines depending on company size. The deadlines are:

  • December 17, 2021, for companies with 250 employees or more.
  • December 17, 2023, for companies with 50 employees or more.

So, even if there are fewer than 50 employees in your organization, we believe there are at least two reasons for you to get on a first-name basis with the EU Whistleblowing Directive:

First reason: If you plan to grow your business, the directive will affect you – and we recommend being well prepared for that scenario.

Second reason: There might be a national law that obliges you to have a whistleblower scheme.

Let’s give you an example:

A small financial company with 46 employees has established a whistleblower scheme to meet the requirements of the Financial Business Act, which stems from EU legislation.

This means that the company’s whistleblower scheme must comply with the requirements of both the Financial Business Act and the Whistleblower Act (from December 17, 2021), even if the company has fewer than 50 employees.

The types of allegations whistleblowers can submit

The EU Whistleblowing Directive gives whistleblowers the right to report any violation of EU law. Article 2 of the Directive specifically lists the following categories as examples:

  • Public procurement
  • Financial services
  • Products and markets
  • Prevention of money laundering and terrorist financing
  • Product safety and compliance
  • Transport safety
  • Protection of the environment
  • Radiation protection and nuclear safety
  • Food and feed safety
  • Animal health and welfare
  • Public health
  • Consumer protection
  • Protection of privacy and personal data
  • Security of network and information systems
  • Corporate tax avoidance/evasion
  • State aid

We need to make one thing clear: These examples are a minimum.

Member States can strengthen the protection through their own national laws. This means that HR and recruitment issues might get extra coverage.

For example, in Denmark ‘serious legal violations’ and ‘other serious matters’ are also covered.

This covers serious, evident breaches of law as well as other serious matters that are not necessarily illegal in themselves. These could be violations such as bribery or sexual harassment.

How your organization should handle reports

As Article 9 of the EU Whistleblowing Directive states, organizations should follow a set of principles when managing internal reports. Here are the ones you need to be on a first-name basis with:

  • Security
  • Confidentiality
  • Acknowledgment
  • Impartiality
  • Due diligence
  • Timeliness
  • Clarity
  • Accessibility

To cover these principles, we’ll take you through 6 initiatives that make your whistleblowing scheme hands-on – and, not least, compliant.

The 6 initiatives that’ll make you compliant with the whistleblowing directive

Now, you have the basics in place. Let’s get to the fun part and make them hands-on, shall we? Here are 6 initiatives, following the EU Whistleblowing Directive’s principles, that will ensure your whistleblowing compliance.

#1: Ensure an internal policy and training

The EU Whistleblower Directive is not made to protect your organization; it’s made to protect the members of your organization.

Therefore, your most important job is to make sure that they know and understand your internal whistleblowing scheme – and are able to use it.

So, first and foremost, you need an internal whistleblowing policy that is easy for your employees and other workers to understand and access. The policy can be explained and exemplified in guidelines, brochures or other informative materials.

Next, we recommend running an awareness program that takes your employees through the other five initiatives, making sure that they understand them and are able to act on them. Once again, it’s a good idea to give them examples or cases of whistleblowing or even, if you have the resources, to let them submit a fictional report.

Following this initiative, you create clarity on your internal whistleblowing scheme and the way you handle reporting.

#2: Set up proper processes and reporting channels

Building a strong foundation is key, so you need to ensure that internal channels for receiving reports are designed, established, and operated with security at the forefront.

The Directive defines three types of reporting:

  • Internal reporting. To give information, either in writing or orally, on breaches within a legal entity in the private or public sector.
  • External reporting. To give information, either in writing or orally, on breaches to the competent authorities.
  • Public disclosure or ‘to publicly disclose’. To make information on breaches available in the public domain.

Across these three types, the Directive allows reports to be made both orally and in writing.

An oral reporting channel can be via hotline, voice messaging system, or face-to-face.

A written reporting channel can be an online reporting platform, email, or letter.

Which channel(s) work best for your organization depends on your resources and how well they can support the format of each channel.

However, national law may impose requirements regarding the means.

In Denmark, for instance, it’s decided by law that organizations need to have a written means as a minimum.

Also, we highly recommend using both oral and written means, since individuals have their own preferences.

Following this initiative, you handle reporting with security as the aim.

#3: Implement the necessary support measures

Having the foundation in place, you need to support it with the… well, right support to make sure that the reporting person is taken seriously and that someone will handle their report with professionalism.

First and foremost, you need to appoint an impartial entity for follow-ups that ensures open communication with the reporting person. When necessary, the entity has to be able to give additional information and constructive feedback.

Also, organizing investigations and follow-ups with due diligence is important to demonstrate reasonable care and effort throughout the process.

Following this initiative, you handle reporting with impartiality and due diligence.

#4: Communicate the scope of application

You are not the only one who needs to know whether a report concerns a breach in the areas referred to in the whistleblower act. The whistleblowers have to know too.

That’s why you need to clearly communicate what kinds of wrongdoing they can report. Giving them this overview could be done via a whistleblower policy.

Following this principle, you support initiative #1 and, therefore, handle reporting with clarity.

#5: Ensure processes that meet feedback obligations

Compliance is, among other things, about knowing important deadlines and timeframes. Therefore, you need to set up a reasonable timeframe for feedback and follow-ups:

Acknowledgment of receipt should be given within seven days of receiving a report.

A courteous follow-up on a report should be given to the whistleblower within three months.

Following this initiative, you handle reporting with acknowledgement and timeliness.

#6: Protect data like a safeguard

Okay, it feels like choosing between your kids, but still, this initiative – and data protection in general – is close to our heart.

Therefore, we cannot emphasize enough that you need to adhere to well-thought-out data protection practices. The whole purpose of your internal whistleblowing scheme, and the criterion for its success, is to ensure people’s anonymity and right to privacy. That goes for both the reporting person’s identity and any third parties being mentioned.

For the same reason, you should limit access strictly to authorized personnel.

As is also the case under the GDPR, you may only store the data for the necessary and proportionate duration defined by the Directive or other pertinent legal obligations.

Following this initiative, you handle reporting with confidentiality (and security).


Like any other compliance workload, complying with the EU Whistleblowing Directive takes time and resources, but the 6 initiatives above will pave the way for your whistleblowing compliance. However, if you’re curious to know about a shortcut, you should use two well-spent minutes to dive into our whistleblower software.
