The new EU Whistleblower Protection Directive has now been approved. This starts the process for member states to establish rules that will protect whistleblowers who report breaches of EU law.
Below is some practical information from Confidential Reporting on what your organisation can start to do now, covering:
- What is the new EU Whistleblower Protection Directive about?
- What organisations will be covered by the Directive?
- What are the expected procedures for whistleblowing and following-up whistleblowing reports?
- When must this be achieved?
- What will be the obligations for an organisation?
- What should my plan be?
What is the new EU Whistleblower Protection Directive about?
The European Commission’s Directorate-General for Justice and Consumers states:
“The new law will establish safe channels for reporting both within an organisation and to public authorities. It will also protect whistleblowers against dismissal, demotion and other forms of retaliation and require national authorities to inform citizens and provide training for public authorities on how to deal with whistleblowers.”
Reporting breaches of law in accordance with the Directive means the whistleblower will be protected from liability, and that anyone who retaliates against the whistleblower will be exposed to sanctions.
The EU Whistleblower Protection Directive covers breaches in a wide array of areas of European Union law that whistleblowers may report on, including anti-money laundering and corporate taxation, data protection, protection of the Union’s financial interests, food and product safety, environmental protection and nuclear safety. Moreover, as the European Commission’s press release states, “Member States are free to extend these rules to other areas. The Commission encourages them to establish comprehensive frameworks for whistleblower protection based on the same principles.”
What organisations will be covered by the Directive?
The Directive requirement to establish secure reporting channels will apply to:
- Private legal entities with 50 or more employees, with reduced requirements for SMEs
- Private legal entities operating in financial services, products and markets
- Private legal entities vulnerable to money laundering or terrorist financing
- Entities governed by public law, with Member States able to exempt municipalities with fewer than 10,000 residents or fewer than 50 employees
What are the expected procedures for whistleblowing and following-up whistleblowing reports?
The Directive requires:
- An organisation must provide appropriate channels for receiving disclosures in a secure manner: allowing anonymity, ensuring the confidentiality of the identity of the whistleblower and of any other person or organisation mentioned in the report, and preventing access by non-authorised staff members. The disclosure process should allow reporting in writing and/or verbally and, if requested by the whistleblower, at a physical meeting.
- The organisation must acknowledge having received the report by letting the whistleblower know within seven days of the disclosure.
- The organisation must have a designated impartial person or department for following up on the disclosure
- The designated impartial person or department will also be responsible for maintaining communication with the whistleblower, obtaining further information where necessary and providing feedback
- Diligent follow-up of:
- the disclosure itself, by the designated person or department
- anonymous reporting as provided for in a relevant national law
- A reasonable timeframe, not exceeding three months from the acknowledgment of the disclosure, for providing feedback to the whistleblower on the follow-up of the report
- Provision for disclosure to external parties, based on clear and accessible information on the conditions and procedures for making such a disclosure. Competent public authorities must have independent and autonomous external reporting channels for receiving and handling information provided by the discloser
The framework for a disclosure must be designed, set up and operated in a way that ensures that any information received is complete, retains its integrity and confidentiality, is retained for further investigations and cannot be accessed by non-authorised staff members.
When must this be achieved?
Member States must transpose the Directive into national law within two years of its adoption, i.e. by April 2021. Private legal entities with between 50 and 250 employees have a further two years after transposition to comply.
What will be the obligations for an organisation?
- Internal Reporting | External Reporting | Public Disclosure
While internal reporting channels are preferred as the first route, the Directive acknowledges that the whistleblower may choose the most appropriate channel, depending on the individual circumstances of the case. This includes the option to report internally or externally to competent authorities and, as a last resort, to make a public disclosure, for example to the media.
- Anonymous Reporting | Confidential Reporting.
The Directive is neutral on anonymous reports of breaches made to private or public entities and competent authorities: Member States decide whether anonymous reports must be accepted and followed up.
The Directive mandates that penalties be imposed against those who:
- hinder, or attempt to hinder, a disclosure
- retaliate, or threaten or attempt to retaliate, against a whistleblower
- bring vexatious proceedings against a whistleblower
- reveal the identity of a whistleblower
- Wide range of protections
The new EU Whistleblower Protection Directive applies to those working in the private or public sector who acquire information on breaches in a work-related context.
- Legal support to be made available to a whistleblower
The Directive also requires that various support measures be provided for people making disclosures.
What should my plan be?
- Review your Whistleblower Policy
Review the capacity of the organisation. Does the organisation have:
- Sufficient resources?
- Competent people in place to receive and respond to reports consistent with the Directive?
- Ability to respond within the required timeframe?
- Support from experts that may be needed to help the organisation (with disclosure, responding and investigating)?
- Are the right people on board with your Whistleblower Policy?
Review the organisation’s stakeholders and all current policies and procedures. This includes:
- Members of the Board
- External audit
- Internal audit
- Risk and Compliance
- Human Resources and Culture
- Key Operational managers
- Review your Whistleblowing System
Given the expected strict demands for internal reporting, it is critical that the whistleblowing system is able to meet the Directive’s requirements. The whistleblowing system should support the organisation’s internal reporting. Your criteria for the whistleblowing system should consider:
- Protection of the data, metadata and information in a disclosure
- Allowance for anonymity, and the means by which anonymity, identity and confidentiality are protected
- Whether there is a rigorous process for accepting, following up and providing feedback to the discloser within the required timelines
- Which modes of engagement will be used (internal and external; online and email) and who can access the system, whether internal or external parties
- What the capacity is to actively manage the expected demand on resources from disclosure through to the final investigation report, including:
- a new in-house system, a combination of in-house and external resources, or an external system and resources
- whether the organisation’s system has the capacity to manage a disclosure from reporting through to archiving
- the interaction between quality, risk and compliance
- Assess GDPR compliance
GDPR applies across the board, so any personal data handled in the whistleblowing process must be processed consistently with it. The GDPR principles are:
- Lawfulness, fairness and transparency | Obtain the data on a lawful basis, leave the individual fully informed and keep your word.
- Purpose limitation | Be specific
- Data minimization | Collect the minimum data you need
- Accuracy | Store accurate up-to-date data
- Storage limitations | Retain the data for a necessary limited period and then erase
- Integrity and confidentiality | Keep it secure
- Accountability | Record and prove compliance
- Review and Update policies and training
Some of the Directive may be new or inconsistent with current policies and procedures. Key areas include awareness of:
- What retaliation is and the penalties for retaliatory action
- Anonymity and identity protection
- Disclosure processes, including external disclosures and investigation and feedback
- Assessing the culture
In many cases a disclosure is also an indicator of a systems failure in the organisation. Accordingly, management should already be supporting quality and improvement; in that sense, internal reporting should already be assisting the organisation.
The commitment to open communication should extend to whistleblowing, with leaders committed to listening to, and acting on, the reports received.
- Allow and protect anonymous reporting
The Directive requires that internal reporting be set up and operated in a secure manner to ensure the confidentiality of the identity of the whistleblower.
Allowing for anonymous reporting and secure, confidential lines of reporting increases the likelihood of receiving reports on serious misconduct. This is fundamental to the organisation being able to minimise damage and risk.
- Is this a cost or a benefit to the organisation?
A learning, innovative or customer service focused organisation will see this as an opportunity to improve performance and prevent major issues. Partnering with an independent external Whistleblowing Service will give confidence in the disclosure process, the commitment of management and the positive resolution of the disclosure.
With over 25 years of experience in compliance and ethics and a leading digital whistleblower system