How to Comply With the EU Whistleblowing Directive

If your organization operates within the EU and has 50 or more employees (or is closing in on this important mark), you’re probably covered by the requirements of the whistleblowing act to implement a whistleblower function. It’s important to note that requirements may vary from country to country, and this summary is based on the most common practices among EU countries implementing their own legislation.

If your organization has over 250 employees, you must meet these requirements as soon as possible. If you have between 50-250 employees, the deadline for compliance is this year — Dec. 17, 2023. 

Internal reporting channels

Compliance with the directive requires organizations with more than 50 employees to have internal reporting channels that ensure confidentiality and security for whistleblowers, including adherence to GDPR regulations.

While anonymous whistleblowing can be refused (“strictly confidential” reporting is allowed), most whistleblowing experts around the world, myself included, agree that it is highly recommended to allow people to make anonymous reports, as it is the most efficient approach and simplifies compliance with regulatory obligations.

Cybersecurity

Blowing the Whistle: Exploring Federal Protections After Twitter Testimony

by Katherine Krems

September 28, 2022

Twitter’s been in the news of late thanks to Elon Musk’s (failed?) takeover bid, but another recent bit of Twitter news could be even more concerning for data privacy advocates.

Read moreDetails

Protection against retaliation

Whistleblowers must be safeguarded against any retaliation that may result from their decision to blow the whistle. The protective measures extend beyond termination to other forms of retaliation, such as non-promotion, demotion, alterations in working conditions, disciplinary sanctions, non-renewal of employment contracts, and threats or harassment.

It is important to note that legal or contractual obligations, including loyalty clauses or confidentiality obligations, cannot serve as an impediment to the application of protection against retaliation. Such obligations do not negate the need for ensuring the protection of whistleblowers.

Data protection

Given that whistleblowing often involves the handling of personal information, it is imperative to note that the EU GDPR applies to whistleblowing activities. Failure to comply with those requirements may result in violations of the GDPR, which can lead to severe financial consequences, including fines of up to 20 million euros or 4% of the organization’s global revenue.

This is another argument to enable anonymous reporting since this simplifies compliance with the GDPR in some ways. It also emphasizes the importance of secure and rigorous whistleblower systems.

Communication

In most EU countries, you must allow whistleblowers to report cases verbally and in writing, and they should also have the option to schedule a physical meeting. There are specific requirements for documenting interactions appropriately, which must be strictly adhered to. It is, of course, preferable if you can report in multiple ways and book a physical meeting in the whistleblower system — otherwise, you might need to set up different reporting channels/routes.

Feedback and follow-up

After a report has been received, there are guidelines for how to handle it. Timelines, feedback and follow-up play a central role in the EU’s directive. 

Within 7 days

A confirmation that the case has been received must be sent to the whistleblower within one week. Some within the compliance community see an automatic confirmation by a whistleblower system as enough, and even if I find such automatic confirmations good, I find it hard to believe this is what the EU had in mind. I would recommend providing a personal confirmation — both to ensure complete compliance and to show the whistleblower that you actually care (at least more than only complying).

Within 3 months

Compliance professionals must ensure that a follow-up is conducted on the investigation’s results or measures that have been taken, or will be taken, within three months. In case the investigation is closed, this information can also be shared during the follow-up. Even if the investigation is not entirely concluded within three months, a longer follow-up is necessary, with details about the case’s status.

Forgetting this important follow-up is not only breaking rules but risking a company-wide negative attitude toward speaking up in the first place.

After years

Some years after a report, the information in a case must be deleted from the whistleblower system, though EU members differ when it comes to how long case information may be stored; for example, Portugal requires the case to be stored for at least five years. But on average, firms must delete the information after two years.

Whistleblower policy

A whistleblower policy should include all the relevant information that employees within the organization need to know, which channels they can use to blow the whistle (internal as well as external, e.g. to authorities) and all other relevant information that can be good to know. “What is considered to be whistleblowing?” “How will my report be handled?” And so on.

Appointing recipients of whistleblower cases (case managers)

Appointing independent and relevant recipients of whistleblower cases, or case managers, is crucial to complying with the EU whistleblowing directive. Independent case managers can assess the facts presented without any undue influence or bias, ensuring that the whistleblower’s report is taken seriously and investigated appropriately. It is equally important to appoint relevant case managers who possess the necessary skills and expertise to handle (at least initially) most cases that could be reported. Case managers could be internal or external, such as lawyers or other experts.

When consulting companies on implementing whistleblower functions, I usually recommend at least one case manager from the compliance department and one from the HR department and preferably, they’re not owners or members of the board of directors. For smaller companies below 250 employees, it might be a bit difficult to find independent and relevant case managers, and an external case manager might be needed.