The EU Whistleblower Protection Directive: The Vital Few Actions You Must Take

Discover the key requirements of the EU Whistleblower Protection Directive, myths and common misperceptions, and the vital few actions you must take to comply.

Do you have December 17, 2021 highlighted on your calendar? European ethics and compliance professionals certainly have that date circled in red ink and will never forget the Friday deadline. The clock is ticking away the precious days before companies operating in EU Member States, with 250+ employees, must comply with the EU Whistleblower Protection Directive. So, are you ready? Do you know what the key requirements of the Directive are? If you’re polishing up the final draft of your organization’s policy handbook or if you’re scrambling to pull together a first draft, read on to get a handle on the key requirements of the EU Whistleblower Protection Directive. 

If you have no idea where to start or if you’re looking for an in-depth analysis of everything you need to know about the Directive, check out Part One and Part Two of our series on the Directive or download our handy guide here. The full 131-page text of the EU Whistleblower Protection Directive can be found in English here. If you’re ready to act and focus on practical compliance before the deadline, stick with us! 

To start, we need to make clear the difference between a regulation and a directive. A regulation is universally implemented across the 27 EU Member States on the same date. The General Data Protection Regulation (GDPR) is an example of an EU regulation. A directive is up to Member States to adopt and adapt to their own needs. In practice, this means that each country’s requirements will be different, and companies operating in multiple EU countries will have to build their own compliance plan that takes into account the different requirements between countries. This means that waiting to see how each country sets its own compliance standards before you implement a hotline is not an option.

The EU Whistleblower Protection Directive Timeline – What’s Happening and What’s Coming

  • April 2018 – EU Commission launches the proposal 
  • October 23, 2019 – Official adoption of Directive by EU Council 
  • June 24, 2021 – Denmark becomes the first to enshrine the Directive in local law 
  • September 29, 2021 – Sweden transposes the EU Whistleblowing Directive into local law 
  • December 2021 – Deadline for implementation by EU Member States 
  • December 17, 2021 – Enforceable for organizations with 250+ employees 
  • December 17, 2023 – Enforceable for organizations with 50+ employees 

Addressing Myths and Misconceptions 

Let’s clear the air and acknowledge that there is an overwhelming supply of misconceptions regarding the EU Whistleblower Protection Directive out there. From malicious misinformation to well-intentioned but woefully misguided assessments, the savvy E&C professional needs to know how to sort out the nonsense and lead with the facts. 

Myth #1:
We don’t have to do anything until the EU Member States have implemented the EU Whistleblower Protection Directive

Don’t wait! Implementation will be slow. Spend the precious few days between now and December 17th  drilling down and developing your organization’s plan. According to André Bywater, Partner at Cordery Compliance, you need to also prepare for the impact on your budget. In order to comply, will your company need to renew contracts, outsource your whistleblower hotline, or train additional staff members? Remember that the Directive establishes the baseline for compliance and your particular plan might be more resource heavy. 

Myth #2:
We need to cover all the areas of EU law set out in the Directive

The Directive sets out at least 12 categories of protected whistleblowing, and your company will need to comply with the scope of the Directive—but the applicable areas of focus will vary. These areas include: 

  • Consumer protection 
  • Public procurement 
  • Financial services, products and markets, and prevention of money laundering and terrorist financing
  • Public health 
  • Product safety 
  • Transport safety 
  • Protection of the environment 
  • Radiation protection and nuclear safety 
  • Food safety, animal health, and welfare 
  • Protection of privacy and personal data, and security of network and information systems 
  • Violations affecting the financial interests of the EU 
  • Violations relating to the EU internal market, including violation of EU competition and State aid rules, and corporate tax law 

There are areas that will be common to any business, such as antitrust or competition law, data protection, and procurement. But you will need to drill down to see if environmental law, animal health, or nuclear law is applicable. For example, if you’re a vegan shoe company, the regulations concerning nuclear safety or animal health will not apply to your business. This is a great opportunity to go into more detail with your ethics and compliance team and in the preparation of your whistleblowing compliance strategy. 

Myth #3:
Legal sanctions for whistleblowing violations will basically be the same throughout the EU

A “one-size-fits-all” approach will not apply here because there are 27 different starting points, with each nation building off their own individual foundation. Legal sanctions will vary from country to country and will depend on the details behind the infraction. Regardless of Member State, the EU Whistleblower Protection Directive comes with a three-tier reporting hierarchy: Internal, external to regulatory bodies, and the media. Whistleblowers who report to any of the above parties will be protected under the Directive—but it’s in your company’s best interest to capture reporters internally and where possible, avoid external reporting. Make sure that you balance messaging to incentivize internal reports first, leading with trust and respect as your greatest asset. 

Myth #4:
Whistleblowing means we want to hear about your concerns, whatever they may be

One of the side effects of all this focus on whistleblowing is that companies will have to sort through concerns raised by well-intentioned individuals, who may not know that their complaints are not applicable under the Directive. Distinguish between personal slights and real whistleblowing. Use this as a learning opportunity and make clear in your compliance training and communications what the scope of the Directive is. 

Myth #5:
The reverse burden of proof for retaliation only applies internally, not externally

Employees no longer face the burden of proving that they experienced retaliation. The reverse burden of proof is unique under the Directive: it shifts the burden of proof to the employer, who must prove that no retaliation occurred, whether a whistleblower reported internally, to regulators, or to the media. According to Keith, 72 percent of retaliation takes place within three weeks of reporting and 98 percent of retaliation happens within six months. Most companies, according to André, are woefully underprepared here. Use your playbook as an opportunity to educate your whistleblowing team about retaliation, both internal and external. This requirement extends protection to any individual in a “work-based relationship.” That includes: 

  • Current & former employees (full and part time) 
  • Individuals who play a key role in the organization, but are not workers, such as contractors, freelancers, suppliers, vendors, and shareholders 
  • Job applicants or work applicants
  • Trainees and interns (paid or unpaid) 
  • Volunteers 
  • Protection for facilitators – third persons connected to the reporter, such as colleagues or relatives 

Key Requirements of the EU Whistleblowing Protection Directive – The Vital Few Actions You Must Take 

At this time of year, the calendar is already packed with holiday engagements and family obligations, but these final weeks are set to be jam-packed with compliance efforts as well. Now that we’ve addressed the myths and misconceptions out there, next we’ll shift over to the vital few actions you must take in order to comply. Let’s unpack the most essential things you can do to comply with the key requirements of the Directive. Consider this your to-do list for compliance!

  • Establish reporting channels and processes 
  • Communicate and train employees on the reporting channels
    • Ensure that employees understand who the Directive protects
    • Ensure that employees understand the reporting scope of the Directive 


  • Create public-facing information for all those with “work-based” relationships
    • Outline who the Directive protects
    • Outline the reporting scope of the Directive 

Internal and External 

  • Implement and communicate anti-retaliation measures 
  • Establish and communicate feedback on the investigation processes and timescale 

We know you’re feeling the pressure, as the days until the Directive tick down. Stick with Convercent by OneTrust and keep an eye out for more blogs on the EU Whistleblower Protection Directive, full of helpful tips and insight from Convercent’s community of E&C experts. Next week, we’ll focus on practical steps to determine who will support you best with a post focusing on evaluating hotline vendor compliance with the EU Whistleblower Protection Directive across all Member States. 

Master the Requirements of the EU Whistleblower Protection Directive  

Prepare to comply with the requirements of the EU Whistleblower Protection Directive by the deadline of December 17, 2021 with this free series of eight expert-led webinars.  
