In December of 2021, the final EU Whistleblower Directive deadline passed, bringing it into full effect. This piece of legislation focuses on encouraging and protecting whistleblowers who speak up about corporate misconduct. It acknowledges the value these people bring in helping organisations and states to uncover legal breaches at an earlier stage, thus preventing or minimising potentially harmful business losses and destructive behaviour. The Directive does this by placing the whistleblower at the centre, safeguarding their identity, prohibiting retaliation, and offering several channels for reporting.
In practice, the Directive requires organisations in all EU member states with 250 or more employees to establish a well-defined reporting channel and procedures to allow people to report concerns regarding illegal activities. Smaller organisations of 50 or more people will have until 2023.
While the Directive is a step forward in moving member states towards a unified legal framework, it may nonetheless result in a wide array of whistleblower laws. Responding to these will be a key challenge for compliance in 2022 – and beyond.
Not Quite One Size Fits All
Though the deadline for the EU member states to incorporate the EU Whistleblower Protection into their national laws was December 17th, 2021, the vast majority of countries did not meet this date. Some proposals require additional consultation, and other countries have yet to start. Whether due to local political bureaucracy, down-prioritisation in the wake of the COVID-19 pandemic, or other obstacles – there remains significant work to be done.
The patchy timing across the EU is further compounded by the inconsistent starting point of each territory. Some countries already have their own extensive whistleblower legislation, such as the Netherlands and France. Others have laws that only apply to certain industries or company sizes. How local laws should align with the minimum standards of the EU directive, and the extent to which local laws should expand on the minimum standards, is hotly debated.
Another variable to consider is that each territory has the freedom to expand on the scope of requirements stipulated at the EU level – in fact, this has been encouraged by EU regulators.
A Tougher Compliance Puzzle for Larger Organisations
National differences will arise, and monitoring and responding to these will create further compliance complexity for larger organisations and those operating across borders within the EU. For instance, what happens if the differences in protection lead to whistleblower forum shopping? This is when a person reports concerns in jurisdictions that are deemed to be more favourable, or where the scope of protected topics for disclosure better matches the person’s issue.
Further, there is an additional requirement for legal entities with subsidiaries that employ 250 or more people. These subsidiaries need to have their own reporting channels and appoint separate recipients of reports for whistleblowers who do not want to report to a channel that is shared at the group level. While this may be more accommodating of the whistleblower, it creates a heavier burden for organisations. They will need to put the appropriate resources in place to handle reports at both subsidiary level and group level.
It is expected that in various countries, “effective, proportionate and dissuasive” penalties will mean that both natural and legal persons should be wary of infringing the provisions related to whistleblowing. This applies both to retaliatory actions and to malicious whistleblowing.
Clear Minimum Requirements Mean Progress Towards Compliance
Despite the above, inaction while waiting for territory transpositions is not recommended. The EU Whistleblower Directive clearly lays out a set of minimum requirements that will apply to all affected organisations in EU member states. Below we summarise these obligations and provide insight to go beyond compliance and gain further value from your whistleblowing program.
- Provide secure channels for whistleblowing. Organisations need to provide a reporting channel with a certain level of protection. It needs to be safe, and users should have multiple reporting options available – in-person, written or verbal. Think about providing a channel that is also available when the whistleblower feels comfortable using it and provide resources in the whistleblower’s preferred language.
- Maintain the confidentiality of the whistleblower and the data subject throughout the entire process. Confidentiality is required by the Directive, and full anonymity is recommended – both increase the chances people will come forward to report and provide access to invaluable information.
- Acknowledge receipt of the report within seven days. This is a further indication of the importance placed on respectful treatment of the whistleblower. Organisations may opt for a system that alerts whistleblower report managers automatically. Accommodations must also be made to acknowledge receipt of an anonymous report to the whistleblower.
- Follow up on the case and provide feedback to the whistleblower within three months. The Directive gives the whistleblower the right to know what is happening with their report, so it is important for cases to be monitored and followed up. Organisations will need to strike the right balance between sharing correct, but not too sensitive, information and involving the whistleblower as much as possible.
- Maintain auditable records. Consider a system that keeps a log of all case management activities carried out by all case handlers. Not only does this help keep control of investigations, it also provides evidence that the organisation acts compliantly and efficiently.
- Protect whistleblowers against retaliation. Retaliation is any form of negative consequence of filing a report. Ensuring retaliation does not occur may require training, policy or code of conduct updates and internal control. This is a key point of compliance, but more importantly contributes to ethical business and a healthy workplace environment.
- Provide the workforce with information regarding the channel. At a minimum this involves facilitating whistleblowing and informing users of the different country laws and their rights to report externally. More broadly this requirement may prompt a review of the corporate culture and whether it acts as a foundation for trust and transparency.
- Allow reporting access to third parties. The Directive defines a far wider scope of stakeholders as potential whistleblowers who would be eligible for protection. Organisations will therefore need to give reporting access to permanent and temporary employees, volunteers, former employees, contractors, family members of employees, and even suppliers.
- Appoint impartial and experienced people to manage whistleblowing reports. This presents a substantial challenge for many organisations. Typically, legal or compliance functions own this responsibility, and organisations should also assess whether it is safer or more efficient to use an outside party.
- Process any personal data in accordance with the EU GDPR requirements. It is extremely important to take data security seriously as the whistleblower channel will contain personal and sensitive data. Organisations may want to find a system that helps to comply with this requirement automatically. Such a system would include functionalities to limit access to data, store data in the EU, encrypt the data and ensure the organisation alone can decrypt the data.
Go Beyond Compliance – Capture the Value of Whistleblowing
Despite the regulatory challenge, forward-thinking companies and other organisations see that the Directive is not just about compliance. The Directive provides an opportunity for more ethical business, increased transparency, risk mitigation, reduced financial losses, brand enhancement, and talent attraction. All of these benefits are outcomes of successful whistleblowing programmes, which in turn are wholly dependent on whistleblower trust.
To establish that trust, whistleblowers need to be considered valuable assets. For the first time ever, this Directive does just that. It positions the whistleblower as a hero, protects their rights and requires structures that give them greater confidence to step forward and report concerns. Companies that go beyond compliance and truly embrace whistleblower protections stand to gain the most.
As member states and organisations within the EU adopt whistleblower programmes that adhere to the Directive, global attention will be paid to the future of whistleblowing. Organisations around the world will be expected – by the Directive, other upcoming legislation, and societal pressure – to go beyond compliance box-checking, and to create a culture where whistleblowers are encouraged to speak up, reports are managed professionally, and appropriate action is taken to correct any corporate misconduct.