Corporate Compliance Insights

How to Comply With the EU Whistleblowing Directive

Requirements vary by country, but a compliance deadline is coming this year for mid-sized companies

by Daniel Vaknine
April 26, 2023
in Compliance

Nearly four years after its passage, the EU’s whistleblower directive has yet to be adopted by many European Union member nations. Even so, many organizations and their compliance teams have worked to revise their whistleblower policies or implement fresh ones in accordance with the EU’s guidance. Visslan CEO Daniel Vaknine provides a refresher course on what companies need to know about the whistleblowing directive.

If your organization operates within the EU and has 50 or more employees (or is closing in on this important mark), you’re probably covered by the requirements of the whistleblowing act to implement a whistleblower function. It’s important to note that requirements may vary from country to country, and this summary is based on the most common practices among EU countries implementing their own legislation.

If your organization has over 250 employees, you must meet these requirements as soon as possible. If you have between 50 and 250 employees, the deadline for compliance is this year: Dec. 17, 2023.

Internal reporting channels

Compliance with the directive requires organizations with more than 50 employees to have internal reporting channels that ensure confidentiality and security for whistleblowers, including adherence to GDPR regulations.

While anonymous whistleblowing can be refused (“strictly confidential” reporting is allowed), most whistleblowing experts around the world, myself included, agree that it is highly recommended to allow people to make anonymous reports, as it is the most efficient approach and simplifies compliance with regulatory obligations.

Protection against retaliation

Whistleblowers must be safeguarded against any retaliation that may result from their decision to blow the whistle. The protective measures extend beyond termination to other forms of retaliation, such as non-promotion, demotion, alterations in working conditions, disciplinary sanctions, non-renewal of employment contracts, and threats or harassment.

It is important to note that legal or contractual obligations, including loyalty clauses or confidentiality obligations, cannot serve as an impediment to the application of protection against retaliation. Such obligations do not negate the need for ensuring the protection of whistleblowers.

Data protection

Given that whistleblowing often involves the handling of personal information, it is imperative to note that the EU GDPR applies to whistleblowing activities. Failure to comply with those requirements may result in violations of the GDPR, which can lead to severe financial consequences, including fines of up to 20 million euros or 4% of the organization’s global revenue.

This is another argument to enable anonymous reporting since this simplifies compliance with the GDPR in some ways. It also emphasizes the importance of secure and rigorous whistleblower systems.

Communication

In most EU countries, you must allow whistleblowers to report cases verbally and in writing, and they should also have the option to schedule a physical meeting. There are specific requirements for documenting interactions appropriately, which must be strictly adhered to. It is, of course, preferable if whistleblowers can report in multiple ways and book a physical meeting within the whistleblower system itself; otherwise, you might need to set up different reporting channels/routes.

Feedback and follow-up

After a report has been received, there are guidelines for how to handle it. Timelines, feedback and follow-up play a central role in the EU’s directive. 

Within 7 days

A confirmation that the case has been received must be sent to the whistleblower within one week. Some within the compliance community see an automatic confirmation by a whistleblower system as enough, and even if I find such automatic confirmations good, I find it hard to believe this is what the EU had in mind. I would recommend providing a personal confirmation — both to ensure complete compliance and to show the whistleblower that you actually care (at least more than only complying).

Within 3 months

Compliance professionals must ensure that a follow-up is conducted on the investigation’s results or measures that have been taken, or will be taken, within three months. In case the investigation is closed, this information can also be shared during the follow-up. Even if the investigation is not entirely concluded within three months, a longer follow-up is necessary, with details about the case’s status.

Forgetting this important follow-up is not only breaking rules but risking a company-wide negative attitude toward speaking up in the first place.

After years

Some years after a report, the information in a case must be deleted from the whistleblower system, though EU members differ when it comes to how long case information may be stored; for example, Portugal requires the case to be stored for at least five years. But on average, firms must delete the information after two years.

Whistleblower policy

A whistleblower policy should include all the relevant information that employees within the organization need to know, including which channels they can use to blow the whistle (internal as well as external, e.g. to authorities) and answers to questions such as “What is considered to be whistleblowing?” and “How will my report be handled?”

Appointing recipients of whistleblower cases (case managers)

Appointing independent and relevant recipients of whistleblower cases, or case managers, is crucial to complying with the EU whistleblowing directive. Independent case managers can assess the facts presented without any undue influence or bias, ensuring that the whistleblower’s report is taken seriously and investigated appropriately. It is equally important to appoint relevant case managers who possess the necessary skills and expertise to handle (at least initially) most cases that could be reported. Case managers could be internal or external, such as lawyers or other experts.

When consulting companies on implementing whistleblower functions, I usually recommend at least one case manager from the compliance department and one from the HR department, and preferably they’re not owners or members of the board of directors. For smaller companies below 250 employees, it might be a bit difficult to find independent and relevant case managers, and an external case manager might be needed.


Daniel Vaknine is CEO of whistleblower software provider Visslan and a risk and compliance blogger.
