You need an internal whistleblower scheme from December 17, 2023

If your company has 50 employees or more, your best decision today is to keep on reading:

From December 17, 2023, you need an internal whistleblowing scheme to ensure a secure, confidential channel where whistleblowers can report offenses and wrongdoings.

To get you off to a good start, we’ve made a blog article.

When you’ve reached the last sentence, you’ll know:

?What is whistleblowing – and who can blow the whistle?

?? The whistleblowing directive: What is up and down?

??? The types of allegations whistleblowers can submit

?? How your organization should handle reports

? The 6 initiatives that’ll make you compliant with the whistleblowing directive.?

How to Make Your Company Compliant With the EU Whistleblowing Directive

What is whistleblowing – and who can blow the whistle?

Whistleblowing comes from, as you might have guessed, someone blowing a whistle, to state and stop a wrongdoing. Like a police officer or sports referee.

In the context of the EU Whistleblowing Directive, it concerns individuals within an organization who ‘speak up’ to disclose information about unethical, illegal, or unsafe activities they’ve witnessed.

And we say ‘individuals’ since a whistleblower isn’t ‘just’ an employee. It can be any person who has a relation to your organization, like a worker, shareholder, supplier, former worker, volunteer or unpaid trainee, or even a person you had in for a job interview.

In essence, whistleblowing works as a moral compass for the organization and its ‘members’ highlighting the importance of transparency and accountability.

The whistleblowing directive: What is up and down?

When it comes to setting up an internal whistleblowing scheme, companies have been subject to different deadlines depending on the company size. The deadlines go:

• December 17, 2021, for companies with 250 employees or more.
• December 17, 2023, for companies with 50 employees or more.

So, even if there are less than 50 employees in your organization, we believe there are at least two reasons for you to get on a first-name basis with the EU Whistleblowing Directive:

First reason: If you plan to grow your business, the directive will affect you – and we recommend you to be well-prepared for that scenario.

The second reason: There might be a national law that obliges you to have a whistleblower scheme.

Let’s give you an example:

A small financial company with 46 employees has established a whistleblower scheme to meet the requirement of the Financial Business Act, coming from an EU legislative.

This means that the company’s whistleblower scheme must comply with the requirements of both the Financial Business Act and the Whistleblower Act (from December 17, 2021), even if the company has fewer than 50 employees.

The types of allegations whistleblowers can submit

The EU Whistleblowing Directive gives whistleblowers the authority to report any violation of EU law. Specifically outlined in Article 2 of the Directive are the following categories, serving as examples:

• Public procurement
• Financial services
• Products and markets
• Prevention of money laundering and terrorist financing
• Product safety and compliance
• Transport safety
• Protection of the environment
• Radiation protection and nuclear safety
• Food and feed safety
• Animal health and welfare
• Public health
• Consumer protection
• Protection of privacy and personal data
• Security of network and information systems
• Corporate tax avoidance/evasion
• State aid

We need to make one thing clear: These examples are a minimum.

?

Member States can strengthen their protection through their own national laws. This means that HR and recruitment issues might get extra coverage.

?

For example, in Denmark ‘serious legal violations’ and ‘other serious matters’ are also covered.

?

This covers serious, evident breaches of law and other serious matters that may not necessarily be specifically illegal. These could be violations such as bribery or sexual harassment.

How your organization should handle reports

As Article 9 of the EU Whistleblowing Directive states, organizations should be well-versed in the following principles when managing internal reports. Here are the ones you need to be on a first-name basis with:

• Security
• Confidentiality
• Acknowledgement
• Impartiality
• Due diligence
• Timely
• Clarity
• Accessibility

To cover these principles, we’ll take you through 6 initiatives that make your whistleblowing scheme hands-on – and, not least, compliant.

The 6 initiatives that’ll make you compliant with the whistleblowing directive

Now, you have the basics in place. Let’s get to the fun part and make them hands-on, shall we? Here are 6 initiatives, following the EU Whistleblowing Directive’s principles, that will ensure your whistleblowing compliance.

