This article, authored by Principal Consultant Liz Hornby, is the second in a three-part series of articles from LEO GRC that takes an in-depth look at whistleblowing. In this article, we continue with a look at the new EU Whistleblower Protection Directive and the ways in which your organization can manage the changes.
With headline-grabbing cases involving all sectors, from healthcare to Hollywood and financial services to manufacturing, whistleblowing is rarely out of the media. As a result, the encouragement and protection of whistleblowers is a priority for legislators and organizations across the globe.
Whistleblowing is a complex area that spans law, regulation, and culture. The complexity is increased for organizations with a global presence, staff, and policies. The cost of non-compliance is high for everyone involved, especially for the whistleblowers themselves.
This article focuses on the new EU Whistleblower Protection Directive (the Directive) and highlights three facts that all organizations need to know in order to prepare for its implementation next year.
What Is the EU’s Whistleblower Protection Directive?
In October 2019, the EU’s Whistleblower Protection Directive was adopted by the European Council. The Directive’s central aim is to provide better protection for those who seek to expose corporate wrongdoing. These protections are extended to anyone working in the public or private sector who could acquire information about wrongdoing in a work-specific context.
These protections don’t just cover employees. They’re also in place to protect job applicants, former employees, supporters of the whistleblower, and journalists. The protections are there to guard against dismissal, retaliation, and any other form of discrimination, such as being denied training or receiving poor evaluations as a result of whistleblowing.
While the scope of the Directive is limited to wrongdoing specific to EU law, it’s still broad. It includes:
- Tax evasion
- Money laundering
- Public procurement offices
- Product and road safety
- Environment protection
- Public health
- Consumer and data protection
Beyond the scope of the Directive, national legislators are encouraged to extend the coverage to their national laws as well.
Below are three facts all organizations need to know about the EU Directive.
1. It Applies to All Organizations Operating in the EU
The Directive will impact all private and public sector organizations with over 50 employees operating within the EU. It covers all sectors, including financial services, pharmaceutical, manufacturing, and hospitality. Non-EU organizations that operate within the EU will also be affected, including UK organizations post-Brexit.
Relevant organizations with over 250 employees must comply with the Directive (in the form it has been implemented through relevant national legislation) from the end of 2021. There is, however, an extension on this deadline for organizations with between 50 and 250 employees.
2. It Requires Real Change
The Directive requires organizations to make material changes to their whistleblowing arrangements and policies. For some, this may simply be updates. For others, it will require setting up an entirely new framework for reporting and processing disclosures.
Reporting channels must be in place for individuals to make reports, either in writing (through an online reporting platform, email, or letter) or orally (via a telephone hotline, voice messaging, or in person). These channels must be clearly outlined in policies and processes that inform individuals how their report will be handled. This includes:
- What an investigation looks like
- Who will conduct the investigation
- Who will decide if wrongdoing has occurred
Organizations will then have a window of three months, or six in exceptional cases, in which to respond to and follow up on reports.
Protective measures must also be put in place relating to confidentiality. These must prevent an individual’s identity from being disclosed without their consent to anyone beyond authorized staff members. The Directive leaves it to each Member State to decide whether anonymous reports should be accepted and, therefore, anonymity will be subject to local legislation.
3. Communication and Training Are Vital
Affected organizations must also provide employees with clear, easily accessible, and transparent information about their whistleblowing arrangements, including the reporting channels open to them and the process that they should follow.
Line managers, HR, legal/compliance departments, and those involved in any whistleblowing investigations must receive tailored training regarding the handling of reports. This training should include:
- How to respond to whistleblowing reports
- Who to inform once a report has been made
- How to ensure confidentiality (and, if applicable, anonymity)
More widely, organizations are expected to take steps to encourage reporting by promoting a supportive and open culture. This may involve:
- Reviewing Codes of Conduct
- Considering ‘tone from the top’ messaging
- Undertaking cultural surveys
It’s Important to Act Now - What Are The Next Steps?
These procedural and cultural changes will take time to implement. We encourage organizations to start as soon as possible to make sure they can meet the implementation deadline.
Put simply, you need to act now. Whistleblowing arrangements and processes are fast becoming a global GRC priority. They are vital to protect employees, whistleblowers, customers, and other stakeholders, and to meet your legal and regulatory obligations.