Are you unsure about whether your organisation will need to comply with the new EU Whistleblower Protection law ? And if so how? The short answer is that if your organisation employs 50 people or more it is required to comply. In this blog, we peel back the layers of the new law to get to the core obligations that will determine how much action you need to take to ensure your whistleblowing system shapes up. And for each obligation, we provide a checklist for you to asses how far you have to go to comply with the EU Whistleblower Protection law.

What is the EU Whistleblower Protection law?

The aim of the EU Whistleblower Protection law is to protect whistleblowers in the EU who report on misconduct that they become aware of through their workplace, and to encourage more people to do so. Staying silent is costly. A recent report from the European Commission shows that the potential benefits deriving from whistleblowers' protection is estimated to be between Euro 6 and Euro 7 billion each year, and these numbers apply only to public procurement. Whistleblowers can play a prominent role in detecting and disclosing corrupt, illegal, fraudulent, and harmful activities with great benefits at all levels of society.

Read through the checklist obligation to comply with the EU Whistleblower Protection law:

  • Do you already have a whistleblower system in place?

YES: You are off to a good start. Continue to the checklist against legal obligations below.
NO: Contact WhistleB to discuss the best whistleblowing system option for your needs.

  • Confidentiality of the identity of the whistleblower

The law says: The procedures for reporting and following-up of reports shall include channels for receiving the reports which are designed, set up and operated in a secure manner that ensures the confidentiality of the identity of the reporting person and any third party mentioned in the report, and prevents access to non-authorised staff members.

  1. Does your whistleblower system allow a whistleblower's identity to remain confidential?
  2. Can you open up the system to external parties such that it also protects their identities?
  3. Are identities protected all the way from reporting to archiving of cases?
  4. Is access to your case management system adequately secure, for example with multi-factor authentication for staff members?
  5. Is your system vulnerability and penetration tested by external parties?
  • Response times

The law says: The procedures for reporting and following-up of reports shall include an acknowledgment of receipt of the report to the reporting person within no more than seven days of that receipt.

  1. Does your whistleblower system automatically and immediately give a notification to the whistleblower confirming receipt, while maintaining anonymity of the whistleblower?
  2. Can the whistleblower team be notified immediately that a report has been received?
  3. Can your system scale up to take an increase in the number of reports if needed?
  4. Are you able to create standard response messages?
  5. Do you have a dedicated person/team to receive the reports?
  • Contact persons

The law says: The procedures for reporting and following-up of reports shall include the designation of an impartial person or department competent for following up on the reports (...) and which will maintain communication with and, where necessary, ask for further information from and provide feedback to the reporting person.

  1. Do you have competent resources in place for following up on reports in an appropriate manner?
  2. Does your system allow you to add the competences you need per case?
  3. Do you have a system and the skills and routines in place to handle investigations?
  4. Does your whistleblower channel allow you to add external experts securely into the case handling process?
  • Follow-up

The law says: The procedures for reporting and following-up of reports shall include diligent follow-up to the report by the designated person or department, diligent follow up where provided for in national law as regards anonymous reporting, and a reasonable timeframe to provide feedback to the reporting person about the follow-up to the report.

  1. Do you have a channel through which the whistleblower can add pictures, videos, text documents and other file formats, and that cleanses meta data?
  2. Does your whistleblower system include a case management tool that is integrated with the reporting channel?
  3. Does your whistleblower channel allow for a dialogue with either an anonymous or non-anonymous whistleblower?
  4. Does your system allow secure translation support for communication in multiple languages?
  • Communication and information

The law says: The procedures for reporting and following-up of reports shall include clear and easily accessible information regarding the conditions and procedures for reporting externally to competent authorities and, where relevant, to institutions, bodies, offices or agencies of the Union.

  1. Do you provide clear and easily available information to employees about how and where they can report concerns, including their options for external reporting?
  2. Is such information adapted for each country in which you operate?
  3. Is the information available automatically when people access your whistleblower system?
  4. Are your policy documents, Code of Conduct and related training materials updated to inform employees on behaviour, such as "retaliation", that would be in breach of the EU Whistleblower Protection Directive?
  • GDPR compliance

The law says: Any processing of personal data carried out pursuant to the Directive must comply with the GDPR

  1. Is your whistleblower system fully compliant with the GDPR in all EU countries in which you operate?
  2. Does your system automatically allow deletion of personal data when the case is closed?
  3. Do you inform potential users correctly about national differences in reporting?
  • Record-keeping

The law says: Authorities, private and public legal entities must keep records of every report received, in compliance with the confidentiality requirements provided for. Reports shall be stored for no longer than it is necessary and proportionate.

  1. Does your system keep a user and case log of each case?
  2. Does your system allow for deleting personal data in line with the GDPR?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.