#1: Ensure an internal policy and training

The EU Whistleblower Directive is not made to protect your organization; it’s made to protect your organization members.

?

Therefore, your finest job is to make sure that they know and understand your internal whistleblowing scheme – and are able to use it.

?

So, first and foremost, you need an internal whistleblowing policy that is easy to understand and access for your employees and other workers. The policy can be explained and exemplified in guidelines, brochures, or other informative materials.

Next, we recommend you do an awareness program that’ll take your employees through all five initiatives, making sure that they understand them and are able to act from them. Once again, it’s a good idea to give them examples or cases of whistleblowing or even, if you have the resources, let them do fictional reporting.

Following this principle, you create clarity on your internal whistleblowing scheme and the way you handle reporting.?

#2: Set up proper processes and reporting channels

Building a strong foundation is key: So, you need to ensure that internal channels for receiving reports are designed, established, and operated with security at the forefront.

The Directive defines three types of reporting:

• Internal reporting. To give information, either written or oral, on breaches within a legal entity in the private or public sector.
• External reporting. To give information, either written or oral, on breaches to the competent authorities.
• Public disclosure or ‘to publicly disclose’. To make information on breaches available in the public domain.

Besides these three distinctions, the Directive allows them to be both oral and written.

An oral reporting channel can be via a hotline, voice messaging system, or face-to-face.

A written reporting channel online reporting channel, email, or letter.

Which channel(s) that work best for your organization depends on your resources and how these can support the format of the channels in the best way.

However, each national law can have some requirements regarding the means.

In Denmark, for instance, it’s decided by law that organizations need to have a written means as a minimum.

Also, we highly recommend you use both oral and written means since individuals have their own preferences.

Following this initiative, you handle reporting with security as the aim.

#3: Implement the necessary support measures

Having the foundation in place, you need to support with the… well, right support to make sure that the reporting person is taken seriously and that someone will handle their report with professionalism.

First and foremost, you need to appoint an impartial entity for follow-ups who ensure open communication with the reporting person. When necessary, the entity has to be able to give additional information and constructive feedback.

Also, organizing investigations and follow-ups with due diligence is important to demonstrate reasonable care and effort throughout the process.

?

Following this initiative, you handle reporting with impartiality and due diligence.

#4: Communicate the scope of application

You are not the only one who needs to know whether a report concerns a breach in the areas referred to in the whistleblower act. The whistleblowers have to know too.

That’s why you need to clearly communicate what kinds of wrongdoing they can submit. Giving them the overview from the "The types of allegations whistleblowers can submit" section above could be done via a whistleblower policy.

Following this principle, you support initiative #1 and, therefore, handle reporting with clarity.

#5: Ensure processes that meet feedback obligations

Compliance is, among other things, about knowing important deadlines and timeframes. Therefore, you need to set up a reasonable timeframe for feedback and follow-ups:

Acknowledgement of receipt should be made within seven days after getting a report.

A courteous follow-up on a report should be given to the whistleblower within three months.

Following this initiative, you handle reporting with acknowledgement and timely.

#6: Protect data like a safeguard

Okay, it feels like choosing between your kids, but still, this initiative – and data protection in general – is close to our heart.

Therefore, we cannot emphasize enough that you need to adhere to thought-through data protection practices. The whole purpose of and criteria of success with your internal whistleblowing scheme is to ensure people’s anonymity and right to privacy. That goes for both the reporting person’s identity and any third parties being mentioned.

You should also, for the reason above, limit access strictly to authorized personnel.

As it’s also the case within GDPR , you can only store for the necessary and proportionate duration defined by the Directive or any pertinent legal obligations.

Following this initiative, you handle reporting with confidentiality (and security).

Like any other compliance workload, complying with the EU Whistleblowing Directive takes time and resources, but the 6 initiatives above will pave the way for your whistleblowing compliance.

However, if you’re curious to know about a shortcut, you should use two well-spent minutes to dive into our whistleblower software.